
CVE-2019-20093: PoDoFo / Tickets / #75 podofo 0.9.6 NULL pointer dereference caused in `ImageExtractor::ExtractImage(PdfObject*, bool)`

The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file, because of ImageExtractor.cpp.

Tags: CVE, vulnerability, dos, pdf

Status: closed

Updated: 2021-08-18

Created: 2019-12-24

Private: No

There is a null pointer dereference vulnerability in PoDoFo::PdfVariant::DelayedLoad in PdfVariant.h caused by ImageExtractor.cpp:124.

gdb output

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
RCX: 0x0
RDX: 0x5555557ae018 --> 0x0
RSI: 0x7fffffffd9d0 --> 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
RDI: 0x0
RBP: 0x7fffffffd9a0 --> 0x7fffffffd9e0 --> 0x7fffffffdac0 --> 0x7fffffffdce0 --> 0x7fffffffdf50 --> 0x55555570a640 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffd990 --> 0x7fffffffd9d0 --> 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
RIP: 0x5555556323ee (<PoDoFo::PdfVariant::DelayedLoad() const+16>: movzx eax,BYTE PTR [rax+0x13])
R8 : 0x0
R9 : 0x7fffffffda90 --> 0x746867696548 ('Height')
R10: 0x555555711562 --> 0x365000000000000a ('\n')
R11: 0x246
R12: 0x555555630ec0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe030 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555556323e2 <PoDoFo::PdfVariant::DelayedLoad() const+4>:  sub    rsp,0x10
   0x5555556323e6 <PoDoFo::PdfVariant::DelayedLoad() const+8>:  mov    QWORD PTR [rbp-0x8],rdi
   0x5555556323ea <PoDoFo::PdfVariant::DelayedLoad() const+12>: mov    rax,QWORD PTR [rbp-0x8]
=> 0x5555556323ee <PoDoFo::PdfVariant::DelayedLoad() const+16>: movzx  eax,BYTE PTR [rax+0x13]
   0x5555556323f2 <PoDoFo::PdfVariant::DelayedLoad() const+20>: xor    eax,0x1
   0x5555556323f5 <PoDoFo::PdfVariant::DelayedLoad() const+23>: test   al,al
   0x5555556323f7 <PoDoFo::PdfVariant::DelayedLoad() const+25>: je     0x555555632418 <PoDoFo::PdfVariant::DelayedLoad() const+58>
   0x5555556323f9 <PoDoFo::PdfVariant::DelayedLoad() const+27>: mov    rax,QWORD PTR [rbp-0x8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd990 --> 0x7fffffffd9d0 --> 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
0008| 0x7fffffffd998 --> 0x0
0016| 0x7fffffffd9a0 --> 0x7fffffffd9e0 --> 0x7fffffffdac0 --> 0x7fffffffdce0 --> 0x7fffffffdf50 --> 0x55555570a640 (<__libc_csu_init>: push r15)
0024| 0x7fffffffd9a8 --> 0x55555563246c (<PoDoFo::PdfVariant::GetNumber() const+42>: mov rax,QWORD PTR [rbp-0x28])
0032| 0x7fffffffd9b0 --> 0x7fffffffda70 --> 0x555555783340 --> 0x55555564034a (<PoDoFo::PdfName::~PdfName()>: push rbp)
0040| 0x7fffffffd9b8 --> 0x0
0048| 0x7fffffffd9c0 --> 0x555555711594 --> 0x5700746867696548 ('Height')
0056| 0x7fffffffd9c8 --> 0x22cb786a44b6d00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555556323ee in PoDoFo::PdfVariant::DelayedLoad (this=0x0) at /home/tim/podofo-0.9.6/src/base/PdfVariant.h:553
553         if( !m_bDelayedLoadDone)
gdb-peda$ bt
#0  0x00005555556323ee in PoDoFo::PdfVariant::DelayedLoad (this=0x0) at /home/tim/podofo-0.9.6/src/base/PdfVariant.h:553
#1  0x000055555563246c in PoDoFo::PdfVariant::GetNumber (this=0x0) at /home/tim/podofo-0.9.6/src/base/PdfVariant.h:645
#2  0x000055555563179e in ImageExtractor::ExtractImage (this=0x7fffffffdd20, pObject=0x5555557b15a0, bJpeg=0x0) at /home/tim/podofo-0.9.6/tools/podofoimgextract/ImageExtractor.cpp:124
#3  0x000055555563146c in ImageExtractor::Init (this=0x7fffffffdd20, pszInput=0x7fffffffe3bc "crashes/123-compressed_1507.pdf-signalb-0x96", pszOutput=0x7fffffffe3e9 "out", pnNum=0x7fffffffdd04) at /home/tim/podofo-0.9.6/tools/podofoimgextract/ImageExtractor.cpp:81
#4  0x0000555555632b56 in main (argc=0x3, argv=0x7fffffffe038) at /home/tim/podofo-0.9.6/tools/podofoimgextract/podofoimgextract.cpp:54
#5  0x00007ffff755db6b in __libc_start_main (main=0x555555632ab5 <main(int, char**)>, argc=0x3, argv=0x7fffffffe038, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at …/csu/libc-start.c:308
#6  0x0000555555630eea in _start ()
gdb-peda$ p m_bDelayedLoadDone
Cannot access memory at address 0x13
gdb-peda$ p &m_bDelayedLoadDone
$1 = (bool *) 0x13
gdb-peda$

run ./podofoimgextract $poc out

Attachments: 1
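The backtrace above shows PoDoFo::PdfVariant::GetNumber entered with this=0x0 from ImageExtractor.cpp:124, and "p &m_bDelayedLoadDone" printing 0x13 confirms it: the faulting load is the member at offset 0x13 of a null object, so a dictionary lookup returned NULL and the tool called a method on the result without checking it. The 'Height' string sitting in R9 and on the stack suggests the missing key was /Height. The C++ below is an added example, not PoDoFo's code: a toy PdfObject whose GetKey/GetNumber names echo PoDoFo's accessors (the class itself, MakeImage, ReadImageDimensions, ImageAreaUnchecked and ImageAreaChecked are illustrative assumptions) reproduces the unchecked call pattern beside a hardened version that validates both keys first. The sample image dictionaries are constructed inline; the one without /Height mirrors the crashing input.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Toy stand-in for a PoDoFo PdfObject: either a number or a dictionary.
// Added illustration only; not the library's class.
struct PdfObject {
    enum Kind { Number, Dictionary };
    Kind kind;
    int64_t number = 0;
    std::map<std::string, std::shared_ptr<PdfObject>> dict;

    explicit PdfObject(int64_t n) : kind(Number), number(n) {}
    PdfObject() : kind(Dictionary) {}

    // Like PdfDictionary::GetKey: returns nullptr when the key is absent.
    PdfObject* GetKey(const std::string& name) {
        auto it = dict.find(name);
        return it == dict.end() ? nullptr : it->second.get();
    }

    // Like PdfVariant::GetNumber: reads through `this` unconditionally. Reached
    // via a null pointer, the first member load is the fault in the trace above
    // (DelayedLoad() reading m_bDelayedLoadDone at address 0x13).
    int64_t GetNumber() const { return number; }
};

// The crashing shape: the pointer returned by GetKey() is dereferenced with no
// null check, so an image dictionary lacking /Width or /Height segfaults.
// Kept only to show the pattern; never call it on an incomplete dictionary.
int64_t ImageAreaUnchecked(PdfObject* image) {
    int64_t w = image->GetKey("Width")->GetNumber();
    int64_t h = image->GetKey("Height")->GetNumber();
    return w * h;
}

// Hardened form: validate presence, type and range of both keys before use.
// Returns false instead of dereferencing anything on malformed input.
bool ReadImageDimensions(PdfObject* image, int64_t* width, int64_t* height) {
    if (!image || image->kind != PdfObject::Dictionary) return false;
    PdfObject* w = image->GetKey("Width");
    PdfObject* h = image->GetKey("Height");
    if (!w || !h) return false;
    if (w->kind != PdfObject::Number || h->kind != PdfObject::Number) return false;
    // A zero or negative size is not a valid image; a PPM writer would also
    // have to reject it before deriving a buffer length from it.
    if (w->GetNumber() <= 0 || h->GetNumber() <= 0) return false;
    *width = w->GetNumber();
    *height = h->GetNumber();
    return true;
}

// Constructed test input (not from the crashing PDF): a well-formed 640x480
// image dictionary, or one that mimics the crashing file by omitting /Height.
PdfObject MakeImage(bool withHeight) {
    PdfObject img;
    img.dict["Width"] = std::make_shared<PdfObject>(640);
    if (withHeight) img.dict["Height"] = std::make_shared<PdfObject>(480);
    return img;
}

// Area via the hardened path; -1 tells the caller to skip this object.
int64_t ImageAreaChecked(bool withHeight) {
    PdfObject img = MakeImage(withHeight);
    int64_t w = 0, h = 0;
    if (!ReadImageDimensions(&img, &w, &h)) return -1;
    return w * h;
}

int main() {
    std::printf("complete image: area=%lld\n", (long long)ImageAreaChecked(true));   // 307200
    std::printf("missing /Height: area=%lld\n", (long long)ImageAreaChecked(false)); // -1
    return 0;
}
```

In the real tool the equivalent check belongs in ExtractImage before the PPM header is written: skip (or report) an image object whose dictionary lacks numeric /Width and /Height rather than letting the crafted file take the process down. The same null-result pattern applies to every GetKey() call whose result is used directly, so the fix is worth auditing beyond line 124.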
