Bug 1027781 - VUL-1: podofo: NULL pointer dereference in PoDoFo::PdfColor::operator= (PdfColor.cpp)
VUL-1: podofo: NULL pointer dereference in PoDoFo::PdfColor::operator= (PdfCo...
Status: RESOLVED DUPLICATE of bug 1027779
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: P Linnell
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-02 22:34 UTC by Mikhail Kasimov
Modified: 2019-03-24 15:57 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-03-02 22:34:41 UTC
Ref: http://seclists.org/oss-sec/2017/q1/545
============================================
Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a null pointer dereference. The upstream project denies me to open a new ticket. So, I just 
will forward this on the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==9554==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004ca47d bp 0x7fff58eb6bb0 sp 
0x7fff58eb6330 T0)
==9554==The signal is caused by a READ memory access.
==9554==Hint: address points to the zero page.
    #0 0x4ca47c in AddressIsPoisoned 
/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_mapping.h:321
    #1 0x4ca47c in QuickCheckForUnpoisonedRegion 
/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:43
    #2 0x4ca47c in __asan_memcpy 
/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #3 0x7f5fc924b58d in PoDoFo::PdfColor::operator=(PoDoFo::PdfColor const&) 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfColor.cpp:575:9
    #4 0x52d31f in GraphicsStack::TGraphicsStackElement::operator=(GraphicsStack::TGraphicsStackElement const&) 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/graphicsstack.h:46:29
    #5 0x52d31f in GraphicsStack::TGraphicsStackElement::TGraphicsStackElement(GraphicsStack::TGraphicsStackElement 
const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/graphicsstack.h:41
    #6 0x52c46a in GraphicsStack::Push() 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/graphicsstack.cpp:40:27
    #7 0x522005 in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:187:35
    #8 0x51ed8e in ColorChanger::start() 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:120:15
    #9 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #10 0x7f5fc7d3261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #11 0x428718 in _start (/usr/bin/podofocolor+0x428718)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_mapping.h:321 in 
AddressIsPoisoned
==9554==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00172-podofo-nullptr-PoDoFo-PdfColor-operator

Timeline:
2017-02-13: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp
============================================

https://software.opensuse.org/package/podofo

TW: 0.9.4
42.{1,2}: 0.9.3
Comment 1 Swamp Workflow Management 2017-03-02 23:02:01 UTC
bugbot adjusting priority
Comment 2 Alexandros Toptsoglou 2019-02-28 14:20:21 UTC
Closing

*** This bug has been marked as a duplicate of bug 1027779 ***