Bugzilla – Bug 1029856
VUL-0: CVE-2017-6846: podofo: A NULL pointer dereference could lead to denial of service
Last modified: 2018-10-11 08:26:41 UTC
The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in
graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of
service (NULL pointer dereference) via a crafted file.
Antonio - Can you look into this. Thanks.
Created attachment 774210
The version from SLE12 is affected by this issue, which hasn't been fixed by upstream yet.
./podofocolor dummy ~/Downloads/00173-podofo-nullptr-GraphicsStack-TGraphicsStackElement-SetNonStrokingColorSpace foo
<</DocChecksum/DB32E66F6F34BF1E8F2E9B7E403215D4/ID[<4E9B7DEC390D4421658ED31A3E6687B5><4E9B7DEC390D4421658ED31A3E6687B5>]/Info 13 0 R/Root 12 0 R/Size 14>>
Processing page 1...
Reading object 3 0 R with type: Number
Error: An error 8 ocurred during processing the pdf file
PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic
Error Description: An internal error occurred.
#0 Error Source: /home/antonio/ibs/home/alarrosa/branches/SUSE/SLE-12/Update3/podofo/podofo-0.9.2/tools/podofocolor/graphicsstack.cpp:53
Information: Can get current graphicsstate!
My fault. This wasn't actually reproducible in SLE12. The error in #c3 is a regular error being caught correctly, not a NULL dereference as should be expected. I checked also with valgrind which doesn't report any error at all (apart from 8 bytes lost in 1 block and 312 bytes in 6 blocks still reachable).
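Added illustration (not PoDoFo's code, and not posted by anyone in this bug): a minimal graphics stack showing the two ways an empty-stack lookup can end when a crafted content stream sets a colour space after too many Q operators. One accessor hands back a null pointer that a careless caller would dereference (the failure mode the CVE text describes); the other raises an InternalLogic error that the caller catches and reports as error code 8, which is the behaviour visible in the podofocolor output above. The class names, the error code enum and the hypothetical stream are assumptions made for this example.

```cpp
// Added example, not PoDoFo's code. Class and enum names are hypothetical;
// only the error code 8 / "InternalLogic" pairing is taken from the bug output.
#include <iostream>
#include <stack>
#include <stdexcept>
#include <string>

// Error code as printed by podofocolor above; the enum itself is assumed.
enum PdfErrorCode { ePdfError_ErrOk = 0, ePdfError_InternalLogic = 8 };

struct PdfError : std::runtime_error {
    PdfErrorCode code;
    PdfError(PdfErrorCode c, const std::string& info)
        : std::runtime_error(info), code(c) {}
};

struct GraphicsStackElement {
    std::string nonStrokingColorSpace = "DeviceGray";
    void SetNonStrokingColorSpace(const std::string& cs) { nonStrokingColorSpace = cs; }
};

class GraphicsStack {
    std::stack<GraphicsStackElement> m_stack;
public:
    void Push() { m_stack.push(GraphicsStackElement()); }    // 'q' operator
    void Pop()  { if (!m_stack.empty()) m_stack.pop(); }      // 'Q' operator

    // Unchecked lookup: nullptr on an empty stack. A caller that dereferences
    // the result without testing it is the NULL dereference the CVE describes.
    GraphicsStackElement* CurrentStateUnchecked() {
        return m_stack.empty() ? nullptr : &m_stack.top();
    }

    // Checked lookup: raises an InternalLogic error instead of returning a
    // pointer, so a well-behaved caller can catch it and fail cleanly.
    GraphicsStackElement& CurrentStateChecked() {
        if (m_stack.empty())
            throw PdfError(ePdfError_InternalLogic, "Can get current graphicsstate!");
        return m_stack.top();
    }
};

// Constructed content stream: 'q Q Q cs' (crafted, unbalanced) versus
// 'q Q q cs' (well-formed). Returns the code the tool would report:
// 0 on success, 8 when the InternalLogic error is caught.
int ProcessColorSpaceOperator(bool craftedUnbalancedStream) {
    GraphicsStack gs;
    gs.Push();                      // q
    gs.Pop();                       // Q
    if (craftedUnbalancedStream)
        gs.Pop();                   // extra Q: stack is now empty
    else
        gs.Push();                  // q again before cs
    try {
        gs.CurrentStateChecked().SetNonStrokingColorSpace("DeviceRGB");  // cs
        return ePdfError_ErrOk;
    } catch (const PdfError& e) {
        std::cerr << "Error: " << e.code << " " << e.what() << "\n";
        return e.code;
    }
}

// Same crafted stream against the unchecked accessor. The pointer is only
// compared, never dereferenced, so this reports the hazard without crashing.
bool UncheckedLookupYieldsNull() {
    GraphicsStack gs;
    gs.Push(); gs.Pop(); gs.Pop();
    return gs.CurrentStateUnchecked() == nullptr;
}

int main() {
    std::cout << "well-formed stream -> " << ProcessColorSpaceOperator(false) << "\n";
    std::cout << "crafted stream     -> " << ProcessColorSpaceOperator(true) << "\n";
    std::cout << "unchecked lookup returns null: " << UncheckedLookupYieldsNull() << "\n";
    return 0;
}
```

For triage this is the distinction the comment above draws: a caught PdfError exits through the tool's error handler with a non-zero code and a clean valgrind run, whereas an actual dereference of the null pointer would terminate with SIGSEGV and show up in valgrind as an invalid read at a low address.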
thanks, adjusted our tracking