Submit #632364: podofo podofoencrypt PoDoFo version 1.1.0-dev (commit 053cf47) compiled on Jul 30 2025 and the newest master version. Heap Use-After-Free

Information

Title: podofo podofoencrypt PoDoFo version 1.1.0-dev (commit 053cf47) compiled on Jul 30 2025 and the newest master version. Heap Use-After-Free
Description:

# PoDoFo PdfName Use-After-Free in PDF Dictionary Parsing

## Summary

During fuzzing of the PoDoFo PDF library's podofoencrypt tool, a critical heap-use-after-free vulnerability was discovered in the PDF dictionary parsing functionality. The vulnerability occurs in the `PdfTokenizer::ReadDictionary` function, where `PdfName` objects are prematurely freed and subsequently accessed, leading to memory corruption and program crashes. It affects the core PDF parsing engine and can be triggered by malformed PDF files with specific dictionary structures.

## Technical Details

- **Vulnerability Type**: Heap Use-After-Free
- **Affected Component**: PoDoFo PDF Library - PdfTokenizer
- **Affected Function**: `PdfTokenizer::ReadDictionary`
- **Source File**: `PdfTokenizer.cpp`
- **Line Number**: 505
- **Signal**: SIGABRT (6)
- **Memory Access**: READ of size 4
- **Affected Memory Range**: 24-byte regions containing `PdfName::NameData`

## Mechanism and Root Cause

This heap-use-after-free is caused by improper lifetime management of `PdfName` objects during PDF dictionary parsing. The root cause lies in the shared pointer reference counting mechanism for `PdfName::NameData` objects. The vulnerability manifests through the following sequence:

1. **Allocation Phase**: `PdfName` objects are created via `PdfName::FromEscaped()` at line 166 in `PdfName.cpp`
2. **Premature Deallocation**: During dictionary parsing, `PdfTokenizer::ReadDictionary()` at line 505 in `PdfTokenizer.cpp` releases the last reference to the shared `NameData`
3. **Use-After-Free Access**: The destructor `PdfName::~PdfName()` at line 33 in `PdfName.cpp` accesses the already freed `NameData` object
4. **Memory Corruption**: This triggers a read of freed memory during shared pointer reference count manipulation

## AddressSanitizer Report

```
WARNING: Invalid number while parsing content
=================================================================
==3099590==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000438 at pc 0x7f0ea29af147 bp 0x7ffef7a7ac40 sp 0x7ffef7a7ac38
READ of size 4 at 0x603000000438 thread T0
    #0 0x7f0ea29af146 in __gnu_cxx::__exchange_and_add_single(int*, int) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/atomicity.h:84:29
    #1 0x7f0ea29af146 in __gnu_cxx::__exchange_and_add_dispatch(int*, int) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/atomicity.h:99:14
    #2 0x7f0ea29af146 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:165:6
    #3 0x7f0ea29af146 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:705:11
    #4 0x7f0ea29af146 in std::__shared_ptr<PoDoFo::PdfName::NameData, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1154:31
    #5 0x7f0ea29af146 in PoDoFo::PdfName::~PdfName() /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfName.cpp:33:16
    #6 0x7f0ea2659e20 in std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>::~pair() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_iterator.h:2488:12
    #7 0x7f0ea2659e20 in void __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::destroy<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>(std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/new_allocator.h:168:10
    #8 0x7f0ea2659e20 in void std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>>::destroy<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>(std::allocator<std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>&, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/alloc_traits.h:535:8
    #9 0x7f0ea2659e20 in std::_Rb_tree<PoDoFo::PdfName, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>, std::_Select1st<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::_M_destroy_node(std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:623:2
    #10 0x7f0ea2659e20 in std::_Rb_tree<PoDoFo::PdfName, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>, std::_Select1st<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::_M_drop_node(std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:631:2
    #11 0x7f0ea2659e20 in std::_Rb_tree<PoDoFo::PdfName, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>, std::_Select1st<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::_M_erase(std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:1891:4
    #12 0x7f0ea2659def in std::_Rb_tree<PoDoFo::PdfName, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>, std::_Select1st<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::_M_erase(std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:1891:4
    #13 0x7f0ea2659def in std::_Rb_tree<PoDoFo::PdfName, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>, std::_Select1st<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::_M_erase(std::_Rb_tree_node<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:1891:4
    #14 0x7f0ea2b4fdc0 in std::_Rb_tree<PoDoFo::PdfName, std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>, std::_Select1st<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::~_Rb_tree() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_tree.h:984:9
    #15 0x7f0ea2b4fdc0 in std::map<PoDoFo::PdfName, PoDoFo::PdfObject, PoDoFo::PdfNameInequality, std::allocator<std::pair<PoDoFo::PdfName const, PoDoFo::PdfObject>>>::~map() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_map.h:302:22
    #16 0x7f0ea2b4fdc0 in PoDoFo::PdfDictionary::~PdfDictionary() /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfDictionary.h:81:18
    #17 0x7f0ea2b4fdc0 in PoDoFo::PdfVariant::~PdfVariant() /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfVariant.cpp:94:13
    #18 0x7f0ea2c52d0d in PoDoFo::PdfParser::ReadXRefStreamContents(PoDoFo::InputStreamDevice&, unsigned long, bool) /workspace/program/podofo-053cf47-Jul30/src/podofo/private/PdfParser.cpp:528:9
    #19 0x7f0ea2c4e19d in PoDoFo::PdfParser::ReadXRefContents(PoDoFo::InputStreamDevice&, unsigned long, bool) /workspace/program/podofo-053cf47-Jul30/src/podofo/private/PdfParser.cpp:351:9
    #20 0x7f0ea2c45d1d in PoDoFo::PdfParser::ReadDocumentStructure(PoDoFo::InputStreamDevice&, long, bool) /workspace/program/podofo-053cf47-Jul30/src/podofo/private/PdfParser.cpp:138:9
    #21 0x7f0ea2c441a4 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /workspace/program/podofo-053cf47-Jul30/src/podofo/private/PdfParser.cpp:76:9
    #22 0x7f0ea2997144 in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice>&&, std::basic_string_view<char, std::char_traits<char>> const&) /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfMemDocument.cpp:125:12
    #23 0x7f0ea299a7f5 in PoDoFo::PdfMemDocument::Load(std::shared_ptr<PoDoFo::InputStreamDevice>, std::basic_string_view<char, std::char_traits<char>> const&) /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfMemDocument.cpp:114:5
    #24 0x7f0ea2999b36 in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char>> const&, std::basic_string_view<char, std::char_traits<char>> const&) /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfMemDocument.cpp:96:5
    #25 0x5575712973cf in encrypt(std::basic_string_view<char, std::char_traits<char>> const&, std::basic_string_view<char, std::char_traits<char>> const&, std::basic_string_view<char, std::char_traits<char>> const&, std::basic_string_view<char, std::char_traits<char>> const&, PoDoFo::PdfEncryptionAlgorithm, PoDoFo::PdfPermissions) /workspace/program/podofo-053cf47-Jul30/tools/podofoencrypt/podofoencrypt.cpp:19:9
    #26 0x557571298c80 in Main(tcb::span<std::basic_string_view<char, std::char_traits<char>> const, 18446744073709551615ul> const&) /workspace/program/podofo-053cf47-Jul30/tools/podofoencrypt/podofoencrypt.cpp:194:5
    #27 0x5575712997c5 in main /workspace/program/podofo-053cf47-Jul30/tools/private/MainEntryPoint.cpp:34:9
    #28 0x7f0ea15dad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #29 0x7f0ea15dae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #30 0x5575711c0534 in _start (/workspace/fuzzdir/fz-podofo/fz-podofoencrypt/podofoencrypt+0x21534) (BuildId: 199c644fed58464afa945df05fe57a4a79121f2b)

0x603000000438 is located 8 bytes inside of 24-byte region [0x603000000430,0x603000000448)
freed by thread T0 here:
    #0 0x557
```
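As an added triage example (not code from the submission or from PoDoFo), a Python parser for AddressSanitizer reports like the one above: it pulls out the bug class and faulting access, finds the first frame inside the project tree (here `PdfName.cpp:33`, the destructor the report names rather than the libstdc++ frames above it) and builds a signature from the project frames so that repeated fuzzer crashes of the same bug can be de-duplicated. The sample report text is a constructed excerpt of the report quoted on this page, and the project root `/workspace/program/` is taken from its paths.

```python
import os
import re
from collections import namedtuple
from typing import Optional

# Constructed excerpt (header plus four frames) of the AddressSanitizer report
# quoted in the submission above; a real run would pass in the whole report.
SAMPLE_REPORT = """\
==3099590==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000438 at pc 0x7f0ea29af147 bp 0x7ffef7a7ac40 sp 0x7ffef7a7ac38
READ of size 4 at 0x603000000438 thread T0
    #0 0x7f0ea29af146 in __gnu_cxx::__exchange_and_add_single(int*, int) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/atomicity.h:84:29
    #4 0x7f0ea29af146 in std::__shared_ptr<PoDoFo::PdfName::NameData, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1154:31
    #5 0x7f0ea29af146 in PoDoFo::PdfName::~PdfName() /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfName.cpp:33:16
    #16 0x7f0ea2b4fdc0 in PoDoFo::PdfDictionary::~PdfDictionary() /workspace/program/podofo-053cf47-Jul30/src/podofo/main/PdfDictionary.h:81:18
"""

Frame = namedtuple("Frame", "index function file line")
AsanReport = namedtuple("AsanReport", "bug_type address access size frames")

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# "#N 0xADDR in <function, may contain spaces> <file>:<line>[:<column>]"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*?)\s+(\S+?):(\d+)(?::\d+)?\s*$", re.M)

def parse_asan_report(text: str) -> AsanReport:
    """Bug class, faulting access and the faulting stack; the 'freed by' and
    'allocated by' stacks follow the first blank line and are skipped."""
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if header is None or access is None:
        raise ValueError("not an AddressSanitizer error report")
    frames = [Frame(int(i), fn, path, int(ln))
              for i, fn, path, ln in FRAME_RE.findall(text.split("\n\n", 1)[0])]
    return AsanReport(header.group(1), header.group(2), access.group(1), int(access.group(2)), frames)

def first_project_frame(report: AsanReport, project_root: str) -> Optional[Frame]:
    """First frame inside the project tree: the crash site in the code under test
    rather than in libstdc++ or libc, which is where triage should start."""
    return next((f for f in report.frames if f.file.startswith(project_root)), None)

def crash_signature(report: AsanReport, project_root: str, depth: int = 3) -> str:
    """Stable key for de-duplicating fuzzer crashes: bug class plus the top project
    frames as basename:line (raw addresses differ from run to run)."""
    sites = [f"{os.path.basename(f.file)}:{f.line}"
             for f in report.frames if f.file.startswith(project_root)]
    return "|".join([report.bug_type] + sites[:depth])

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(first_project_frame(rep, "/workspace/program/"))
    print(crash_signature(rep, "/workspace/program/"))
```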
Source: https://github.com/podofo/podofo/issues/275
User: xdcao (UID 88377)
Submission: 12/08/2025 09:27 (9 months ago)
Moderated: 23/08/2025 17:43 (11 days later)
Status: Accepted
VulDB Entry: 321227 [PoDoFo 1.1.0-dev PDF Dictionary Parser PdfTokenizer.cpp DetermineDataType buffer overflow]
Points: 20