SUSE:SLE-15-SP5:GA
File r1953-Fix-CVE-2018-14320-Possible-undefined-behaviour-in-PdfEncoding-ParseToUnicode.patch of Package podofo
------------------------------------------------------------------------ r1953 | mc-zyx | 2018-11-22 10:04:02 +0100 (jue 22 de nov de 2018) | 7 líneas Patch by Mark Rogers: CVE-2018-14320 - Possible undefined behaviour in PdfEncoding::ParseToUnicode() There is undefined behaviour in PdfEncoding::ParseToUnicode() if the first token in the parsed stream is 'beginbfrange' or 'beginbfchar'. In both cases stkToken.top() is called when stkToken.size() == 0, which results in the undefined behaviour. Index: src/base/PdfEncoding.cpp =================================================================== --- src/base/PdfEncoding.cpp (revisión: 1952) +++ src/base/PdfEncoding.cpp (revisión: 1953) @@ -285,6 +285,12 @@ if (strcmp (streamToken, "beginbfrange") == 0) { + // need 2 entries - one to pop() and one for top() + if ( stkToken.size() < 2 ) + { + PODOFO_RAISE_ERROR_INFO(ePdfError_InvalidStream, "CMap missing object number before beginbfrange"); + } + i = loop = 0; in_beginbfrange = 1; stkToken.pop (); @@ -301,6 +307,12 @@ if (strcmp (streamToken, "beginbfchar") == 0) { + // need 2 entries - one to pop() and one for top() + if ( stkToken.size() < 2 ) + { + PODOFO_RAISE_ERROR_INFO(ePdfError_InvalidStream, "CMap missing object number before beginbfchar"); + } + i = loop = 0; in_beginbfchar = 1; stkToken.pop (); Index: test/unit/EncodingTest.cpp =================================================================== --- test/unit/EncodingTest.cpp (revisión: 1952) +++ test/unit/EncodingTest.cpp (revisión: 1953) 
@@ -359,6 +359,57 @@ #endif CPPUNIT_ASSERT_EQUAL( expects, unicodeStr[ii] ); } + + const char* toUnicodeInvalidTests[] = + { + // missing object numbers + "beginbfrange\n", + "beginbfchar\n", + + // invalid hex digits + "2 beginbfrange <WXYZ> endbfrange\n", + "2 beginbfrange <-123> endbfrange\n", + "2 beginbfrange <<00>> endbfrange\n", + + // missing hex digits + "2 beginbfrange <> endbfrange\n", + + // empty array + "2 beginbfrange [] endbfrange\n", + + nullptr + }; + + for ( size_t i = 0 ; toUnicodeInvalidTests[i] != nullptr ; ++i ) + { + try + { + PdfVecObjects vecInvalid; + PdfObject *strmInvalidObject; + + vec.SetAutoDelete( true ); + + strmInvalidObject = vecInvalid.CreateObject( PdfVariant( PdfDictionary() ) ); + strmInvalidObject->GetStream()->Set( toUnicodeInvalidTests[i], strlen( toUnicodeInvalidTests[i] ) ); + + PdfIdentityEncoding encodingTestInvalid(0x0001, 0x000F, true, strmInvalidObject); + + PdfString unicodeStringTestInvalid = encoding.ConvertToUnicode( PdfString( encodedStr ), NULL ); + + // exception not thrown - should never get here + // TODO not all invalid input throws an exception (e.g. no hex digits in <WXYZ>) + //CPPUNIT_ASSERT( false ); + } + catch ( PoDoFo::PdfError& error ) + { + // parsing every invalid test string should throw an exception + CPPUNIT_ASSERT( true ); + } + catch( std::exception& ex ) + { + CPPUNIT_FAIL( "Unexpected exception type" ); + } + } } bool EncodingTest::outofRangeHelper( PdfEncoding* pEncoding, std::string & rMsg, const char* pszName ) ------------------------------------------------------------------------
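Review bot: In the src/base/PdfEncoding.cpp hunk at -285, the error text "CMap missing object number before beginbfrange" misnames what is missing. The token that precedes beginbfrange in a CMap (the "2" in this patch's own test strings) is the number of entries that follow, not an object number, so a message such as "CMap missing entry count before beginbfrange" would point whoever reads the error at the right part of the stream. The guard itself, stkToken.size() < 2, matches the comment's reasoning about one entry for pop() and one for top().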
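Review bot: In the src/base/PdfEncoding.cpp hunk at -301, the beginbfchar guard is a line-for-line copy of the beginbfrange guard, differing only in the operator name inside the message. Consider moving the stkToken.size() < 2 check into one small helper that takes the operator name, so the two branches cannot drift apart if the required stack depth or the error code changes later. The "object number" wording in the message has the same problem here as in the beginbfrange branch.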
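Review bot: In the test/unit/EncodingTest.cpp hunk, the new loop cannot fail when the parser accepts invalid input: the only assertion on the no-exception path is commented out (//CPPUNIT_ASSERT( false );) and the PdfError handler asserts CPPUNIT_ASSERT( true ), which always passes. As written, the test would still pass with the PdfEncoding.cpp guards removed, unless the resulting undefined behaviour happened to crash. Split toUnicodeInvalidTests into the inputs that are known to throw (at least "beginbfrange\n" and "beginbfchar\n", which this patch fixes) and assert on those, keeping the TODO cases in a separate list. Two identifiers in the try block also look like leftovers from the code above: vec.SetAutoDelete( true ) is called on vec rather than on the newly declared vecInvalid, and the conversion goes through encoding.ConvertToUnicode(...) rather than encodingTestInvalid, so the object built from the invalid stream is never used for the conversion. The ex in catch( std::exception& ex ) is unused, and the block mixes nullptr with NULL.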