PoDoFo
cpe:2.3:a:podofo_project:podofo:*:*:*:*:*:*:*
- 1.1.0-dev (commit 053cf47)
A heap use-after-free vulnerability has been identified in the PoDoFo PDF library at version 1.1.0-dev (commit 053cf47). The flaw is in the PDF dictionary parser, specifically in the PdfTokenizer::DetermineDataType function in PdfTokenizer.cpp. A malformed PDF whose dictionaries have certain structures causes PdfName objects created during parsing to be freed prematurely and then accessed again, corrupting heap memory and crashing the program; the root cause is improper lifetime management of those PdfName objects. Excessively nested dictionary structures are a related trigger: the parser recurses into each nested dictionary, so deep nesting can exhaust the stack, and this stack exhaustion interacts with the faulty heap management and complicates assessment of the impact.
The result is a heap use-after-free: memory that has already been freed is read and written again through the stale PdfName reference, corrupting the heap. With a crafted input this class of bug can often be turned into arbitrary code execution; at minimum it crashes any application that parses an attacker-supplied PDF with PoDoFo (denial of service).
To reproduce, build PoDoFo with AddressSanitizer enabled (for example by adding -fsanitize=address to the C and C++ compiler flags) and run the 'podofoencrypt' tool on the crafted PDF. The file contains XRef stream dictionary structures that trigger the use-after-free during parsing; podofoencrypt then aborts with an AddressSanitizer heap-use-after-free report, whose stack traces show where the PdfName was freed and where it was later used.
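The bug class described above, modelled in C as an added example. This is not PoDoFo's code: the tokenizer with a single shared "current key" slot, the arena allocator, the sample dictionary string and every function name are assumptions chosen to make the dangling-pointer pattern visible, not the library's actual data structures. Freed blocks are poisoned rather than reused, which is the idea behind AddressSanitizer's quarantine and is what turns a use-after-free into a deterministic report instead of a heap-layout-dependent crash. The hardened branch takes an owned copy of each key before parsing the value, the ownership discipline that prevents a stale reference of this kind.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the advisory's bug class: a dictionary key name freed
 * while a raw pointer to it is still used. Added example, not PoDoFo's code;
 * the shared key slot, the arena and every name here are assumptions. */

#define POISON   0xDD
#define NAME_MAX 32
#define MAX_ENT  16

/* Quarantine arena: freed key blocks are filled with POISON and never reused,
 * so a stale read is deterministic instead of undefined behaviour (the idea
 * behind ASan's quarantine, which turns a use-after-free into a clean report). */
static unsigned char heap[8192]; static size_t heap_top;
static char *key_alloc(void) {
    if (heap_top + NAME_MAX > sizeof heap) abort();        /* toy arena: fail loudly */
    heap_top += NAME_MAX;
    return (char *)heap + heap_top - NAME_MAX;
}
static void key_free(char *p) { if (p) memset(p, POISON, NAME_MAX); }
static int  poisoned(const char *p) { return (unsigned char)p[0] == POISON; }

typedef struct { char key[NAME_MAX]; long val; } Entry;  /* val: int, or -1 for name/dict */
typedef struct { Entry e[MAX_ENT]; int n; int uaf; } Dict;

static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\r' || *p == '\n') p++; return p; }

/* Copy a "/Name" token (minus the slash) into dst and advance *pp. */
static void read_name(char *dst, const char **pp) {
    const char *p = *pp + 1;
    size_t i = 0;
    while (*p && !strchr(" \r\n/<>[]", *p) && i < NAME_MAX - 1) dst[i++] = *p++;
    dst[i] = '\0';
    *pp = p;
}

/* Tokenizer state: one heap block for the "current key", released whenever the
 * next dictionary key is read. Any pointer still aimed at it dies right there. */
static char *cur_key;
static void read_key(const char **pp) { key_free(cur_key); cur_key = key_alloc(); read_name(cur_key, pp); }

static int parse_dict(const char **pp, Dict *d, int hardened);

/* Parse one value: integer, name, or nested dictionary. Returns 0 on success. */
static int parse_value(const char **pp, long *out, int hardened) {
    const char *p = skip_ws(*pp);
    char scratch[NAME_MAX], *end;
    *out = -1;
    if (strncmp(p, "<<", 2) == 0) { Dict inner = {0}; if (parse_dict(&p, &inner, hardened) != 0) return -1; }
    else if (*p == '/') read_name(scratch, &p);
    else { *out = strtol(p, &end, 10); if (end == p) return -1; p = end; }
    *pp = p;
    return 0;
}

static void add_entry(Dict *d, const char *key, long val) {
    if (d->n >= MAX_ENT) return;
    strncpy(d->e[d->n].key, key, NAME_MAX - 1);             /* bounded: never reads past the block */
    d->e[d->n].key[NAME_MAX - 1] = '\0';
    d->e[d->n].val = val;
    d->n++;
}

/* Bug (hardened == 0) and fix (hardened == 1) side by side. Vulnerable: a raw
 * pointer into the shared key slot survives parse_value, and a nested "<<" makes
 * the inner parse read its own first key, freeing ours. Hardened: the entry owns
 * a copy of the key before anything else tokenizes. */
static int parse_dict(const char **pp, Dict *d, int hardened) {
    const char *p = skip_ws(*pp);
    if (strncmp(p, "<<", 2) != 0) return -1;
    for (p += 2;;) {
        char copy[NAME_MAX];
        const char *key;
        long v;
        p = skip_ws(p);
        if (strncmp(p, ">>", 2) == 0) { p += 2; break; }
        if (*p != '/') return -1;
        read_key(&p);
        if (hardened) { memcpy(copy, cur_key, NAME_MAX); key = copy; }   /* owned copy, slot still live */
        else key = cur_key;                                               /* dangles after a nested dict */
        if (parse_value(&p, &v, hardened) != 0) return -1;
        if (poisoned(key)) d->uaf = 1;                      /* the use-after-free, made visible */
        add_entry(d, key, v);
    }
    *pp = p;
    return 0;
}

int main(void) {
    /* Constructed sample: an XRef-stream-style dictionary with a nested dictionary. */
    const char *src = "<< /Type /XRef /W << /A 1 /B 2 >> /Size 7 >>";
    for (int hardened = 0; hardened < 2; hardened++) {
        const char *p = src;
        Dict d = {0};
        parse_dict(&p, &d, hardened);
        printf("%s: %d entries, uaf=%d\n", hardened ? "hardened" : "vulnerable", d.n, d.uaf);
        for (int i = 0; i < d.n; i++)
            printf("  key=%s val=%ld\n", poisoned(d.e[i].key) ? "<0xDD: read from freed memory>" : d.e[i].key, d.e[i].val);
    }
    return 0;
}
```

Running it, the vulnerable pass reports uaf=1 and stores poison bytes where the /W key should be, because the inner dictionary's first key read released the outer key's block; the hardened pass stores Type, W and Size with uaf=0. On a real build the equivalent evidence is the AddressSanitizer report, whose "freed by" and "accessed by" stack traces are what to compare against the PdfTokenizer frames named in the advisory.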
Users are advised to update to the latest version of the PoDoFo library, where this vulnerability has been fixed. The patch is available in the official PoDoFo GitHub repository.