PoDoFo Double-Free Vulnerability in OpenSSLInternal_Ripped.cpp

Vulnerability

A double-free vulnerability has been identified in the PoDoFo library, specifically in the compute_hash_to_sign() function within OpenSSLInternal_Ripped.cpp. It affects versions from 1.0.0 up to, but not including, 1.0.4. The issue arises when EVP_DigestFinal fails after the buffer (buf) has already been freed. The error-handling path then frees buf a second time, leading to heap corruption. This vulnerability could potentially be exploited to execute arbitrary code when processing maliciously crafted PDF files, although such a scenario is considered unlikely.

Impact

Exploitation of this vulnerability causes heap corruption, which could lead to arbitrary code execution when handling malicious PDF files.

Reproduction

To reproduce this vulnerability, trigger an OpenSSL EVP_DigestFinal failure during PDF signing. This will cause the function to follow the error handling path, where the buffer is freed twice, creating the double-free condition.

Remediation

Users can upgrade to PoDoFo version 1.0.4 to address this vulnerability.
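
The free-then-fail ordering described above, next to one common way to rule it out (clearing the pointer when it is released), as an added example that is not PoDoFo's code or its actual fix. All names here (acquire, release, finish, digest_final_stub, hash_to_sign_flawed, hash_to_sign_fixed) are hypothetical, and the real free() is deferred so the second release is counted rather than corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed harness: one tracked allocation whose real free() is deferred
   to finish(), so a repeated release is counted instead of executed. */
static void *g_block;     /* the single tracked allocation */
static int   g_released;  /* how many times release() was given g_block */

static void *acquire(size_t n) { g_released = 0; return g_block = malloc(n); }
static void release(void *p) { if (p != NULL && p == g_block) g_released++; }
static int finish(void) { int n = g_released; free(g_block); g_block = NULL; return n; }

/* Hypothetical stand-in for the digest finalisation call; fails on demand. */
static int digest_final_stub(int fail) { return fail ? 0 : 1; }

/* Flawed ordering: buf is released before the call that can still fail,
   and the shared error path releases the same pointer again. */
static int hash_to_sign_flawed(int fail) {
    unsigned char *buf = acquire(64);
    if (buf == NULL) return -1;
    memset(buf, 0, 64);
    release(buf);                      /* first release */
    if (!digest_final_stub(fail)) goto err;
    return 0;
err:
    release(buf);                      /* second release of a stale pointer */
    return -1;
}

/* Hardened ordering: the pointer is cleared at the point of release, so the
   cleanup path sees NULL and does nothing (as free(NULL) would). */
static int hash_to_sign_fixed(int fail) {
    int rc = -1;
    unsigned char *buf = acquire(64);
    if (buf == NULL) return -1;
    memset(buf, 0, 64);
    release(buf);
    buf = NULL;                        /* ownership ended here */
    if (digest_final_stub(fail)) rc = 0;
    release(buf);                      /* no-op on NULL */
    return rc;
}

int main(void) {
    hash_to_sign_flawed(1);
    printf("flawed, failure path: %d releases\n", finish());
    hash_to_sign_fixed(1);
    printf("fixed, failure path: %d releases\n", finish());
    return 0;
}
```

With real free() calls, building the flawed variant under AddressSanitizer (-fsanitize=address) reports the second free as an attempted double-free.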

Added: May 14, 2026, 5:32 PM
Updated: May 14, 2026, 5:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.7
remediation: 7.7
relevance: 8.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.