Null Pointer Dereference vulnerability in setSource() – podofo 0.9.6-trunk r1967


26 February, 2019

CVE Number



CWE-476: NULL Pointer Dereference

Product Details

PoDoFo is a library to work with the PDF file format.

Vulnerable Versions

0.9.6-trunk r1952

Vulnerability Details

During our research on PoDoFo, a NULL pointer dereference vulnerability was discovered in PoDoFo (0.9.6-trunk r1967). It can be triggered by passing a crafted PDF file to the podofoimpose binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact.


In progress

Vulnerable Source Code

if ( pcount > 0 )
{
    // GetPage( 0 ) may return NULL for a malformed page tree; the result is dereferenced unchecked
    PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
    sourceWidth  = rect.GetWidth()  - rect.GetLeft();
    sourceHeight = rect.GetHeight() - rect.GetBottom();
}


Debug in Linux (GDB):
151                                 PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() ); 
    152                                 // keep in mind it’s just a hint since PDF can have different page sizes in a same doc 
    153                                 sourceWidth =  rect.GetWidth() - rect.GetLeft(); 
    154                                 sourceHeight =  rect.GetHeight() - rect.GetBottom() ; 
    155                         } 
    156                 } 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "podofoimpose", stopped, reason: SIGSEGV 
[#0] 0x811c4e6 → PoDoFo::Impose::PdfTranslator::setSource(this=0x82a9f00, source="/home/loginsoft/ACE/sources/pruthvi/id_000000_00") 
[#1] 0x811aebe → main(argc=0x4, argv=0xbffff3b4) 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  bt 
#0  0x0811c4e6 in PoDoFo::Impose::PdfTranslator::setSource (this=0x82a9f00, source="POC") at /podofo-code-r1966-podofo-trunk/tools/podofoimpose/pdftranslator.cpp:151 
#1  0x0811aebe in main (argc=0x4, argv=0xbffff3b4) at /podofo-code-r1966-podofo-trunk/tools/podofoimpose/podofoimpose.cpp:107 
gef➤  p/d pcount 
$1 = 11 
gef➤  p sourceDoc->GetPage ( 0 ) 
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary 
Reference to invalid object: 1 0 R 
$5 = (PoDoFo::PdfPage *) 0x0 
gef➤  p GetPage( nIndex ) 
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary 
Reference to invalid object: 1 0 R 
$2 = (PoDoFo::PdfPage *) 0x0 
gef➤  i r 
eax            0x0                 0x0 
ecx            0x0                 0x0 
edx            0x0                 0x0 
ebx            0x82aa100           0x82aa100 
esp            0xbffff130          0xbffff130 
ebp            0xbffff2c8          0xbffff2c8 
esi            0x82aa0a8           0x82aa0a8 
edi            0xb78a4000          0xb78a4000 
eip            0x811c4e6           0x811c4e6 <PoDoFo::Impose::PdfTranslator::setSource(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&)+1314> 
eflags         0x210286            [ PF SF IF RF ID ] 
cs             0x73                0x73 
ss             0x7b                0x7b 
ds             0x7b                0x7b 
es             0x7b                0x7b 
fs             0x0                 0x0 
gs             0x33                0x33 
Debug in Windows 

00cffad0 010e58ce 00000004 001e2c78 001e1738 podofoimpose!main+0x161 
00cffae4 010e5767 90d90588 00f3b398 00f3b398 podofoimpose!invoke_main+0x1e 
00cffb40 010e55fd 00cffb50 010e5948 00cffb64 podofoimpose!__scrt_common_main_seh+0x157 
00cffb48 010e5948 00cffb64 74c38484 00af3000 podofoimpose!__scrt_common_main+0xd 
00cffb50 74c38484 00af3000 74c38460 9e791c38 podofoimpose!mainCRTStartup+0x8 
00cffb64 77bd41c8 00af3000 d24f9363 00000000 KERNEL32!BaseThreadInitThunk+0x24 
00cffbac 77bd4198 ffffffff 77bef326 00000000 ntdll!__RtlUserThreadStart+0x2f 
00cffbbc 00000000 00f3b398 00af3000 00000000 ntdll!_RtlUserThreadStart+0x1b 
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_podofoimpose.exe!PoDoFo::Impose::PdfTranslator::setSource 
 ExceptionCode: c0000005 (Access violation) 
FAULTING_SOURCE_FILE:  e:\podofo-code-r1966-podofo-trunk\tools\podofoimpose\pdftranslator.cpp 
FAILURE_FUNCTION_NAME:  PoDoFo::Impose::PdfTranslator::setSource 
eax=00000000 ebx=00af3000 ecx=90d909fc edx=00cff82c esi=00cff770 edi=00cff76c 
eip=00f5645e esp=00cff76c ebp=00cffa6c iopl=0         nv up ei pl zr na pe nc 
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246 
Proof of Concept

podofoimpose $POC output native


This issue can be prevented by adding a NULL check on the return value of GetPage() before it is dereferenced to construct PoDoFo::PdfRect rect in PdfTranslator::setSource() of pdftranslator.cpp. The GDB session above shows why the existing pcount > 0 test is not enough: the page count is reported as 11 while GetPage( 0 ) returns 0x0 because the kids array references an invalid object.
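The following is an added example, not PoDoFo's own code: a self-contained stand-in for the page-size hint computed in setSource(), with the NULL check described above. PdfRect, PdfPage and MockDoc are minimal mocks of the PoDoFo types, and the constructed inputs reproduce the pcount/GetPage mismatch from the debug log.

```cpp
// Added example (not PoDoFo's code): the page-size hint from setSource()
// with the NULL check the advisory recommends. PdfRect, PdfPage and
// MockDoc are minimal mocks of the PoDoFo types used by the vulnerable block.
#include <vector>
struct PdfRect {
    double left, bottom, width, height;
    double GetLeft() const { return left; }
    double GetBottom() const { return bottom; }
    double GetWidth() const { return width; }
    double GetHeight() const { return height; }
};
struct PdfPage {
    PdfRect mediaBox;
    PdfRect GetMediaBox() const { return mediaBox; }
};
// Page count comes from the tree's /Count, but GetPage(n) resolves /Kids; with a
// corrupted kids array it yields NULL even when the count is positive (pcount == 11).
struct MockDoc {
    int pcount;
    std::vector<PdfPage*> pages;   // nullptr = entry that failed to resolve
    int GetPageCount() const { return pcount; }
    PdfPage* GetPage(int n) const {
        if (n < 0 || n >= (int)pages.size()) return nullptr;
        return pages[n];
    }
};
// Hardened form of the vulnerable block: check the pointer before using it.
bool setSourceSize(const MockDoc& doc, double& sourceWidth, double& sourceHeight) {
    sourceWidth = sourceHeight = 0.0;
    if (doc.GetPageCount() <= 0) return false;
    const PdfPage* first = doc.GetPage(0);
    if (first == nullptr) return false;          // the missing NULL check
    PdfRect rect(first->GetMediaBox());
    sourceWidth  = rect.GetWidth()  - rect.GetLeft();
    sourceHeight = rect.GetHeight() - rect.GetBottom();
    return true;
}
bool demoCorruptedTree() {   // constructed crash case: count 11, page 0 unresolvable
    MockDoc doc{11, {nullptr}};
    double w, h;
    return setSourceSize(doc, w, h);             // false, nothing dereferenced
}
double demoValidWidth() {    // constructed normal case: one Letter-size page
    PdfPage p{{0.0, 0.0, 612.0, 792.0}};
    MockDoc doc{1, {&p}};
    double w, h;
    return setSourceSize(doc, w, h) ? w : -1.0;  // 612
}
```

With the check in place the caller receives false for the malformed file and can abort cleanly instead of faulting on a NULL read.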


Vendor Disclosure: 2019-2-25
Public Disclosure:


Discovered by ACE Team – Loginsoft