CVE-2022-24197: A list of bugs found by ZanderHuang · Pull Request #78 · itext/itext7
iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
Unique Bugs Found
Recently we ([Zhang Cen](https://github.com/occia), [Huang Wenjie](https://github.com/ZanderHuang) and [Zhang Xiaohan](https://github.com/Han0nly)) discovered a series of bugs in the latest itextpdf (version 7.1.17). Every bug we report in the following is unique and reproducible. Furthermore, they have been manually analyzed and triaged to remove duplicates.
Due to our lack of contextual knowledge of the itextpdf library, we cannot thoroughly fix some bugs; hence we look forward to any proposed plan from the developers for fixing these bugs.
Bug Report
The bug report folder can be downloaded from https://drive.google.com/drive/folders/1b38Mi8fKp05vzMbth1oiopFYNH92GWrK?usp=sharing
A total of 56 bugs are reported in this pull request.
A full list is provided below.
Folder structure
- Level 1 (folder): exception type
- Level 2 (folder): error location
- Level 3 (files): POC file and report.txt including reproducing steps
report.txt content:
- Exception type
- Error location
- Bug cause and impact
- Crash thread’s stacks
- Steps to reproduce
Bug full list
- java.lang.ArrayIndexOutOfBoundsException
  - com.itextpdf.kernel.crypto.ARCFOUREncryption.encryptARCFOUR–ARCFOUREncryption.java-93
  - com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard128.computeOwnerKey–StandardHandlerUsingStandard128.java-81
  - com.itextpdf.kernel.pdf.PdfXrefTable.clear–PdfXrefTable.java-448
  - com.itextpdf.kernel.pdf.PdfXrefTable.get–PdfXrefTable.java-153
  - com.itextpdf.kernel.pdf.PdfXrefTable.initFreeReferencesList–PdfXrefTable.java-185
- java.lang.ClassCastException
  - com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary–StandardHandlerUsingStandard40.java-193
  - com.itextpdf.kernel.pdf.PdfDocument.open–PdfDocument.java-1958
  - com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler–PdfEncryption.java-531
  - com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler–PdfEncryption.java-534
  - com.itextpdf.kernel.pdf.PdfReader.readObject–PdfReader.java-1344
- java.lang.NegativeArraySizeException
  - com.itextpdf.kernel.pdf.PdfXrefTable.extendXref–PdfXrefTable.java-598
- java.lang.NullPointerException
  - com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary–StandardHandlerUsingStandard40.java-194
  - com.itextpdf.kernel.crypto.securityhandler.StandardSecurityHandler.getIsoBytes–StandardSecurityHandler.java-94
  - com.itextpdf.kernel.pdf.PdfArray.get–PdfArray.java-374
  - com.itextpdf.kernel.pdf.PdfObjectWrapper.markObjectAsIndirect–PdfObjectWrapper.java-141
  - com.itextpdf.kernel.pdf.PdfReader.getOriginalFileId–PdfReader.java-669
  - com.itextpdf.kernel.pdf.PdfReader.readDecryptObj–PdfReader.java-1287
  - com.itextpdf.kernel.pdf.PdfReader.readObject–PdfReader.java-1344
  - com.itextpdf.kernel.pdf.PdfReader.readObjectStream–PdfReader.java-738
  - com.itextpdf.kernel.pdf.PdfReader.readObjectStream–PdfReader.java-739
  - com.itextpdf.kernel.pdf.PdfReader.readObjectStream–PdfReader.java-740
  - com.itextpdf.kernel.pdf.PdfReader.readObjectStream–PdfReader.java-773
  - com.itextpdf.kernel.pdf.PdfReader.readObjectStream–PdfReader.java-792
- java.lang.NumberFormatException
  - com.itextpdf.io.source.PdfTokenizer.getIntValue–PdfTokenizer.java-512
  - com.itextpdf.io.source.PdfTokenizer.nextValidToken–PdfTokenizer.java-314
  - com.itextpdf.io.source.PdfTokenizer.nextValidToken–PdfTokenizer.java-315
- java.lang.OutOfMemoryError
  - com.itextpdf.kernel.pdf.PdfReader.readStreamBytesRaw–PdfReader.java-391
  - com.itextpdf.kernel.pdf.PdfXrefTable.extendXref–PdfXrefTable.java-598
- java.lang.StackOverflowError
  - com.itextpdf.io.source.ByteBuffer.append–ByteBuffer.java-110
  - com.itextpdf.io.source.PdfTokenizer.getStringValue–PdfTokenizer.java-187
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-341
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-343
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-361
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-377
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-413
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-452
  - com.itextpdf.io.source.PdfTokenizer.nextToken–PdfTokenizer.java-469
  - com.itextpdf.io.source.PdfTokenizer.nextValidToken–PdfTokenizer.java-271
  - com.itextpdf.io.source.PdfTokenizer.nextValidToken–PdfTokenizer.java-300
  - com.itextpdf.io.source.PdfTokenizer.nextValidToken–PdfTokenizer.java-306
  - com.itextpdf.io.source.PdfTokenizer.nextValidToken–PdfTokenizer.java-314
  - com.itextpdf.io.source.RandomAccessFileOrArray.read–RandomAccessFileOrArray.java-138
  - com.itextpdf.io.util.MessageFormatUtil.format–MessageFormatUtil.java-55
  - com.itextpdf.kernel.pdf.PdfDictionary.putAll–PdfDictionary.java-333
  - com.itextpdf.kernel.pdf.PdfName.compareTo–PdfName.java-1003
  - com.itextpdf.kernel.pdf.PdfNumber.generateValue–PdfNumber.java-180
  - com.itextpdf.kernel.pdf.PdfReader.readArray–PdfReader.java-944
  - com.itextpdf.kernel.pdf.PdfReader.readDictionary–PdfReader.java-923
  - com.itextpdf.kernel.pdf.PdfReader.readObject–PdfReader.java-1336
  - com.itextpdf.kernel.pdf.PdfReader.readObject–PdfReader.java-1344
  - com.itextpdf.kernel.pdf.PdfReader.readObject–PdfReader.java-801
  - com.itextpdf.kernel.pdf.PdfReader.readObject–PdfReader.java-845
  - com.itextpdf.kernel.pdf.PdfReader.readPdfName–PdfReader.java-912
  - com.itextpdf.kernel.pdf.PdfReader.readReference–PdfReader.java-817
  - com.itextpdf.kernel.pdf.PdfReader.readReference–PdfReader.java-834
- java.lang.StringIndexOutOfBoundsException
  - com.itextpdf.io.source.PdfTokenizer.checkPdfHeader–PdfTokenizer.java-239
Any further discussion of these vulnerabilities, including fixes, is welcome, and we look forward to hearing from you.