Bug 99363

Summary: Segfault in SignalHandler::initHashContext() if signature in PDF is broken
Product: poppler Reporter: Sebastian Rasmussen <sebras>
Component: generalAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: aguerreiro1985, sebras
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Original, unedited PDF.
PDF with signature broken
Proposed patch.

Description Sebastian Rasmussen 2017-01-11 16:53:42 UTC
I encountered a SIGSEGV when running pdfsig on a PDF with a broken signature.

First I compiled poppler from git HEAD (currently c301f6c6)
Next I got http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
and edited the signature part of the pdf to make it invalid (changing offset 0x376d2 from 0x61 to 0x62), see the attachment.

Next I ran pdfsig like so for the original document:
$ ./pdfsig ./SampleSignedPDFDocument.pdf
Digital Signature Info of: SampleSignedPDFDocument.pdf
Signature #1:
  - Signer Certificate Common Name: John B Harris
  - Signing Time: Jul 16 2009 16:47:47
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate has Expired

When I do the same for the edited document though, I see:
$ ./pdfsig ./SampleSignedPDFDocument-broken-signature.pdf
Digital Signature Info of: ./SampleSignedPDFDocument-broken-signature.pdf
Internal Error (0): Input couldn't be parsed as a CMS signature
Error in NSS_CMSSignedData_GetSignerInfo()
Segmentation fault

Rerunning in valgrind gives:
[...]
Digital Signature Info of: /./SampleSignedPDFDocument-broken-signature.pdf
Internal Error (0): Input couldn't be parsed as a CMS signature
Error in NSS_CMSSignedData_GetSignerInfo()
==26588== Invalid read of size 8
==26588==    at 0x4F04A92: SignatureHandler::initHashContext() (SignatureHandler.cc:125)
==26588==    by 0x4F04DDD: SignatureHandler::SignatureHandler(unsigned char*, int) (SignatureHandler.cc:119)
==26588==    by 0x4F2F98D: FormFieldSignature::validateSignature(bool, bool) (Form.cc:1529)
==26588==    by 0x10956F: main (pdfsig.cc:157)
==26588==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==26588== 
==26588== 
==26588== Process terminating with default action of signal 11 (SIGSEGV)
==26588==  Access not within mapped region at address 0x0
==26588==    at 0x4F04A92: SignatureHandler::initHashContext() (SignatureHandler.cc:125)
==26588==    by 0x4F04DDD: SignatureHandler::SignatureHandler(unsigned char*, int) (SignatureHandler.cc:119)
==26588==    by 0x4F2F98D: FormFieldSignature::validateSignature(bool, bool) (Form.cc:1529)
==26588==    by 0x10956F: main (pdfsig.cc:157)
[...]
Segmentation fault

So the problem here is that when FormFieldSignature::validateSignature()
creates a SignatureHandler its constructor will call CMS_SignedDataCreate()
which may fail if the signature is broken. When this happens
CMS_SignedDataCreate() returns NULL, but the constructor doesn't check for
this. Adding a check here is not enough though, because ::initHashContext()
also depends on CMSSignedData, so this call must also be included in the check.

Now because the constructor doesn't fail FormFieldSignature::validateSignature()
will continue to run code, eventually passing signature_handler to 
::hashSignedDataBlock() which will call SignalHandler::updateHash() which will
depends on  being set, but I argued above that we cannot initalize this. So
another check is needed in SignalHandler::updateHash() and the hash_context
should be initalized to NULL in the SignalHandler constructor.

The attached patch attempts to rectify this situation, and re-running pdfsig
on the broken PDF no longer produces any errors.
Comment 1 Sebastian Rasmussen 2017-01-11 16:54:35 UTC
Created attachment 128892 [details]
Original, unedited PDF.

Original, unedited PDF from http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
Comment 2 Sebastian Rasmussen 2017-01-11 16:55:08 UTC
Created attachment 128893 [details]
PDF with signature broken

This edited PDF with the signature broken causes the segfault.
Comment 3 Sebastian Rasmussen 2017-01-11 16:57:22 UTC
Created attachment 128894 [details] [review]
Proposed patch.

Proposed fix for the segmentation fault.
Comment 4 Sebastian Rasmussen 2017-01-11 18:34:17 UTC
Adding Andre as he appear to be the one developing the certificate related code.
Comment 5 Albert Astals Cid 2017-01-11 22:38:32 UTC
Pushed

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.