I encountered a SIGSEGV when running pdfsig on a PDF with a broken signature. First I compiled poppler from git HEAD (currently c301f6c6) Next I got http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf and edited the signature part of the pdf to make it invalid (changing offset 0x376d2 from 0x61 to 0x62), see the attachment. Next I ran pdfsig like so for the original document: $ ./pdfsig ./SampleSignedPDFDocument.pdf Digital Signature Info of: SampleSignedPDFDocument.pdf Signature #1: - Signer Certificate Common Name: John B Harris - Signing Time: Jul 16 2009 16:47:47 - Signature Validation: Signature is Valid. - Certificate Validation: Certificate has Expired When I do the same for the edited document though, I see: $ ./pdfsig ./SampleSignedPDFDocument-broken-signature.pdf Digital Signature Info of: ./SampleSignedPDFDocument-broken-signature.pdf Internal Error (0): Input couldn't be parsed as a CMS signature Error in NSS_CMSSignedData_GetSignerInfo() Segmentation fault Rerunning in valgrind gives: [...] Digital Signature Info of: /./SampleSignedPDFDocument-broken-signature.pdf Internal Error (0): Input couldn't be parsed as a CMS signature Error in NSS_CMSSignedData_GetSignerInfo() ==26588== Invalid read of size 8 ==26588== at 0x4F04A92: SignatureHandler::initHashContext() (SignatureHandler.cc:125) ==26588== by 0x4F04DDD: SignatureHandler::SignatureHandler(unsigned char*, int) (SignatureHandler.cc:119) ==26588== by 0x4F2F98D: FormFieldSignature::validateSignature(bool, bool) (Form.cc:1529) ==26588== by 0x10956F: main (pdfsig.cc:157) ==26588== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==26588== ==26588== ==26588== Process terminating with default action of signal 11 (SIGSEGV) ==26588== Access not within mapped region at address 0x0 ==26588== at 0x4F04A92: SignatureHandler::initHashContext() (SignatureHandler.cc:125) ==26588== by 0x4F04DDD: SignatureHandler::SignatureHandler(unsigned char*, int) (SignatureHandler.cc:119) ==26588== by 0x4F2F98D: FormFieldSignature::validateSignature(bool, bool) (Form.cc:1529) ==26588== by 0x10956F: main (pdfsig.cc:157) [...] Segmentation fault So the problem here is that when FormFieldSignature::validateSignature() creates a SignatureHandler its constructor will call CMS_SignedDataCreate() which may fail if the signature is broken. When this happens CMS_SignedDataCreate() returns NULL, but the constructor doesn't check for this. Adding a check here is not enough though, because ::initHashContext() also depends on CMSSignedData, so this call must also be included in the check. Now because the constructor doesn't fail FormFieldSignature::validateSignature() will continue to run code, eventually passing signature_handler to ::hashSignedDataBlock() which will call SignalHandler::updateHash() which will depends on being set, but I argued above that we cannot initalize this. So another check is needed in SignalHandler::updateHash() and the hash_context should be initalized to NULL in the SignalHandler constructor. The attached patch attempts to rectify this situation, and re-running pdfsig on the broken PDF no longer produces any errors.
Created attachment 128892 [details] Original, unedited PDF. Original, unedited PDF from http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
Created attachment 128893 [details] PDF with signature broken This edited PDF with the signature broken causes the segfault.
Created attachment 128894 [details] [review] Proposed patch. Proposed fix for the segmentation fault.
Adding Andre as he appear to be the one developing the certificate related code.
Pushed
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.