Seebug SSV:96709

Oracle OIT IX SDK libvs_pdf arbitrary pointer access (CVE-2016-3579)

Published: 2017-10-16 00:00:00
Author: Root
Source: www.seebug.org
Score: 10

EPSS: 0.003 (Low), percentile 68.6%

Description

When parsing a specially crafted PDF document, a value derived from a file is used as a memory pointer leading to a process crash.

Tested Versions

Outside In IX SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a PDF file with an object containing a stream, a missing object type specification can lead to arbitrary pointer access. In the supplied testcase, the /Type value is missing (originally /XRef) and the trailing bytes are interpreted as the type. An ASCII integer value is converted into a 32-bit integer which is subsequently used as a pointer in a comparison operation. If the pointer is invalid, the process crashes.

Technical information below:

An ASCII integer value appearing after the /Type element in the supplied PDF file is converted into a 32-bit integer (in this case 0x41414141) which ends up being used as the source operand, in esi, of the comparison instruction against the "XRef" string pointed at by edi:

.text:B74E9B72 mov     esi, [eax]
.text:B74E9B74 mov     ecx, 5
.text:B74E9B79 cld
.text:B74E9B7A lea     edi, (aXref - 0B74F6998h)[ebx] ; "XRef"
.text:B74E9B80 repe cmpsb

Although the value in esi is fully controlled, it is promptly discarded after the comparison making this issue unexploitable by itself.
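As an added illustration of the defensive check this bug calls for (this is not Oracle's code and not the advisory's testcase), the C below only compares a dictionary's /Type value against "XRef" once the token has been confirmed to be a name object; any other token, such as the ASCII integer described above, is reported as malformed instead of being interpreted. The sample dictionaries are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Result codes for validate_type_entry(). */
enum { TYPE_NAME_OK = 1, TYPE_NOT_A_NAME = 0, TYPE_ABSENT = -1 };

/* Scan a PDF dictionary for its /Type entry and copy the value name
   (without the leading '/') into `out`. The value is accepted only if it
   is a name object, i.e. the token after the key starts with '/'. Any
   other token (for example an ASCII integer) yields TYPE_NOT_A_NAME. */
static int validate_type_entry(const char *dict, size_t len, char *out, size_t outsz)
{
    static const char key[] = "/Type";
    size_t klen = sizeof key - 1;
    size_t i = 0, n = 0;

    /* Locate "/Type"; it is only the key if followed by whitespace or '/'
       (so that e.g. "/Typeface" is not mistaken for it). */
    for (;;) {
        if (i + klen > len) return TYPE_ABSENT;
        if (memcmp(dict + i, key, klen) == 0 &&
            (i + klen == len || isspace((unsigned char)dict[i + klen]) ||
             dict[i + klen] == '/'))
            break;
        i++;
    }
    i += klen;
    while (i < len && isspace((unsigned char)dict[i])) i++;   /* key/value gap */
    if (i >= len || dict[i] != '/') return TYPE_NOT_A_NAME;   /* not a name */
    i++;
    /* Copy name characters up to the next whitespace or delimiter. */
    while (i < len && !isspace((unsigned char)dict[i]) &&
           strchr("/<>[]()", dict[i]) == NULL && n + 1 < outsz)
        out[n++] = dict[i++];
    out[n] = '\0';
    return TYPE_NAME_OK;
}

/* The "XRef" comparison happens only after the value is known to be a name. */
static int is_xref_stream_dict(const char *dict, size_t len)
{
    char name[32];
    if (validate_type_entry(dict, len, name, sizeof name) != TYPE_NAME_OK)
        return 0;
    return strcmp(name, "XRef") == 0;
}

/* Constructed samples: a well-formed xref stream dictionary and one whose
   /Type value has been replaced by the bytes "AAAA" (0x41414141). */
static const char good_dict[] = "<< /Type /XRef /Size 10 >>";
static const char bad_dict[]  = "<< /Type AAAA /Size 10 >>";
```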

Timeline

  • 2016-04-12 - Vendor Notification
  • 2016-07-19 - Public Disclosure
