<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Segfault in SignalHandler::initHashContext() if signature in PDF is broken"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=99363">99363</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Segfault in SignalHandler::initHashContext() if signature in PDF is broken
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>sebras@hotmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I encountered a SIGSEGV when running pdfsig on a PDF with a broken signature.

First I compiled poppler from git HEAD (currently c301f6c6)
Next I got <a href="http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf">http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf</a>
and edited the signature part of the pdf to make it invalid (changing offset
0x376d2 from 0x61 to 0x62), see the attachment.

Next I ran pdfsig like so for the original document:
$ ./pdfsig ./SampleSignedPDFDocument.pdf
Digital Signature Info of: SampleSignedPDFDocument.pdf
Signature #1:
  - Signer Certificate Common Name: John B Harris
  - Signing Time: Jul 16 2009 16:47:47
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate has Expired

When I do the same for the edited document though, I see:
$ ./pdfsig ./SampleSignedPDFDocument-broken-signature.pdf
Digital Signature Info of: ./SampleSignedPDFDocument-broken-signature.pdf
Internal Error (0): Input couldn't be parsed as a CMS signature
Error in NSS_CMSSignedData_GetSignerInfo()
Segmentation fault

Rerunning in valgrind gives:
[...]
Digital Signature Info of: /./SampleSignedPDFDocument-broken-signature.pdf
Internal Error (0): Input couldn't be parsed as a CMS signature
Error in NSS_CMSSignedData_GetSignerInfo()
==26588== Invalid read of size 8
==26588==    at 0x4F04A92: SignatureHandler::initHashContext()
(SignatureHandler.cc:125)
==26588==    by 0x4F04DDD: SignatureHandler::SignatureHandler(unsigned char*,
int) (SignatureHandler.cc:119)
==26588==    by 0x4F2F98D: FormFieldSignature::validateSignature(bool, bool)
(Form.cc:1529)
==26588==    by 0x10956F: main (pdfsig.cc:157)
==26588==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==26588== 
==26588== 
==26588== Process terminating with default action of signal 11 (SIGSEGV)
==26588==  Access not within mapped region at address 0x0
==26588==    at 0x4F04A92: SignatureHandler::initHashContext()
(SignatureHandler.cc:125)
==26588==    by 0x4F04DDD: SignatureHandler::SignatureHandler(unsigned char*,
int) (SignatureHandler.cc:119)
==26588==    by 0x4F2F98D: FormFieldSignature::validateSignature(bool, bool)
(Form.cc:1529)
==26588==    by 0x10956F: main (pdfsig.cc:157)
[...]
Segmentation fault

So the problem here is that when FormFieldSignature::validateSignature()
creates a SignatureHandler its constructor will call CMS_SignedDataCreate()
which may fail if the signature is broken. When this happens
CMS_SignedDataCreate() returns NULL, but the constructor doesn't check for
this. Adding a check here is not enough though, because ::initHashContext()
also depends on CMSSignedData, so this call must also be included in the check.

Now because the constructor doesn't fail
FormFieldSignature::validateSignature()
will continue to run code, eventually passing signature_handler to 
::hashSignedDataBlock() which will call SignalHandler::updateHash() which will
depends on  being set, but I argued above that we cannot initalize this. So
another check is needed in SignalHandler::updateHash() and the hash_context
should be initalized to NULL in the SignalHandler constructor.

The attached patch attempts to rectify this situation, and re-running pdfsig
on the broken PDF no longer produces any errors.</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>