michaelrsweet / pdfio

PDFio is a simple C library for reading and writing PDF files.
https://www.msweet.org/pdfio
Apache License 2.0

Integer Overflow / Wraparound in _pdfioValueRead #52

Closed k00l-beanz closed 1 year ago

k00l-beanz commented 1 year ago

Describe the bug: Hallo :wave:. I have found an integer wraparound bug in pdfio-value.c; _pdfioValueRead; line 388. If v->value.binary.datalen < ivlen, the arithmetic operation will cause the len parameter passed to _pdfioCryptoAESDecrypt to overflow/underflow, as size_t is typically an unsigned integer (https://en.wikipedia.org/wiki/C_data_types#stddef.h).

There are a few ways to prevent this but the simplest way would be to check if v->value.binary.datalen >= ivlen (granted, I've never been a software engineer so take this with a grain of salt).

To Reproduce The following pdf triggers the bug - bad.pdf

$ sha256sum bad.pdf
983fcdb12d77599bc0632906d5b3303e9ccacb055099c5d58fe2e4da8fe0643d  bad.pdf
$ ./pdfiototext ./bad.pdf 
Segmentation fault (core dumped)

Expected behavior pdfiototext should be able to gracefully exit if this occurs.

System Information:

Additional context Cheers mate :wine_glass:

k00l-beanz commented 1 year ago

Follow up: In pdfio-aes.c; when _pdfioCryptoAESDecrypt is called by _pdfioValueRead, if inbuffer != outbuffer, then a memcpy will execute leading to a heap overflow.

~ k00l_beanz
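The size arithmetic the two comments describe, as an added example that is not pdfio's own code: the unchecked `datalen - ivlen` on `size_t` beside the length check the reporter suggests, plus a wrapper that only hands a validated length to the decrypt routine so the copy into a separate output buffer cannot overrun. The field names, `IV_LEN`, and the `dec_fn` signature are assumptions for illustration, not pdfio's actual API.

```c
// Added example modelling the issue in _pdfioValueRead; not pdfio code.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IV_LEN 16 /* assumed AES IV size prepended to the ciphertext */

// Unchecked: the subtraction on size_t wraps when datalen < ivlen,
// yielding a length near SIZE_MAX instead of an error.
size_t payload_len_unchecked(size_t datalen, size_t ivlen)
{
  return datalen - ivlen;
}

// Checked: reject data shorter than the IV before any arithmetic,
// which is the fix proposed in the report.
bool payload_len_checked(size_t datalen, size_t ivlen, size_t *out)
{
  if (datalen < ivlen)
    return false; // malformed value: nothing to decrypt
  *out = datalen - ivlen;
  return true;
}

// Stand-in for the real AES decrypt routine (hypothetical signature).
typedef void (*dec_fn)(uint8_t *out, const uint8_t *in, size_t len);

// Decrypt into a separate buffer only after validating both the
// payload length and the output capacity, so no copy can overrun.
bool decrypt_string_value(const uint8_t *data, size_t datalen,
                          uint8_t *out, size_t outcap, dec_fn fn)
{
  size_t len;
  if (!payload_len_checked(datalen, IV_LEN, &len) || len > outcap)
    return false;
  fn(out, data + IV_LEN, len);
  return true;
}

int main(void)
{
  // Constructed input: a 5-byte value, shorter than the 16-byte IV.
  size_t good;
  printf("unchecked len = %zu (wrapped)\n", payload_len_unchecked(5, IV_LEN));
  printf("checked: %s\n", payload_len_checked(5, IV_LEN, &good) ? "ok" : "rejected");
  return 0;
}
```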