[Poppler-bugs] [Bug 28172] New: poppler: xref / XRefStm infinite loop and stack memory exhaustion

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed May 19 02:49:17 PDT 2010


https://bugs.freedesktop.org/show_bug.cgi?id=28172

           Summary: poppler: xref / XRefStm infinite loop and stack memory
                    exhaustion
           Product: poppler
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: thoger at redhat.com


Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to
crash.  It triggers an infinite loop in xref table parsing.

XRef::readXRef is used to read the xref table.  It calls XRef::readXRefTable for
an "old-style xref table":

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/XRef.cc?id=32de2ac6#n362

readXRefTable reads the table and trailer, which may contain a reference to
an additional xref table - /XRefStm.  It calls readXRef recursively using an
argument from the PDF file without further sanitization:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/XRef.cc?id=32de2ac6#n509

If this refers to the same xref table that was just parsed, it causes poppler
to call readXRef and readXRefTable recursively until all stack memory is
exhausted and the process is killed.

A possible fix may be to ignore /XRefStm back-references, if the PDF spec
allows that.

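The idea of ignoring /XRefStm back-references, sketched as an added example that is not part of the original report and is not poppler's code. The file is modelled as a constructed map from byte offset to xref section; `XRefSection`, `Sections` and `walkXRef` are hypothetical names, and the walk also follows /Prev, which the report does not discuss.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Constructed model of one xref section: the offsets its trailer points to.
// A value of -1 means the key is absent from the trailer.
struct XRefSection {
    int64_t xrefStm; // trailer /XRefStm
    int64_t prev;    // trailer /Prev
};

// Hypothetical stand-in for a parsed file: byte offset -> section found there.
using Sections = std::map<int64_t, XRefSection>;

// Walks every xref section reachable from `start`, appending each offset to
// `order` the first time it is parsed. An offset that was already parsed is
// ignored instead of followed again. Returns the number of ignored
// back-references, or -1 if an offset does not point at an xref section.
// A work list replaces recursion, so stack use does not grow with the chain.
int walkXRef(const Sections &file, int64_t start, std::vector<int64_t> &order) {
    std::set<int64_t> seen;
    std::vector<int64_t> todo{start};
    int ignored = 0;
    while (!todo.empty()) {
        int64_t pos = todo.back();
        todo.pop_back();
        if (!seen.insert(pos).second) { ++ignored; continue; } // back-reference
        auto it = file.find(pos);
        if (it == file.end()) return -1; // offset taken from the file is bogus
        order.push_back(pos);
        // /Prev is pushed first so that /XRefStm is handled first (LIFO).
        if (it->second.prev >= 0) todo.push_back(it->second.prev);
        if (it->second.xrefStm >= 0) todo.push_back(it->second.xrefStm);
    }
    return ignored;
}

int main() {
    // Constructed input: the table at offset 100 names itself as /XRefStm.
    Sections loop{{100, {100, -1}}};
    std::vector<int64_t> order;
    int ignored = walkXRef(loop, 100, order);
    std::printf("parsed %zu section(s), ignored %d back-reference(s)\n",
                order.size(), ignored);
    return 0;
}
```

A non-zero return value is a cheap signal that the file is malformed and can be logged or used to reject it.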