[Poppler-bugs] [Bug 94941] New: Corrupted linearization hint table causes massive memory usage and several minute delay

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Apr 14 23:31:23 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=94941

            Bug ID: 94941
           Summary: Corrupted linearization hint table causes massive
                    memory usage and several minute delay
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: jmmorlan at sonic.net

I recently encountered some PDF files that cause all poppler utilities
(pdfinfo, pdftotext, evince) to allocate a large amount of memory (usually 3GB)
and hang for several minutes. Acrobat Reader does not exhibit either problem.

The cause is corrupted linearization hint tables - the program that wrote the
.pdfs did not properly align the start of the shared objects hint table on a
byte boundary. So its header looks like:

firstSharedObjectNumber    00 00 00 00
firstSharedObjectOffset    00 00 00 00
nSharedGroupsFirst         00 00 00 01
nSharedGroups              10 00 00 01
nBitsNumObjects            10 00
groupLengthLeast           00 00 00 02
nBitsDiffGroupLength       80 01

Hints::readSharedObjectsTable allocates several giant arrays, and then spends
ages trying to populate them (without checking that it's reached the end of the
stream).

Since nBits* can't be more than 32, this hint table should just be rejected as
invalid immediately.

-- 
You are receiving this mail because:
You are the assignee for the bug.
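
The check the report asks for, as an added example that is not part of the original message and not poppler's code: the header is validated before any array is sized from it. The names `checkSharedObjectsHeader` and `HintCheck` are hypothetical, and the per-group entry layout used for the stream-length bound is an assumption.

```cpp
#include <cstddef>
#include <cstdint>

// Header of the shared objects hint table, field names as in the report.
// On-disk sizes are 4, 4, 4, 4, 2, 4, 2 bytes, big-endian (24 bytes total).
struct SharedObjectsHeader {
    uint32_t firstSharedObjectNumber, firstSharedObjectOffset;
    uint32_t nSharedGroupsFirst, nSharedGroups;
    uint32_t nBitsNumObjects, groupLengthLeast, nBitsDiffGroupLength;
};
enum class HintCheck { Ok, Truncated, BadBitWidth, TooManyGroups };
static uint32_t be(const uint8_t *p, int n) { // read n big-endian bytes
    uint32_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

// Validate the header before anything is allocated from it. `len` is the
// number of bytes remaining in the hint stream starting at `p`.
HintCheck checkSharedObjectsHeader(const uint8_t *p, size_t len, SharedObjectsHeader &h) {
    const size_t kHeaderBytes = 24;
    if (len < kHeaderBytes) return HintCheck::Truncated;
    h.firstSharedObjectNumber = be(p, 4);
    h.firstSharedObjectOffset = be(p + 4, 4);
    h.nSharedGroupsFirst = be(p + 8, 4);
    h.nSharedGroups = be(p + 12, 4);
    h.nBitsNumObjects = be(p + 16, 2);
    h.groupLengthLeast = be(p + 18, 4);
    h.nBitsDiffGroupLength = be(p + 22, 2);
    // A width above 32 bits cannot describe a 32-bit quantity: reject.
    if (h.nBitsNumObjects > 32 || h.nBitsDiffGroupLength > 32) return HintCheck::BadBitWidth;
    // Assumed entry layout: per group, a length delta, a 1-bit flag and an
    // object count, so the group count is bounded by the bits left.
    uint64_t bitsPerGroup = uint64_t(h.nBitsDiffGroupLength) + 1 + h.nBitsNumObjects;
    uint64_t bitsLeft = uint64_t(len - kHeaderBytes) * 8;
    if (uint64_t(h.nSharedGroups) * bitsPerGroup > bitsLeft) return HintCheck::TooManyGroups;
    return HintCheck::Ok;
}

// The 24 header bytes quoted in the report.
const uint8_t kReported[24] = {0,0,0,0, 0,0,0,0, 0,0,0,1, 0x10,0,0,1, 0x10,0, 0,0,0,2, 0x80,1};
// Constructed sample: 2 groups, 1-bit counts, 6-bit deltas, 2 entry bytes.
const uint8_t kConstructed[26] = {0,0,0,9, 0,0,1,0, 0,0,0,1, 0,0,0,2, 0,1, 0,0,0,2, 0,6, 0x15,0x40};

int main() {
    SharedObjectsHeader h;
    return checkSharedObjectsHeader(kReported, sizeof kReported, h) == HintCheck::BadBitWidth ? 0 : 1;
}
```

With the bytes from the report the header is rejected on the bit-width test alone; the second bound catches a header whose widths are plausible but whose group count cannot fit in the remaining stream.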