[Poppler-bugs] [Bug 101550] New: Infinite recursion at cairo-mesh-pattern-rasterizer.c:848

[bugzilla-daemon at freedesktop.org]

https://bugs.freedesktop.org/show_bug.cgi?id=101550

            Bug ID: 101550
           Summary: Infinite recursion at
                    cairo-mesh-pattern-rasterizer.c:848
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 132125
  --> https://bugs.freedesktop.org/attachment.cgi?id=132125&action=edit
Proof of concept

Hi, 

There is an infinite recursion in pdftocairo parsing the attached PoC1.pdf. As
a result of the infinite (or very deep) recursion all the stack space is
consumed and the application crashes.

The recursion happens at, cairo-mesh-pattern-rasterizer.c:848:
844                 subc[2][i] = 0.5 * (c[0][i] + c[2][i]);
845                 subc[3][i] = 0.5 * (c[1][i] + c[3][i]);
846             }
847     
848             draw_bezier_patch (data, width, height, stride, first, subc);
849     
850             for (i = 0; i < 4; ++i) {
851                 subc[0][i] = subc[2][i];
852                 subc[1][i] = subc[3][i];

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:
pdftocairo -svg PoC1.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170621/dd3ebb43/attachment.html>