[Poppler-bugs] [Bug 101551] New: Stack exhaustion in Gfx.cc

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 21 22:22:20 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101551

            Bug ID: 101551
           Summary: Stack exhaustion in Gfx.cc
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 132126
  --> https://bugs.freedesktop.org/attachment.cgi?id=132126&action=edit
Proof of concept

Hi, 

There is an infinite recursion in pdftocairo parsing the attached PoC2.pdf. As
a result of the infinite (or very deep) recursion all the stack space is
consumed and the application crashes.

The recursion happens when the following functions are called over and over
again; in my case the backtrace had ~32k calls:

#31040 0x00000000004373cb in Gfx::drawForm (this=0x94c770, str=0x94df98,
resDict=0x0, matrix=0x7fffffffd5f0, bbox=0x94df28, transpGroup=false,
softMask=false, blendingColorSpace=0x0, isolated=false, knockout=false,
alpha=false, transferFunc=0x0, backdropColor=0x0) at Gfx.cc:4979
#31041 0x00000000004274f5 in Gfx::doTilingPatternFill (this=0x94c770,
tPat=0x94df10, stroke=false, eoFill=true, text=false) at Gfx.cc:2309
#31042 0x0000000000425ae5 in Gfx::doPatternFill (this=0x94c770, eoFill=true) at
Gfx.cc:2025
#31043 0x000000000042551e in Gfx::opEOFill (this=0x94c770, args=0x7fffffffd860,
numArgs=0) at Gfx.cc:1911
#31044 0x0000000000420708 in Gfx::execOp (this=0x94c770, cmd=0x7fffffffd850,
args=0x7fffffffd860, numArgs=0) at Gfx.cc:909
#31045 0x000000000041ff6e in Gfx::go (this=0x94c770, topLevel=true) at
Gfx.cc:767
#31046 0x000000000041fd3d in Gfx::display (this=0x94c770, obj=0x7fffffffdbb0,
topLevel=true) at Gfx.cc:729

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:
pdftocairo -svg PoC2.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
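As an added illustration (this is constructed model code, not poppler's Gfx.cc and not the fix applied to this bug), the nesting visible in the backtrace reduced to its core: filling with a tiling pattern executes that pattern's content stream, which can itself select and fill with a pattern, so without a bound the interpreter re-enters itself until the stack is gone. The model shows two defensive guards, an in-progress set that rejects a pattern already on the draw stack and a hard nesting limit for long but acyclic chains. Names such as Interp, selfRef and chain are hypothetical.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
// Constructed model, not poppler code: "/Name scn" selects a pattern and "f"
// fills with it, which executes that pattern's stream (drawForm -> go -> execOp).
using Resources = std::map<std::string, std::string>;  // name -> content stream
struct Stats { int maxDepth = 0; int rejected = 0; int fills = 0; };
class Interp {
public:
  Interp(const Resources& r, int limit) : res(r), depthLimit(limit) {}
  Stats run(const std::string& stream) { exec(stream); return st; }
private:
  const Resources& res;
  int depthLimit, depth = 0;
  std::set<std::string> active;  // patterns currently being drawn (cycle check)
  std::string cur;               // currently selected pattern name
  Stats st;
  void exec(const std::string& stream) {
    std::istringstream in(stream);
    for (std::string tok; in >> tok;) {
      if (tok[0] == '/') cur = tok.substr(1);  // e.g. "/P1 scn"
      else if (tok == "f") fill();             // other operators are no-ops here
    }
  }
  void fill() {
    auto it = res.find(cur);
    if (it == res.end()) return;
    // Guard 1: pattern already on the draw stack (cycle). Guard 2: nesting bound.
    if (active.count(cur) || depth >= depthLimit) { ++st.rejected; return; }
    ++st.fills; ++depth; active.insert(cur);
    if (depth > st.maxDepth) st.maxDepth = depth;
    std::string saved = cur;        // save/restore state around the nested stream
    exec(it->second);
    cur = saved; active.erase(saved); --depth;
  }
};
// A pattern that fills with itself: the shape of the reported backtrace.
inline Stats selfRef(int limit) {
  Resources res{{"P1", "/P1 scn 0 0 10 10 re f"}};
  return Interp(res, limit).run("/P1 scn 0 0 100 100 re f");
}
// n distinct patterns nested in a chain: acyclic, but bounded by the depth limit.
inline Stats chain(int n, int limit) {
  Resources res;
  for (int i = 1; i <= n; ++i)
    res["P" + std::to_string(i)] = "/P" + std::to_string(i + 1) + " scn f";
  return Interp(res, limit).run("/P1 scn f");
}
```

Without either guard, selfRef would recurse until the stack is exhausted; with them, the self-reference is rejected on the first nested fill and a 200-deep chain stops at the configured limit.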
