[Poppler-bugs] [Bug 102914] New: pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability
bugzilla-daemon at freedesktop.org
Thu Sep 21 02:39:21 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=102914
Bug ID: 102914
Summary: pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability
Product: poppler
Version: unspecified
Hardware: All
OS: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: pdftohtml
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: etovio at gmail.com
Created attachment 134396
--> https://bugs.freedesktop.org/attachment.cgi?id=134396&action=edit
POC file of the vulnerability
An infinite loop vulnerability has been found in poppler 0.59.0 pdftohtml, in HtmlOutputDev::newHtmlOutlineLevel(), when handling crafted PDF files. It may lead to a potential attack.
gzq at ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -h
pdftohtml version 0.59.0
Copyright 2005-2017 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1999-2003 Gueorgui Ovtcharov and Rainer Dorsch
Copyright 1996-2011 Glyph & Cog, LLC
Usage: pdftohtml [options] <PDF-file> [<html-file> <xml-file>]
-f <int> : first page to convert
-l <int> : last page to convert
-q : don't print any messages or errors
-h : print usage information
-? : print usage information
-help : print usage information
--help : print usage information
-p : exchange .pdf links by .html
-c : generate complex document
-s : generate single document that includes all pages
-i : ignore images
-noframes : generate no frames
-stdout : use standard output
-zoom <fp> : zoom the pdf document (default 1.5)
-xml : output for XML post-processing
-hidden : output hidden text
-nomerge : do not merge paragraphs
-enc <string> : output text encoding name
-fmt <string> : image file format for Splash output (png or jpg)
-v : print copyright and version info
-opw <string> : owner password (for encrypted files)
-upw <string> : user password (for encrypted files)
-nodrm : override document DRM settings
-wbt <fp> : word break threshold (default 10 percent)
-fontfullname : outputs font full name
gzq at ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -q
/home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Segmentation fault
gzq at ubuntu:~$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q
/home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q
/home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff620554e in _int_malloc (av=av at entry=0x7ffff6542b00 <main_arena>,
bytes=bytes at entry=2) at malloc.c:3386
#0 0x00007ffff620554e in _int_malloc (av=av at entry=0x7ffff6542b00 <main_arena>,
bytes=bytes at entry=2) at malloc.c:3386
#1 0x00007ffff62079e4 in __GI___libc_malloc (bytes=2) at malloc.c:2927
#2 0x00000000005fffc8 in gmalloc (checkoverflow=false, size=<optimized out>)
at gmem.cc:110
#3 gmalloc (size=<optimized out>) at gmem.cc:120
#4 copyString (s=0x16b78b9 "R") at gmem.cc:316
#5 0x000000000055b026 in Object::Object (this=<optimized out>, typeA=objCmd,
stringA=<optimized out>) at ./Object.h:157
#6 Lexer::getObj (this=<optimized out>, objNum=<optimized out>) at
Lexer.cc:573
#7 0x000000000057bbc6 in Parser::shift (this=<optimized out>, objNum=-1) at
Parser.cc:291
#8 0x000000000057a578 in Parser::getObj (this=0x16bbad0, simpleOnly=<optimized
out>, fileKey=<optimized out>, encAlgorithm=<optimized out>,
keyLength=<optimized out>, objNum=7, objGen=<optimized out>, recursion=1,
strict=<optimized out>) at Parser.cc:149
#9 0x000000000057ab52 in Parser::getObj (this=<optimized out>,
simpleOnly=<optimized out>, fileKey=<optimized out>, encAlgorithm=<optimized
out>, keyLength=<optimized out>, objNum=<optimized out>, objGen=<optimized
out>, recursion=<optimized out>, strict=<optimized out>) at Parser.cc:120
#10 0x00000000005d5880 in XRef::fetch (this=<optimized out>, num=<optimized
out>, gen=<optimized out>, recursion=<optimized out>) at XRef.cc:1165
#11 0x0000000000569d9e in Object::fetch (this=0x16bc310, xref=0x9ff120,
recursion=0) at Object.cc:125
#12 0x0000000000570bb1 in OutlineItem::readItemList (firstItemRef=<optimized
out>, xrefA=<optimized out>) at Outline.cc:127
#13 0x0000000000571b0a in OutlineItem::open (this=0x16bc2f0) at Outline.cc:149
#14 0x000000000041af2a in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1822
#15 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#16 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#17 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#18 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#19 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#20 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#21 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#22 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#23 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#24 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#25 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
.................
.................
.................
#58228 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58229 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58230 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58231 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58232 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58233 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58234 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58235 0x000000000041a7ed in HtmlOutputDev::dumpDocOutline (this=0x9ff4a0,
doc=<optimized out>) at HtmlOutputDev.cc:1748
#58236 0x00000000004085bb in main (argc=<optimized out>, argv=<optimized out>)
at pdftohtml.cc:391
The PDF file has been attached to help reproduce the issue.
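The backtrace above shows newHtmlOutlineLevel() re-entering itself tens of thousands of times until the process dies inside malloc, which is the signature of unbounded recursion over the document's outline tree rather than of a bug in the allocator. An outline whose /First or /Next references loop back on an item already on the path, or one that nests without bound, is the kind of input that produces this shape of trace. The C++ sketch below is an added example, not poppler's code: ToyOutlineItem, walkNaive, walkSafe and the object numbers are assumptions of the example. It models the recursive walk over a toy outline structure and shows a cycle-safe, depth-capped traversal that rejects such a document instead of recursing until the stack is exhausted.

```cpp
// Added example (not poppler code): a toy outline walker in the shape of a
// recursive level dumper, beside a version hardened against cycles and depth.
#include <cstddef>
#include <iostream>
#include <string>
#include <unordered_set>
#include <vector>

// Constructed stand-in for a PDF outline item (assumed name). /First points
// at the first child, /Next at the next sibling; items are identified by the
// object number they would have in the PDF cross-reference table.
struct ToyOutlineItem {
    int objNum = 0;
    std::string title;
    ToyOutlineItem* first = nullptr;  // first child
    ToyOutlineItem* next = nullptr;   // next sibling
};

// Naive walker (assumed name): visits every sibling and recurses into every
// child with no memory of what it has already seen. If the item graph
// contains a cycle, this never terminates and exhausts the stack, the failure
// mode visible in the backtrace above. Kept for comparison; not exercised.
static void walkNaive(const ToyOutlineItem* item, int level, std::vector<std::string>& out) {
    for (; item != nullptr; item = item->next) {
        out.push_back(std::string(static_cast<size_t>(level), ' ') + item->title);
        if (item->first != nullptr)
            walkNaive(item->first, level + 1, out);
    }
}

// Hardened walker (assumed name): refuses to revisit an object number it has
// already emitted and caps nesting depth. Returns false when a cycle or the
// depth limit is hit so the caller can reject the document rather than hang.
static bool walkSafe(const ToyOutlineItem* item, int level, int maxDepth,
                     std::unordered_set<int>& seen, std::vector<std::string>& out) {
    if (level > maxDepth)
        return false;
    for (; item != nullptr; item = item->next) {
        if (!seen.insert(item->objNum).second)
            return false;  // object number already visited: cycle detected
        out.push_back(std::string(static_cast<size_t>(level), ' ') + item->title);
        if (item->first != nullptr && !walkSafe(item->first, level + 1, maxDepth, seen, out))
            return false;
    }
    return true;
}

// Constructed well-formed outline: two chapters, the first with one section.
static std::vector<std::string> dumpWellFormed() {
    ToyOutlineItem ch1{10, "Chapter 1"};
    ToyOutlineItem sec{11, "Section 1.1"};
    ToyOutlineItem ch2{12, "Chapter 2"};
    ch1.first = &sec;
    ch1.next = &ch2;
    std::unordered_set<int> seen;
    std::vector<std::string> out;
    walkSafe(&ch1, 0, 64, seen, out);
    return out;
}

// Constructed cyclic outline: the child's /Next points back at its parent.
static bool cyclicOutlineRejected() {
    ToyOutlineItem parent{20, "Parent"};
    ToyOutlineItem child{21, "Child"};
    parent.first = &child;
    child.next = &parent;
    std::unordered_set<int> seen;
    std::vector<std::string> out;
    return !walkSafe(&parent, 0, 64, seen, out);
}

// Constructed outline nested 200 levels deep, walked with a 64-level cap.
static bool deepOutlineRejected() {
    const int n = 200;
    std::vector<ToyOutlineItem> items(n);  // built before any pointer is taken
    for (int i = 0; i < n; ++i) {
        items[i].objNum = 100 + i;
        items[i].title = "Level " + std::to_string(i);
        if (i + 1 < n)
            items[i].first = &items[i + 1];
    }
    std::unordered_set<int> seen;
    std::vector<std::string> out;
    return !walkSafe(&items[0], 0, 64, seen, out);
}

int main() {
    for (const std::string& line : dumpWellFormed())
        std::cout << line << '\n';
    std::cout << "cyclic outline rejected: " << cyclicOutlineRejected() << '\n';
    std::cout << "deep outline rejected: " << deepOutlineRejected() << '\n';
    return 0;
}
```

The visited set is keyed on the object number, which is the identity a PDF parser actually has for an item, so the same check works whether the loop is an item pointing at itself, at a sibling already emitted, or at an ancestor several levels up; the depth cap catches the separate case of a legitimately acyclic but absurdly deep tree, which also blows the stack even though no item repeats.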