[Poppler-bugs] [Bug 102914] New: pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability

bugzilla-daemon at freedesktop.org
Thu Sep 21 02:39:21 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102914

            Bug ID: 102914
           Summary: pdftohtml HtmlOutputDev::newHtmlOutlineLevel()
                    infinite loop vulnerability
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: pdftohtml
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134396
  --> https://bugs.freedesktop.org/attachment.cgi?id=134396&action=edit
POC file of the vulnerability

An infinite loop vulnerability has been found in poppler 0.59.0 pdftohtml
HtmlOutputDev::newHtmlOutlineLevel() when handling crafted PDF files, which may
lead to a potential attack.

gzq at ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -h
pdftohtml version 0.59.0
Copyright 2005-2017 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1999-2003 Gueorgui Ovtcharov and Rainer Dorsch
Copyright 1996-2011 Glyph & Cog, LLC

Usage: pdftohtml [options] <PDF-file> [<html-file> <xml-file>]
  -f <int>              : first page to convert
  -l <int>              : last page to convert
  -q                    : don't print any messages or errors
  -h                    : print usage information
  -?                    : print usage information
  -help                 : print usage information
  --help                : print usage information
  -p                    : exchange .pdf links by .html
  -c                    : generate complex document
  -s                    : generate single document that includes all pages
  -i                    : ignore images
  -noframes             : generate no frames
  -stdout               : use standard output
  -zoom <fp>            : zoom the pdf document (default 1.5)
  -xml                  : output for XML post-processing
  -hidden               : output hidden text
  -nomerge              : do not merge paragraphs
  -enc <string>         : output text encoding name
  -fmt <string>         : image file format for Splash output (png or jpg)
  -v                    : print copyright and version info
  -opw <string>         : owner password (for encrypted files)
  -upw <string>         : user password (for encrypted files)
  -nodrm                : override document DRM settings
  -wbt <fp>             : word break threshold (default 10 percent)
  -fontfullname         : outputs font full name
gzq at ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -q /home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Segmentation fault
gzq at ubuntu:~$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q /home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q /home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff620554e in _int_malloc (av=av at entry=0x7ffff6542b00 <main_arena>,
bytes=bytes at entry=2) at malloc.c:3386
#0  0x00007ffff620554e in _int_malloc (av=av at entry=0x7ffff6542b00 <main_arena>,
bytes=bytes at entry=2) at malloc.c:3386
#1  0x00007ffff62079e4 in __GI___libc_malloc (bytes=2) at malloc.c:2927
#2  0x00000000005fffc8 in gmalloc (checkoverflow=false, size=<optimized out>)
at gmem.cc:110
#3  gmalloc (size=<optimized out>) at gmem.cc:120
#4  copyString (s=0x16b78b9 "R") at gmem.cc:316
#5  0x000000000055b026 in Object::Object (this=<optimized out>, typeA=objCmd,
stringA=<optimized out>) at ./Object.h:157
#6  Lexer::getObj (this=<optimized out>, objNum=<optimized out>) at
Lexer.cc:573
#7  0x000000000057bbc6 in Parser::shift (this=<optimized out>, objNum=-1) at
Parser.cc:291
#8  0x000000000057a578 in Parser::getObj (this=0x16bbad0, simpleOnly=<optimized
out>, fileKey=<optimized out>, encAlgorithm=<optimized out>,
keyLength=<optimized out>, objNum=7, objGen=<optimized out>, recursion=1,
strict=<optimized out>) at Parser.cc:149
#9  0x000000000057ab52 in Parser::getObj (this=<optimized out>,
simpleOnly=<optimized out>, fileKey=<optimized out>, encAlgorithm=<optimized
out>, keyLength=<optimized out>, objNum=<optimized out>, objGen=<optimized
out>, recursion=<optimized out>, strict=<optimized out>) at Parser.cc:120
#10 0x00000000005d5880 in XRef::fetch (this=<optimized out>, num=<optimized
out>, gen=<optimized out>, recursion=<optimized out>) at XRef.cc:1165
#11 0x0000000000569d9e in Object::fetch (this=0x16bc310, xref=0x9ff120,
recursion=0) at Object.cc:125
#12 0x0000000000570bb1 in OutlineItem::readItemList (firstItemRef=<optimized
out>, xrefA=<optimized out>) at Outline.cc:127
#13 0x0000000000571b0a in OutlineItem::open (this=0x16bc2f0) at Outline.cc:149
#14 0x000000000041af2a in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1822
#15 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#16 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#17 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#18 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#19 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#20 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#21 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#22 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#23 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#24 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#25 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
.................
.................
.................
#58228 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58229 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58230 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58231 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58232 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58233 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58234 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58235 0x000000000041a7ed in HtmlOutputDev::dumpDocOutline (this=0x9ff4a0,
doc=<optimized out>) at HtmlOutputDev.cc:1748
#58236 0x00000000004085bb in main (argc=<optimized out>, argv=<optimized out>)
at pdftohtml.cc:391

The PDF file has been attached to help reproduce the issue.
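The backtrace above is dominated by HtmlOutputDev::newHtmlOutlineLevel() calling itself (frames #15 through #58234 are all HtmlOutputDev.cc:1826), with each level going through OutlineItem::open() and OutlineItem::readItemList() to fetch the next outline object. The crash in _int_malloc is the stack being exhausted by that recursion. The shape of the trace is what one expects when the outline item graph (the /First, /Next and /Parent references in the document's outline dictionary) is not a tree, for example if an item's /First link points back at one of its ancestors, so an outline walker that recurses once per nesting level never reaches a leaf. The added example below is not poppler code and makes no claim about how the attached PoC is constructed or how the bug was fixed; it models an outline walk over an in-memory object table with two guards that a walker of attacker-controlled link structures needs: a visited set keyed on the object reference, and a hard bound on nesting depth. ObjRef, OutlineItem, walkOutline, the sample-building functions and the depth limit of 64 are all names and values chosen for this example; the sample outlines are constructed inline.

```cpp
// Added example (not poppler code): a PDF outline walk with cycle and depth guards.
// Outline items are modelled as a map from object reference (num, gen) to a small
// struct carrying the /First (child) and /Next (sibling) links.
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

using ObjRef = std::pair<int, int>;   // (object number, generation)
constexpr ObjRef kNullRef{0, 0};      // stands in for the PDF null object

struct OutlineItem {
    std::string title;
    ObjRef first;   // /First child item, or kNullRef
    ObjRef next;    // /Next sibling item, or kNullRef
};

using OutlineObjects = std::map<ObjRef, OutlineItem>;

struct WalkResult {
    std::vector<std::string> titles;   // titles in document order
    bool cycle_detected = false;       // an object reference was reached twice
    bool depth_exceeded = false;       // nesting deeper than max_depth
    bool dangling_ref = false;         // /First or /Next pointed at a missing object
};

// Walk the sibling chain starting at `ref`, descending into children.
// `visited` is keyed on the object reference, so an item whose /First or /Next
// points back at an ancestor (or at itself) is reported instead of re-entered.
static void walkLevel(const OutlineObjects& objs, ObjRef ref, int depth, int max_depth,
                      std::set<ObjRef>& visited, WalkResult& out) {
    if (depth > max_depth) { out.depth_exceeded = true; return; }
    for (ObjRef cur = ref; cur != kNullRef; ) {
        if (!visited.insert(cur).second) { out.cycle_detected = true; return; }
        auto it = objs.find(cur);
        if (it == objs.end()) { out.dangling_ref = true; return; }
        out.titles.push_back(it->second.title);
        if (it->second.first != kNullRef)
            walkLevel(objs, it->second.first, depth + 1, max_depth, visited, out);
        if (out.cycle_detected || out.depth_exceeded || out.dangling_ref) return;
        cur = it->second.next;
    }
}

// Entry point: `root_first` is the /First reference of the outline root dictionary.
WalkResult walkOutline(const OutlineObjects& objs, ObjRef root_first, int max_depth = 64) {
    WalkResult r;
    std::set<ObjRef> visited;
    walkLevel(objs, root_first, 0, max_depth, visited, r);
    return r;
}

// Constructed sample: a well-formed two-level outline.
OutlineObjects makeAcyclicOutline() {
    return {
        {{10, 0}, {"Chapter 1", {11, 0}, {12, 0}}},
        {{11, 0}, {"Section 1.1", kNullRef, kNullRef}},
        {{12, 0}, {"Chapter 2", kNullRef, kNullRef}},
    };
}

// Constructed sample: Section 1.1's /First points back at Chapter 1, so a walker
// that recurses once per level without a visited set never reaches a leaf.
OutlineObjects makeCyclicOutline() {
    OutlineObjects objs = makeAcyclicOutline();
    objs[{11, 0}].first = {10, 0};
    return objs;
}

// Constructed sample: a chain of `n` items, each nested inside the previous one,
// to exercise the depth bound on an outline that is acyclic but absurdly deep.
OutlineObjects makeDeepOutline(int n) {
    OutlineObjects objs;
    for (int i = 0; i < n; ++i)
        objs[{100 + i, 0}] = {"Level " + std::to_string(i),
                              (i + 1 < n) ? ObjRef{101 + i, 0} : kNullRef, kNullRef};
    return objs;
}
```

The visited set is keyed on the object reference rather than on the item title or on the pointer to a freshly parsed object, because a cyclic graph yields a new parsed copy of the same indirect object on every fetch. The depth bound is a separate guard: a long but acyclic chain never trips the cycle check, yet still costs one stack frame per level in a recursive walker.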
