<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Stack exhaustion in Gfx.cc"
href="https://bugs.freedesktop.org/show_bug.cgi?id=101551">101551</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Stack exhaustion in Gfx.cc
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>foca@salesforce.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=132126" name="attach_132126" title="Proof of concept">attachment 132126</a> <a href="attachment.cgi?id=132126&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

Hi,

There is an infinite recursion in pdftocairo parsing the attached PoC2.pdf. As
a result of the infinite (or very deep) recursion all the stack space is
consumed and the application crashes.

The recursion happens when the following functions are called over and over
again; in my case the backtrace had ~32k calls:

#31040 0x00000000004373cb in Gfx::drawForm (this=0x94c770, str=0x94df98,
resDict=0x0, matrix=0x7fffffffd5f0, bbox=0x94df28, transpGroup=false,
softMask=false, blendingColorSpace=0x0, isolated=false, knockout=false,
alpha=false, transferFunc=0x0, backdropColor=0x0) at Gfx.cc:4979
#31041 0x00000000004274f5 in Gfx::doTilingPatternFill (this=0x94c770,
tPat=0x94df10, stroke=false, eoFill=true, text=false) at Gfx.cc:2309
#31042 0x0000000000425ae5 in Gfx::doPatternFill (this=0x94c770, eoFill=true) at
Gfx.cc:2025
#31043 0x000000000042551e in Gfx::opEOFill (this=0x94c770, args=0x7fffffffd860,
numArgs=0) at Gfx.cc:1911
#31044 0x0000000000420708 in Gfx::execOp (this=0x94c770, cmd=0x7fffffffd850,
args=0x7fffffffd860, numArgs=0) at Gfx.cc:909
#31045 0x000000000041ff6e in Gfx::go (this=0x94c770, topLevel=true) at
Gfx.cc:767
#31046 0x000000000041fd3d in Gfx::display (this=0x94c770, obj=0x7fffffffdbb0,
topLevel=true) at Gfx.cc:729

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:

pdftocairo -svg PoC2.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) &amp; Suleman Ali
(@Salbei_)</pre>
</div>
</p>
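<p>The cycle in the backtrace above (opEOFill -> doPatternFill -> doTilingPatternFill -> drawForm -> go -> execOp), modelled as an added toy in C++ that is not poppler's code: a tiling pattern whose cell content stream fills with the same pattern nests drawForm without bound, and a form-depth counter with a cap refuses further nesting instead of exhausting the stack. The class, the mini content-stream syntax and the kMaxFormDepth value of 50 are assumptions for the illustration.</p>

```cpp
#include <map>
#include <sstream>
#include <string>

// Constructed stand-in for a PDF resource dictionary: pattern name -> the
// content stream of its tiling cell (which may itself select a pattern).
using Resources = std::map<std::string, std::string>;

struct ToyGfx {
    static constexpr int kMaxFormDepth = 50;  // assumed cap, hypothetical value
    const Resources& res;
    std::string currentPattern;  // pattern selected by the last "/Name" token
    int formDepth = 0;           // current drawForm nesting, like a formDepth counter
    int deepestDepth = 0;        // deepest nesting observed
    bool refused = false;        // guard fired: nesting would exceed the cap
    explicit ToyGfx(const Resources& r) : res(r) {}
    // Gfx::go / Gfx::execOp: run a content stream token by token.
    void go(const std::string& stream) {
        std::istringstream in(stream);
        for (std::string tok; in >> tok;) execOp(tok);
    }
    void execOp(const std::string& tok) {
        if (tok[0] == '/') currentPattern = tok.substr(1);  // "/P1 scn" style
        else if (tok == "f*") opEOFill();                   // even-odd fill
    }
    void opEOFill() { doPatternFill(); }
    // A solid colour fills directly; a pattern colour tiles the cell stream.
    void doPatternFill() {
        auto it = res.find(currentPattern);
        if (it != res.end()) doTilingPatternFill(it->second);
    }
    void doTilingPatternFill(const std::string& cell) { drawForm(cell); }
    // drawForm with the guard: refuse to nest beyond kMaxFormDepth instead
    // of letting a self-referencing pattern recurse until the stack is gone.
    void drawForm(const std::string& stream) {
        if (formDepth >= kMaxFormDepth) { refused = true; return; }
        ++formDepth;
        if (formDepth > deepestDepth) deepestDepth = formDepth;
        go(stream);
        --formDepth;
    }
};

// Render a page stream; returns {deepest nesting reached, guard fired}.
std::pair<int, bool> renderPage(const Resources& res, const std::string& page) {
    ToyGfx gfx(res);
    gfx.go(page);
    return {gfx.deepestDepth, gfx.refused};
}
```

With the guard removed, the self-referencing resource below recurses until the stack is exhausted, which is the crash the report describes.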
</body>
</html>