<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102914">102914</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>pdftohtml
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>etovio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134396" name="attach_134396" title="POC file of the vulnerability">attachment 134396</a> <a href="attachment.cgi?id=134396&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability
An infinite loop vulnerability has been found in poppler 0.59.0 pdftohtml
HtmlOutputDev::newHtmlOutlineLevel() when handling crafted PDF files, which may
lead to a potential attack.
gzq@ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -h
pdftohtml version 0.59.0
Copyright 2005-2017 The Poppler Developers - <a href="http://poppler.freedesktop.org">http://poppler.freedesktop.org</a>
Copyright 1999-2003 Gueorgui Ovtcharov and Rainer Dorsch
Copyright 1996-2011 Glyph & Cog, LLC
Usage: pdftohtml [options] <PDF-file> [<html-file> <xml-file>]
-f <int> : first page to convert
-l <int> : last page to convert
-q : don't print any messages or errors
-h : print usage information
-? : print usage information
-help : print usage information
--help : print usage information
-p : exchange .pdf links by .html
-c : generate complex document
-s : generate single document that includes all pages
-i : ignore images
-noframes : generate no frames
-stdout : use standard output
-zoom <fp> : zoom the pdf document (default 1.5)
-xml : output for XML post-processing
-hidden : output hidden text
-nomerge : do not merge paragraphs
-enc <string> : output text encoding name
-fmt <string> : image file format for Splash output (png or jpg)
-v : print copyright and version info
-opw <string> : owner password (for encrypted files)
-upw <string> : user password (for encrypted files)
-nodrm : override document DRM settings
-wbt <fp> : word break threshold (default 10 percent)
-fontfullname : outputs font full name
gzq@ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -q
/home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Segmentation fault
gzq@ubuntu:~$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q
/home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q
/home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff620554e in _int_malloc (av=av@entry=0x7ffff6542b00 <main_arena>,
bytes=bytes@entry=2) at malloc.c:3386
#0 0x00007ffff620554e in _int_malloc (av=av@entry=0x7ffff6542b00 <main_arena>,
bytes=bytes@entry=2) at malloc.c:3386
#1 0x00007ffff62079e4 in __GI___libc_malloc (bytes=2) at malloc.c:2927
#2 0x00000000005fffc8 in gmalloc (checkoverflow=false, size=<optimized out>)
at gmem.cc:110
#3 gmalloc (size=<optimized out>) at gmem.cc:120
#4 copyString (s=0x16b78b9 "R") at gmem.cc:316
#5 0x000000000055b026 in Object::Object (this=<optimized out>, typeA=objCmd,
stringA=<optimized out>) at ./Object.h:157
#6 Lexer::getObj (this=<optimized out>, objNum=<optimized out>) at
Lexer.cc:573
#7 0x000000000057bbc6 in Parser::shift (this=<optimized out>, objNum=-1) at
Parser.cc:291
#8 0x000000000057a578 in Parser::getObj (this=0x16bbad0, simpleOnly=<optimized
out>, fileKey=<optimized out>, encAlgorithm=<optimized out>,
keyLength=<optimized out>, objNum=7, objGen=<optimized out>, recursion=1,
strict=<optimized out>) at Parser.cc:149
#9 0x000000000057ab52 in Parser::getObj (this=<optimized out>,
simpleOnly=<optimized out>, fileKey=<optimized out>, encAlgorithm=<optimized
out>, keyLength=<optimized out>, objNum=<optimized out>, objGen=<optimized
out>, recursion=<optimized out>, strict=<optimized out>) at Parser.cc:120
#10 0x00000000005d5880 in XRef::fetch (this=<optimized out>, num=<optimized
out>, gen=<optimized out>, recursion=<optimized out>) at XRef.cc:1165
#11 0x0000000000569d9e in Object::fetch (this=0x16bc310, xref=0x9ff120,
recursion=0) at Object.cc:125
#12 0x0000000000570bb1 in OutlineItem::readItemList (firstItemRef=<optimized
out>, xrefA=<optimized out>) at Outline.cc:127
#13 0x0000000000571b0a in OutlineItem::open (this=0x16bc2f0) at Outline.cc:149
#14 0x000000000041af2a in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1822
#15 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#16 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#17 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#18 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#19 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#20 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#21 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#22 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#23 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#24 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#25 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized
out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized
out>, level=<optimized out>) at HtmlOutputDev.cc:1826
.................
.................
.................
#58228 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58229 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58230 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58231 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58232 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58233 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58234 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel
(this=<optimized out>, output=<optimized out>, outlines=<optimized out>,
catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58235 0x000000000041a7ed in HtmlOutputDev::dumpDocOutline (this=0x9ff4a0,
doc=<optimized out>) at HtmlOutputDev.cc:1748
#58236 0x00000000004085bb in main (argc=<optimized out>, argv=<optimized out>)
at pdftohtml.cc:391
The PDF file has been attached to help reproduce the issue.</pre>
</div>
</p>
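The backtrace shows newHtmlOutlineLevel() re-entering itself tens of thousands of times before the stack is exhausted inside malloc. As an added example that is neither poppler's nor the reporter's code, the C++ below walks an outline tree of the same shape (/First child and /Next sibling references) with a visited set and a depth cap, so a self-referencing outline is reported instead of recursed into; the OutlineItem table, the kMaxDepth value and the cycle in the sample are all constructed assumptions.

```cpp
// Added example (not poppler code): a guarded walk over a PDF-style outline
// tree. A visited set plus a depth cap stop the unbounded recursion seen in
// the backtrace above. The outline table below is constructed for the demo.
#include <map>
#include <set>
#include <string>
#include <vector>
// Stand-in for an outline item dictionary, keyed by object number;
// /First and /Next are stored as object numbers (0 means null).
struct OutlineItem {
    std::string title;
    int first;   // first child item, or 0
    int next;    // next sibling item, or 0
};
using OutlineTable = std::map<int, OutlineItem>;
// Titles visited in pre-order, plus whether a guard cut the walk short.
struct WalkResult {
    std::vector<std::string> titles;
    bool cycle_detected = false;
    bool depth_exceeded = false;
};
static const int kMaxDepth = 64;   // assumed cap; real outlines are shallow
static void walkLevel(const OutlineTable& table, int ref, int depth,
                      std::set<int>& seen, WalkResult& out) {
    if (depth > kMaxDepth) { out.depth_exceeded = true; return; }
    // Follow the /Next chain iteratively; recurse only into /First.
    for (int cur = ref; cur != 0; ) {
        // An object number seen before means the tree refers back to itself.
        if (!seen.insert(cur).second) { out.cycle_detected = true; return; }
        auto it = table.find(cur);
        if (it == table.end()) return;            // dangling reference
        out.titles.push_back(it->second.title);
        if (it->second.first != 0)
            walkLevel(table, it->second.first, depth + 1, seen, out);
        if (out.cycle_detected || out.depth_exceeded) return;
        cur = it->second.next;
    }
}
WalkResult walkOutline(const OutlineTable& table, int rootFirst) {
    WalkResult out;
    std::set<int> seen;
    walkLevel(table, rootFirst, 0, seen, out);
    return out;
}
// Constructed outline: item 3's /First points back at item 1 (a cycle).
OutlineTable cyclicOutline() {
    return {{1, {"Chapter 1", 2, 3}}, {2, {"Section 1.1", 0, 0}},
            {3, {"Chapter 2", 1, 0}}};
}
```

Walking from item 1 yields the three titles once and then flags the cycle; walking from item 2 alone completes with no flag.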
</body>
</html>