Created attachment 20027
add hash check for outlines section numbers

If the definition of an outlines section in a document is broken and /Next references contain a loop, libpoppler will follow this blindly and become stuck in a loop of its own. The broken documents I found had sections arranged like:

  24 /First 25 ... /Type/Outlines
  25 /Next 51 ...
  27 /Next 28 ...
  28 /Next 52 ...
  29 /Next 27 ...
  30 /Next 29 ...
  ...
  50 /Next 49 ...
  51 /Next 50 ...
  52 /Next 51 ...

I assume that the same bug could be triggered with just two Outlines sections. Attached is a patch that fixes this issue, but I have no experience with the workflow and coding practices of the poppler project, so it may not suit the authors. This issue applies to v0.8.7 and earlier. The patch is valid for this version and also applies cleanly to 0.5.9. The patch works by adding a hash of outline section numbers visited. If a number appears again, the loop is exited.
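The visited-set traversal the report describes, written out as an added C++ example; this is not poppler's OutlineItem::readItemList nor either attached patch. It assumes a simplified model in which an outline item is just its /First and /Next references stored in a map keyed by object number, and it rebuilds the cyclic chain quoted above as constructed input.

```cpp
#include <map>
#include <set>
#include <vector>

// Simplified stand-in for an outline item dictionary: only the two references
// the traversal follows, keyed by object number. -1 means "absent".
struct OutlineItem {
    int first;  // /First child
    int next;   // /Next sibling
};
using ObjectTable = std::map<int, OutlineItem>;

// Follow the /Next chain from startRef, descending into /First children, and
// return the references visited in order. alreadyRead holds every reference
// seen so far; a /Next (or /First) that points at one of them ends the walk
// instead of looping forever, which is the failure the bug report describes.
std::vector<int> readItemList(const ObjectTable& objs, int startRef,
                              std::set<int>& alreadyRead) {
    std::vector<int> visited;
    for (int ref = startRef; ref != -1;) {
        // insert() reports whether ref was new; a repeat means a cycle.
        if (!alreadyRead.insert(ref).second) break;
        auto it = objs.find(ref);
        if (it == objs.end()) break;  // dangling reference: stop cleanly
        visited.push_back(ref);
        if (it->second.first != -1) {
            auto kids = readItemList(objs, it->second.first, alreadyRead);
            visited.insert(visited.end(), kids.begin(), kids.end());
        }
        ref = it->second.next;
    }
    return visited;
}

// Convenience wrapper that owns the visited set for one whole walk.
std::vector<int> walkOutlines(const ObjectTable& objs, int rootRef) {
    std::set<int> alreadyRead;
    return readItemList(objs, rootRef, alreadyRead);
}

// Constructed table reproducing the chain quoted in the report:
// 24 /First 25, 25 /Next 51, 51..30 each /Next the one below, 29 /Next 27,
// 27 /Next 28, 28 /Next 52, 52 /Next 51 (closing the cycle).
ObjectTable brokenOutlines() {
    ObjectTable t;
    t[24] = {25, -1};
    t[25] = {-1, 51};
    for (int r = 51; r >= 30; --r) t[r] = {-1, r - 1};
    t[29] = {-1, 27}; t[27] = {-1, 28}; t[28] = {-1, 52}; t[52] = {-1, 51};
    return t;
}
```

Walking from object 24 visits 28 distinct items and stops when 52's /Next points back at 51; without the set the same walk never returns.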
I was waiting until someone decided to create a CVE or something due to this; congratulations for being the one on the outside to notice and care :-) I'd like you to suggest a patch based on the same approach used in Catalog::readPageTree and alreadyRead. It's probably more memory intensive, but it does not slow down things as much as yours does, and given there's already one place where such a construction is used, memory usage is not a problem.
Excuse my laziness in getting back... I redid the original patch using your suggested method, against the sources for v0.10.4. It will be attached as: outlineitems_alreadyread.patch. Having already made the first patch, I re-read your previous comment and noted the part: 'already one place where such construction is used', so I redid the patch once again, with an alreadyRead buffer shared between the Catalog and Outline objects, in case that is what you were hinting. It is a bit messy passing the buffer around though; I contemplated putting it in the XRef structure, but it seems this structure has not changed in many versions of poppler, so I assumed it is required to remain unchanged? Anyhow, I hope one of these patches is of use.
Created attachment 23431
Add a lookup table for ref numbers already found in OutlineItem::readItemList
Created attachment 23432
Lookup table for reference numbers shared between Catalog and Outline
I've committed the patch from comment #3, thanks a lot for the work :-)