| Summary: | poppler: stream object /Length attribute parsing infinite loop and stack memory exhaustion | ||
|---|---|---|---|
| Product: | poppler | Reporter: | Tomas Hoger <thoger> |
| Component: | general | Assignee: | poppler-bugs <poppler-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: |
Minimal test case
Minimal test case with multiple objects |
||
|
Description
Tomas Hoger
2010-06-28 00:48:07 UTC
Created attachment 36558 [details]
Minimal test case
One object referring to itself.
Created attachment 36559 [details]
Minimal test case with multiple objects
/Length reference loop with 3 objects.
Should be fixed in master (In reply to comment #3) > Should be fixed in master In http://cgit.freedesktop.org/poppler/poppler/commit/?id=b0555189a7 and http://cgit.freedesktop.org/poppler/poppler/commit/?id=3628837feb , it seems. Latest git version no longer crashes on the test files I have for this issue. I wonder if it might make sense to put some arbitrary sane limit on the maximum fetchOriginatorNums set size. For the /Length loop I reported, I suppose sets with more than a few members should be uncommon. Personally i'll avoid adding an arbitrary limit since finding a sane value is too difficult |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.