Created attachment 131533: analysis_and_PoC

## Summary

The pdfunite util in poppler-0.55.0 will crash when parsing a crafted PDF file, because the program falls into a recursive, interacting call of two functions and eventually exhausts the stack space.

## Reproduce

pengjiaqi@ubuntu:~/Documents/crash/poppler-0.55.0ild-gcc/utils$ ./pdfunite PoC.pdf 1.pdf
Segmentation fault

## Analysis

Because the analysis is a little complex, I have uploaded it as an attachment, along with a PoC. In order to avoid disclosing it before a patch is released, I have encrypted it. The developers can communicate with me to get the password.

## Author

name: Jiaqi Peng
email: pjqruc@gmail.com
*** Bug 101209 has been marked as a duplicate of this bug. ***
*** Bug 101210 has been marked as a duplicate of this bug. ***
You can send the password to me, but really, next time unless you can prove the crash can be exploited just attach the pdf and that's it.
(In reply to Albert Astals Cid from comment #3)
> You can send the password to me, but really, next time unless you can prove
> the crash can be exploited just attach the pdf and that's it.

OK, I will! I have sent the password to you.
Created attachment 132401: Albert's patch to fix the problem

Thomas, the attached patch fixes the problem by basically keeping track of the dicts we've marked/written so we don't end up in a recursion. What do you think?
(In reply to Albert Astals Cid from comment #5)
> Created attachment 132401: Albert's patch to fix the problem
>
> Thomas, the attached patch fixes the problem by basically keeping track of
> the dicts we've marked/written so we don't end up in a recursion.
>
> What do you think?

Looks good to me. It should break any dictionary recursion.
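The mitigation discussed in comments 5 and 6 (remember which dictionaries have already been marked so a reference cycle cannot drive unbounded recursion), shown as an added example on a constructed PDF object graph; this is illustrative code, not poppler's own implementation, and the object table, `Entry` type and `markReachable` function are assumptions made for the example.

```cpp
#include <map>
#include <set>
#include <string>
#include <cstdio>

// Constructed model of a PDF object graph: each indirect object is a dictionary
// whose entries hold either a direct value or a reference to another object number.
struct Entry { bool isRef; int ref; };
using Dict = std::map<std::string, Entry>;
using ObjectTable = std::map<int, Dict>;

// Guarded marking pass. The 'marked' set records every dict already visited, so a
// cycle such as /Kids -> page -> /Parent -> back to the pages node terminates instead
// of recursing until the stack is exhausted. Returns the number of distinct objects
// reached from 'root'; a dangling reference still counts once and is not descended.
static int markReachable(const ObjectTable& objs, int root, std::set<int>& marked) {
    if (marked.count(root)) return 0;      // already handled: cut the recursion here
    marked.insert(root);
    auto it = objs.find(root);
    if (it == objs.end()) return 1;        // dangling reference: nothing more to walk
    int n = 1;
    for (const auto& kv : it->second) {
        if (kv.second.isRef) n += markReachable(objs, kv.second.ref, marked);
    }
    return n;
}

// Constructed sample: catalog (1) -> pages node (2) -> page (3) whose /Parent points
// back at 2. Without the 'marked' set, the walk would never terminate.
static ObjectTable cyclicSample() {
    ObjectTable t;
    t[1] = {{"/Type", {false, 0}}, {"/Pages", {true, 2}}};
    t[2] = {{"/Kids", {true, 3}}, {"/Count", {false, 1}}};
    t[3] = {{"/Parent", {true, 2}}, {"/Contents", {true, 4}}};
    t[4] = {{"/Length", {false, 0}}};
    return t;
}

// Marks the constructed cyclic graph from the catalog; returns 4 (objects 1, 2, 3, 4).
int markCyclicSample() {
    std::set<int> seen;
    return markReachable(cyclicSample(), 1, seen);
}

int main() {
    std::printf("%d objects marked\n", markCyclicSample());
    return 0;
}
```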