Bug 101208 - [pdfunite] crash due to a recursive call of two functions that exhausts the call stack
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: utils
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Duplicates: 101209 101210
Depends on:
Blocks:

Reported: 2017-05-27 06:34 UTC by Jiaqi Peng
Modified: 2017-07-19 11:27 UTC
CC: 4 users

See Also:


Attachments
analysis_and_PoC (741.54 KB, application/x-rar), 2017-05-27 06:34 UTC, Jiaqi Peng
Albert's patch to fix the problem (11.88 KB, patch), 2017-07-02 21:36 UTC, Albert Astals Cid

Description Jiaqi Peng 2017-05-27 06:34:38 UTC
Created attachment 131533: analysis_and_PoC

## Summary
The pdfunite util in poppler-0.55.0 will crash when parsing a crafted PDF file, because the program falls into a mutually recursive call of two functions and eventually exhausts the stack space.


## Reproduce
pengjiaqi@ubuntu:~/Documents/crash/poppler-0.55.0ild-gcc/utils$ ./pdfunite PoC.pdf 1.pdf
Segmentation fault


## Analysis
Because the analysis is a little complex, I have uploaded it as an attachment, along with a PoC. In order to avoid disclosing it before a patch is released, I have encrypted it. The developers can contact me to get the password.


## Author
name: Jiaqi Peng
email: pjqruc@gmail.com
Comment 1 Albert Astals Cid 2017-05-27 16:31:34 UTC
*** Bug 101209 has been marked as a duplicate of this bug. ***
Comment 2 Albert Astals Cid 2017-05-27 16:31:39 UTC
*** Bug 101210 has been marked as a duplicate of this bug. ***
Comment 3 Albert Astals Cid 2017-05-27 16:32:33 UTC
You can send the password to me, but really, next time unless you can prove the crash can be exploited just attach the pdf and that's it.
Comment 4 Jiaqi Peng 2017-05-28 01:40:15 UTC
(In reply to Albert Astals Cid from comment #3)
> You can send the password to me, but really, next time unless you can prove
> the crash can be exploited just attach the pdf and that's it.

OK, I will! I have sent the password to you.
Comment 5 Albert Astals Cid 2017-07-02 21:36:26 UTC
Created attachment 132401: Albert's patch to fix the problem

Thomas, the attached patch fixes the problem by basically keeping track of the dicts we've marked/written so we don't end up in a recursion.

What do you think?
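The approach Albert describes (remember every dict already marked or written, so a reference cycle cannot drive the markObject/markDict pair into unbounded recursion), as an added illustration that is neither poppler's code nor the attached patch. It uses a hypothetical, simplified object model (Ref, Dict, ObjectTable) and constructed sample graphs, one cyclic and one acyclic; the naive walk uses a depth cap only so the demonstration terminates where the real code would overflow the stack.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Hypothetical simplified model of a PDF object graph (not poppler's Object/Dict classes):
// an indirect object is identified by its ref number, a dictionary maps key -> child ref.
using Ref = int;
struct Dict { std::map<std::string, Ref> entries; };
using ObjectTable = std::map<Ref, Dict>;

// Constructed sample: two dictionaries referencing each other, i.e. a reference cycle.
ObjectTable cyclicTable() {
    ObjectTable t;
    t[1].entries["/Kid"] = 2;
    t[2].entries["/Parent"] = 1;
    return t;
}

// Constructed sample: a plain chain 1 -> 2 -> 3 with a leaf dict at the end.
ObjectTable acyclicTable() {
    ObjectTable t;
    t[1].entries["/Kid"] = 2;
    t[2].entries["/Font"] = 3;
    t[3] = Dict{};
    return t;
}

// Naive mutually recursive walk, the shape the bug describes: markObject -> markDict -> markObject ...
// On a cycle the recursion never terminates. The depth cap here stands in for the stack overflow;
// the function returns true when the cap is reached, i.e. where the real code would crash.
static bool naiveMarkDict(const ObjectTable&, const Dict&, int depth, int maxDepth);
static bool naiveMarkObject(const ObjectTable& t, Ref r, int depth, int maxDepth) {
    if (depth > maxDepth) return true;          // stand-in for exhausting the call stack
    auto it = t.find(r);
    if (it == t.end()) return false;            // dangling ref: nothing to descend into
    return naiveMarkDict(t, it->second, depth + 1, maxDepth);
}
static bool naiveMarkDict(const ObjectTable& t, const Dict& d, int depth, int maxDepth) {
    for (const auto& kv : d.entries)
        if (naiveMarkObject(t, kv.second, depth + 1, maxDepth)) return true;
    return false;
}
bool naiveWalkHitsDepthCap(const ObjectTable& t, Ref root, int maxDepth) {
    return naiveMarkObject(t, root, 0, maxDepth);
}

// Hardened walk: every ref is recorded the first time it is marked and skipped on revisit.
// Recursion depth is then bounded by the number of distinct objects, so a cycle terminates.
static void safeMarkDict(const ObjectTable&, const Dict&, std::set<Ref>& marked);
static void safeMarkObject(const ObjectTable& t, Ref r, std::set<Ref>& marked) {
    if (!marked.insert(r).second) return;       // already marked: this breaks the cycle
    auto it = t.find(r);
    if (it == t.end()) return;
    safeMarkDict(t, it->second, marked);
}
static void safeMarkDict(const ObjectTable& t, const Dict& d, std::set<Ref>& marked) {
    for (const auto& kv : d.entries) safeMarkObject(t, kv.second, marked);
}
std::set<Ref> safeWalk(const ObjectTable& t, Ref root) {
    std::set<Ref> marked;
    safeMarkObject(t, root, marked);
    return marked;
}

int main() {
    std::printf("cyclic graph, naive walk hits depth cap: %d\n",
                naiveWalkHitsDepthCap(cyclicTable(), 1, 1000));
    std::printf("cyclic graph, tracked walk marks %zu objects\n",
                safeWalk(cyclicTable(), 1).size());
    std::printf("acyclic graph, tracked walk marks %zu objects\n",
                safeWalk(acyclicTable(), 1).size());
    return 0;
}
```

The check worth carrying into any such traversal is the one on the insert result: the visited set must be consulted before descending, not after, otherwise the cycle is still entered once per frame. A depth limit alone would also stop the crash, but it turns a malformed file into silently truncated output, whereas the visited set marks every reachable object exactly once.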
Comment 6 Thomas Freitag 2017-07-03 08:35:11 UTC
(In reply to Albert Astals Cid from comment #5)
> Created attachment 132401: Albert's patch to fix the problem
> 
> Thomas, the attached patch fixes the problem by basically keeping track of
> the dicts we've marked/written so we don't end up in a recursion.
> 
> What do you think?

Looks good to me. It should break any dictionary recursion.

