Bug 101551 - Stack exhaustion in Gfx.cc
Summary: Stack exhaustion in Gfx.cc
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-21 22:22 UTC by foca@salesforce.com
Modified: 2018-08-20 21:53 UTC

Proof of concept (3.71 KB, application/pdf)
2017-06-21 22:22 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-21 22:22:20 UTC
Created attachment 132126
Proof of concept

There is an infinite recursion in pdftocairo parsing the attached PoC2.pdf. As a result of the infinite (or very deep) recursion all the stack space is consumed and the application crashes.

The recursion happens when the following functions are called over and over again; in my case the backtrace had ~32k calls:
#31040 0x00000000004373cb in Gfx::drawForm (this=0x94c770, str=0x94df98, resDict=0x0, matrix=0x7fffffffd5f0, bbox=0x94df28, transpGroup=false, softMask=false, blendingColorSpace=0x0, isolated=false, knockout=false, alpha=false, transferFunc=0x0, backdropColor=0x0) at Gfx.cc:4979
#31041 0x00000000004274f5 in Gfx::doTilingPatternFill (this=0x94c770, tPat=0x94df10, stroke=false, eoFill=true, text=false) at Gfx.cc:2309
#31042 0x0000000000425ae5 in Gfx::doPatternFill (this=0x94c770, eoFill=true) at Gfx.cc:2025
#31043 0x000000000042551e in Gfx::opEOFill (this=0x94c770, args=0x7fffffffd860, numArgs=0) at Gfx.cc:1911
#31044 0x0000000000420708 in Gfx::execOp (this=0x94c770, cmd=0x7fffffffd850, args=0x7fffffffd860, numArgs=0) at Gfx.cc:909
#31045 0x000000000041ff6e in Gfx::go (this=0x94c770, topLevel=true) at Gfx.cc:767
#31046 0x000000000041fd3d in Gfx::display (this=0x94c770, obj=0x7fffffffdbb0, topLevel=true) at Gfx.cc:729

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC2.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
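The drawForm -> doTilingPatternFill -> doPatternFill cycle from the backtrace, modelled as an added C++ example that is neither poppler's code nor the reporter's: a fill operator that references a tiling pattern descends into that pattern's content stream, and a pattern whose stream references itself would recurse without bound, so this renderer counts nesting depth with an RAII guard and refuses to descend past a fixed limit instead of exhausting the stack. Renderer, PatternDict, DepthGuard and kMaxPatternDepth are assumed names, and the limit value is an assumption.

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <vector>
// Constructed model, not poppler's types: a tiling pattern's content stream is
// reduced to the list of pattern names its own fill operators reference.
using Pattern = std::vector<std::string>;
using PatternDict = std::map<std::string, Pattern>;
constexpr int kMaxPatternDepth = 12;  // nesting limit; the value is an assumption
class Renderer {
    // RAII counter: incremented on entry to fill(), decremented on every exit path.
    struct DepthGuard {
        int& d;
        explicit DepthGuard(int& depth) : d(depth) { ++d; }
        ~DepthGuard() { --d; }
    };
    PatternDict patterns_;
    int depth_ = 0;
public:
    explicit Renderer(const PatternDict& p) : patterns_(p) {}
    // Mirrors the drawForm -> doTilingPatternFill -> doPatternFill cycle from the backtrace,
    // but bounded: returns pattern forms drawn, throws past kMaxPatternDepth instead of recursing.
    int fill(const std::string& name) {
        DepthGuard guard(depth_);
        if (depth_ > kMaxPatternDepth)
            throw std::runtime_error("tiling pattern nesting too deep: " + name);
        auto it = patterns_.find(name);
        if (it == patterns_.end())
            throw std::runtime_error("unknown pattern: " + name);
        int drawn = 1;
        for (const auto& inner : it->second)
            drawn += fill(inner);  // where the PoC's stream re-enters drawForm
        return drawn;
    }
};
// Benign two-level nesting: P0's stream fills with P1, which fills nothing.
int drawBenign() {
    PatternDict p;
    p["P0"] = {"P1"};
    p["P1"] = {};
    return Renderer(p).fill("P0");
}
// Self-referencing pattern, the shape that exhausts the stack in the report.
bool selfReferenceIsRejected() {
    PatternDict p;
    p["P0"] = {"P0"};
    try { Renderer(p).fill("P0"); return false; }
    catch (const std::runtime_error&) { return true; }
}
```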
Comment 1 GitLab Migration User 2018-08-20 21:53:30 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/112.
