Bug 102914 - pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability
Summary: pdftohtml HtmlOutputDev::newHtmlOutlineLevel() infinite loop vulnerability
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: pdftohtml
Version: unspecified
Hardware: All Linux (All)
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-09-21 02:39 UTC by Ziqiang Gu
Modified: 2017-12-26 23:19 UTC (History)

Attachments
POC file of the vulnerability (3.50 KB, application/pdf)
2017-09-21 02:39 UTC, Ziqiang Gu

Description Ziqiang Gu 2017-09-21 02:39:21 UTC
Created attachment 134396 [details]
POC file of the vulnerability

An infinite loop vulnerability has been found in poppler 0.59.0 pdftohtml HtmlOutputDev::newHtmlOutlineLevel() when handling crafted PDF files, which may lead to potential attack.

gzq@ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -h
pdftohtml version 0.59.0
Copyright 2005-2017 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1999-2003 Gueorgui Ovtcharov and Rainer Dorsch
Copyright 1996-2011 Glyph & Cog, LLC

Usage: pdftohtml [options] <PDF-file> [<html-file> <xml-file>]
  -f <int>              : first page to convert
  -l <int>              : last page to convert
  -q                    : don't print any messages or errors
  -h                    : print usage information
  -?                    : print usage information
  -help                 : print usage information
  --help                : print usage information
  -p                    : exchange .pdf links by .html
  -c                    : generate complex document
  -s                    : generate single document that includes all pages
  -i                    : ignore images
  -noframes             : generate no frames
  -stdout               : use standard output
  -zoom <fp>            : zoom the pdf document (default 1.5)
  -xml                  : output for XML post-processing
  -hidden               : output hidden text
  -nomerge              : do not merge paragraphs
  -enc <string>         : output text encoding name
  -fmt <string>         : image file format for Splash output (png or jpg)
  -v                    : print copyright and version info
  -opw <string>         : owner password (for encrypted files)
  -upw <string>         : user password (for encrypted files)
  -nodrm                : override document DRM settings
  -wbt <fp>             : word break threshold (default 10 percent)
  -fontfullname         : outputs font full name                           
gzq@ubuntu:~$ /home/gzq/install/poppler/bin/pdftohtml -q /home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf 
Segmentation fault
gzq@ubuntu:~$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q /home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q /home/gzq/fuzztmp/poppler/pdftohtml-newHtmlOutlineLevel-infinite-loop.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff620554e in _int_malloc (av=av@entry=0x7ffff6542b00 <main_arena>, bytes=bytes@entry=2) at malloc.c:3386
#0  0x00007ffff620554e in _int_malloc (av=av@entry=0x7ffff6542b00 <main_arena>, bytes=bytes@entry=2) at malloc.c:3386
#1  0x00007ffff62079e4 in __GI___libc_malloc (bytes=2) at malloc.c:2927
#2  0x00000000005fffc8 in gmalloc (checkoverflow=false, size=<optimized out>) at gmem.cc:110
#3  gmalloc (size=<optimized out>) at gmem.cc:120
#4  copyString (s=0x16b78b9 "R") at gmem.cc:316
#5  0x000000000055b026 in Object::Object (this=<optimized out>, typeA=objCmd, stringA=<optimized out>) at ./Object.h:157
#6  Lexer::getObj (this=<optimized out>, objNum=<optimized out>) at Lexer.cc:573
#7  0x000000000057bbc6 in Parser::shift (this=<optimized out>, objNum=-1) at Parser.cc:291
#8  0x000000000057a578 in Parser::getObj (this=0x16bbad0, simpleOnly=<optimized out>, fileKey=<optimized out>, encAlgorithm=<optimized out>, keyLength=<optimized out>, objNum=7, objGen=<optimized out>, recursion=1, strict=<optimized out>) at Parser.cc:149
#9  0x000000000057ab52 in Parser::getObj (this=<optimized out>, simpleOnly=<optimized out>, fileKey=<optimized out>, encAlgorithm=<optimized out>, keyLength=<optimized out>, objNum=<optimized out>, objGen=<optimized out>, recursion=<optimized out>, strict=<optimized out>) at Parser.cc:120
#10 0x00000000005d5880 in XRef::fetch (this=<optimized out>, num=<optimized out>, gen=<optimized out>, recursion=<optimized out>) at XRef.cc:1165
#11 0x0000000000569d9e in Object::fetch (this=0x16bc310, xref=0x9ff120, recursion=0) at Object.cc:125
#12 0x0000000000570bb1 in OutlineItem::readItemList (firstItemRef=<optimized out>, xrefA=<optimized out>) at Outline.cc:127
#13 0x0000000000571b0a in OutlineItem::open (this=0x16bc2f0) at Outline.cc:149
#14 0x000000000041af2a in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1822
#15 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#16 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#17 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#18 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#19 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#20 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#21 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#22 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#23 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#24 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#25 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
.................
.................
.................
#58228 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58229 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58230 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58231 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58232 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58233 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58234 0x000000000041afd3 in HtmlOutputDev::newHtmlOutlineLevel (this=<optimized out>, output=<optimized out>, outlines=<optimized out>, catalog=<optimized out>, level=<optimized out>) at HtmlOutputDev.cc:1826
#58235 0x000000000041a7ed in HtmlOutputDev::dumpDocOutline (this=0x9ff4a0, doc=<optimized out>) at HtmlOutputDev.cc:1748
#58236 0x00000000004085bb in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:391

The PDF file has been attached to help reproduce the issue.
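An added example, not poppler's code and not the fix that was pushed: a C++ walk over a constructed in-memory model of a PDF outline, showing the visited-set and depth checks that make a reference cycle in the /First and /Next links terminate instead of recursing without bound as in the backtrace above. The item layout, the index encoding and the depth cap of 64 are assumptions; the report does not show the crafted file's contents.

```cpp
#include <unordered_set>
#include <vector>

// Constructed in-memory model of a PDF outline (assumption, not poppler's
// OutlineItem): each item's /First (first child) and /Next (next sibling)
// references are stored as vector indices; -1 stands for a null reference.
struct OutlineItem {
    int first;
    int next;
};

static const int kMaxDepth = 64;  // assumed nesting cap, not a poppler value

// Walks one outline level the way newHtmlOutlineLevel does, but refuses to
// follow a reference it has already visited or to nest beyond kMaxDepth.
// Returns the number of items visited, or -1 when the outline is malformed.
static int walkLevel(const std::vector<OutlineItem>& items, int idx,
                     int depth, std::unordered_set<int>& seen) {
    if (depth > kMaxDepth) return -1;
    int count = 0;
    for (int cur = idx; cur >= 0; cur = items[cur].next) {
        if (cur >= (int)items.size()) return -1;    // dangling reference
        if (!seen.insert(cur).second) return -1;    // revisited: a cycle
        ++count;
        if (items[cur].first >= 0) {
            int sub = walkLevel(items, items[cur].first, depth + 1, seen);
            if (sub < 0) return -1;
            count += sub;
        }
    }
    return count;
}

// Entry point: `root` is the index of the outline root's /First item.
int countOutlineItems(const std::vector<OutlineItem>& items, int root) {
    std::unordered_set<int> seen;
    return walkLevel(items, root, 0, seen);
}

// Constructed well-formed outline: 0 -> child 1 -> child 2; 0's sibling is 3.
std::vector<OutlineItem> wellFormedOutline() {
    return {{1, 3}, {2, -1}, {-1, -1}, {-1, -1}};
}

// Constructed crafted outline: item 1's /First points back at item 0, the
// kind of reference cycle that drives the unpatched walker into unbounded recursion.
std::vector<OutlineItem> cyclicOutline() {
    return {{1, -1}, {0, -1}};
}
```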
Comment 1 Albert Astals Cid 2017-12-26 23:19:45 UTC
Fix pushed.

