Bug 28172 - poppler: xref / XRefStm infinite loop and stack memory exhaustion
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2010-05-19 02:49 UTC by Tomas Hoger
Modified: 2014-05-02 11:20 UTC (History)
Attachments
Reproducer (161 bytes, text/plain)
2010-05-19 02:50 UTC, Tomas Hoger

Description Tomas Hoger 2010-05-19 02:49:17 UTC
Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to
crash. It triggers an infinite loop in xref table parsing.

XRef::readXRef is used to read the xref table.  It calls XRef::readXRefTable for an "old-style xref table":

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/XRef.cc?id=32de2ac6#n362

readXRefTable reads the table and trailer, which may contain a reference to an additional xref table - /XRefStm.  It calls readXRef recursively using the argument from the PDF file without further sanitization:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/XRef.cc?id=32de2ac6#n509

If this refers to the same xref table that was just parsed, it causes poppler to call readXRef and readXRefTable recursively until all stack memory is exhausted and the process is killed.

A possible fix may be to ignore /XRefStm back-references, if the PDF spec allows that.
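The recursion described above, shown as an added example that is not poppler's code: a toy xref-chain walker that records every offset it has already followed, so a trailer whose /XRefStm or /Prev points back at a section already read stops with a loop status instead of calling itself again. The section map, its field names and the offsets are constructed for illustration.

```cpp
// Added example, not poppler's code: follow a chain of xref sections while
// refusing to revisit an offset, so a back-reference cannot recurse unbounded.
#include <cstdint>
#include <map>
#include <set>
#include <vector>
// Constructed stand-in for a parsed xref section: only the trailer keys that
// chain to further sections are modelled (0 means the key is absent).
struct XrefSection {
    int64_t xrefStm;  // /XRefStm: cross-reference stream of a hybrid file
    int64_t prev;     // /Prev: earlier xref section
};
using XrefFile = std::map<int64_t, XrefSection>;  // byte offset -> section
enum class XrefStatus { Ok, Loop, Missing };
struct XrefWalk {
    XrefStatus status;
    std::vector<int64_t> order;  // offsets actually read, in order
};
// Reads the section at pos, then follows /XRefStm and /Prev. `followed` keeps
// every offset visited so far; a repeat is reported as a loop, not read again.
static XrefStatus readXRef(const XrefFile &file, int64_t pos,
                           std::set<int64_t> &followed, XrefWalk &walk) {
    if (!followed.insert(pos).second)
        return XrefStatus::Loop;            // back-reference: stop here
    auto it = file.find(pos);
    if (it == file.end())
        return XrefStatus::Missing;
    walk.order.push_back(pos);
    const XrefSection &sec = it->second;
    if (sec.xrefStm != 0) {
        XrefStatus s = readXRef(file, sec.xrefStm, followed, walk);
        if (s != XrefStatus::Ok) return s;
    }
    if (sec.prev != 0)
        return readXRef(file, sec.prev, followed, walk);
    return XrefStatus::Ok;
}
// Entry point: start from the startxref offset and report what was read.
XrefWalk walkXrefChain(const XrefFile &file, int64_t startxref) {
    XrefWalk walk{XrefStatus::Ok, {}};
    std::set<int64_t> followed;
    walk.status = readXRef(file, startxref, followed, walk);
    return walk;
}
// Constructed inputs: a well-formed hybrid-file chain (300 -> 200 -> 100) and
// the reported case, a section at offset 100 whose trailer says /XRefStm 100.
XrefFile goodFile() { return {{100, {0, 0}}, {200, {0, 100}}, {300, {200, 0}}}; }
XrefFile loopFile() { return {{100, {100, 0}}}; }
```

Whether a detected loop should abort parsing or merely stop following the chain is a policy choice; the walker above only makes the condition visible.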
Comment 1 Tomas Hoger 2010-05-19 02:50:30 UTC
Created attachment 35752
Reproducer

Minimal test case, based on Sauli's test.
Comment 2 Albert Astals Cid 2010-05-25 15:46:00 UTC
Fixed in d207487