Bug 28172 - poppler: xref / XRefStm infinite loop and stack memory exhaustion
Summary: poppler: xref / XRefStm infinite loop and stack memory exhaustion
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
Depends on:
Reported: 2010-05-19 02:49 UTC by Tomas Hoger
Modified: 2014-05-02 11:20 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Reproducer (161 bytes, text/plain)
2010-05-19 02:50 UTC, Tomas Hoger

Description Tomas Hoger 2010-05-19 02:49:17 UTC
Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to
crash.  It triggers an infinite loop in xref table parsing.

XRef::readXRef is used to read xref table.  It calls XRef::readXRefTable for "old-style xref table":


readXRefTable reads the table and trailer, which may contain reference to additional xref table - /XRefStm.  It calls readXRef recursively using argument from PDF file without further sanitization:


If this refers to the same xref table that was just parsed, it causes poppler to call readXRef and readXRefTable recursively until all stack memory is exhausted and process is killed.

Possible fix may be to ignore /XRefStm back-references, if PDF spec allows that.
Comment 1 Tomas Hoger 2010-05-19 02:50:30 UTC
Created attachment 35752 [details]

Minimal test case, based on Sauli's test.
Comment 2 Albert Astals Cid 2010-05-25 15:46:00 UTC
Fixed in d207487

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.