Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to
crash. It triggers an infinite loop in xref table parsing.
XRef::readXRef is used to read the xref table. It calls XRef::readXRefTable for an "old-style xref table":
readXRefTable reads the table and trailer, which may contain a reference to an additional xref table - /XRefStm. It calls readXRef recursively using an argument from the PDF file without further sanitization:
If this refers to the same xref table that was just parsed, it causes poppler to call readXRef and readXRefTable recursively until all stack memory is exhausted and the process is killed.
A possible fix may be to ignore /XRefStm back-references, if the PDF spec allows that.
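The unbounded recursion described above can be stopped by remembering every xref offset already followed and refusing to revisit one. The walker below is an added example, not poppler's code or its fix; it runs on constructed PDF-like bytes (table A whose /XRefStm points at itself, or at a table B that links back via /Prev) and only parses old-style tables, treating anything else at the target offset as an xref stream it does not descend into.

```python
import re

TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)

def find_startxref(data: bytes) -> int:
    """Offset of the first xref section, taken from the trailing startxref."""
    m = re.search(rb"startxref\s+(\d+)", data[data.rfind(b"startxref"):])
    if not m:
        raise ValueError("no startxref")
    return int(m.group(1))

def trailer_links(data: bytes, pos: int) -> dict:
    """Return the numeric /XRefStm and /Prev entries of the trailer that
    follows the old-style xref table at `pos` (empty dict if none)."""
    m = TRAILER_RE.search(data, pos)
    links = {}
    if m:
        for key in (b"XRefStm", b"Prev"):
            km = re.search(rb"/" + key + rb"\s+(\d+)", m.group(1))
            if km:
                links[key.decode()] = int(km.group(1))
    return links

def walk_xref_chain(data: bytes, pos: int, seen=None) -> list:
    """Follow /XRefStm and /Prev links from `pos`, returning the offsets
    visited in order. Each offset is recorded before recursing, so a trailer
    that points back at its own table (or any longer loop) is ignored
    instead of being recursed into until the stack is exhausted."""
    if seen is None:
        seen = []
    if pos in seen or not (0 <= pos < len(data)):
        return seen                       # back-reference or out of range: stop
    seen.append(pos)
    if data[pos:pos + 4] != b"xref":      # xref streams are not parsed here
        return seen
    for target in trailer_links(data, pos).values():
        walk_xref_chain(data, target, seen)
    return seen

def build_sample(self_ref: bool) -> bytes:
    """Constructed PDF-like bytes (not a valid PDF): table A's /XRefStm points
    back at A itself (the reported crash shape) or at table B, which links
    back to A via /Prev. Fixed-width offsets keep the layout computable."""
    head = b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    a_off = len(head)
    entries = b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    trailer_a = b"trailer\n<< /Size 2 /XRefStm %010d >>\n"
    b_off = a_off + len(entries) + len(trailer_a % 0)
    table_a = entries + trailer_a % (a_off if self_ref else b_off)
    table_b = entries + b"trailer\n<< /Size 2 /Prev %010d >>\n" % a_off
    return head + table_a + table_b + b"startxref\n%d\n%%%%EOF\n" % a_off
```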
Created attachment 35752
Minimal test case, based on Sauli's test.
Fixed in d207487