Bug 28784 - poppler: stream object /Length attribute parsing infinite loop and stack memory exhaustion
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
 
Reported: 2010-06-28 00:48 UTC by Tomas Hoger
Modified: 2010-11-22 11:55 UTC (History)

Attachments
Minimal test case (183 bytes, text/plain)
2010-06-28 00:49 UTC, Tomas Hoger
Minimal test case with multiple objects (364 bytes, text/plain)
2010-06-28 00:50 UTC, Tomas Hoger

Description Tomas Hoger 2010-06-28 00:48:07 UTC
A circular reference in a (stream) object's /Length attribute can cause poppler's PDF parser to enter an infinite loop (deep recursion), leading to a program crash once all stack memory is exhausted. This can happen when an object's /Length attribute refers to the same object, but the loop can also contain additional intermediate objects.
Comment 1 Tomas Hoger 2010-06-28 00:49:23 UTC
Created attachment 36558
Minimal test case

One object referring to itself.
Comment 2 Tomas Hoger 2010-06-28 00:50:24 UTC
Created attachment 36559
Minimal test case with multiple objects

/Length reference loop with 3 objects.
Comment 3 Albert Astals Cid 2010-11-20 14:17:08 UTC
Should be fixed in master
Comment 4 Tomas Hoger 2010-11-22 05:23:30 UTC
(In reply to comment #3)
> Should be fixed in master

In http://cgit.freedesktop.org/poppler/poppler/commit/?id=b0555189a7 and http://cgit.freedesktop.org/poppler/poppler/commit/?id=3628837feb , it seems.

Latest git version no longer crashes on the test files I have for this issue.

I wonder if it might make sense to put some arbitrary sane limit on the maximum fetchOriginatorNums set size.  For the /Length loop I reported, I suppose sets with more than a few members should be uncommon.
Comment 5 Albert Astals Cid 2010-11-22 11:55:57 UTC
Personally I'll avoid adding an arbitrary limit, since finding a sane value is too difficult.
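
Added example (not part of the original report and not poppler's code): a simplified model of resolving an indirect /Length while tracking the object numbers already followed, so that both the self-reference and the 3-object loop described above are rejected instead of recursing. `LengthEntry`, `ObjectTable` and `resolveLength` are hypothetical names, and the object tables are constructed samples.

```cpp
#include <cstdio>
#include <map>
#include <set>

// Simplified model (assumption): following an object number yields either a
// direct integer length or an indirect reference to another object number.
struct LengthEntry {
    bool isRef;  // true: `value` is the object number to follow next
    long value;  // direct length, or the referenced object number
};
using ObjectTable = std::map<int, LengthEntry>;

// Resolve the length reachable from object `num`. Every object number that is
// followed goes into `visited`; meeting one a second time means the chain
// loops, so resolution stops instead of recursing until the stack runs out.
// Returns false for a loop, a dangling reference, or a negative length.
bool resolveLength(const ObjectTable &objs, int num, long &out) {
    std::set<int> visited;
    int cur = num;
    for (;;) {
        if (!visited.insert(cur).second) return false;  // reference loop
        auto it = objs.find(cur);
        if (it == objs.end()) return false;             // dangling reference
        if (!it->second.isRef) {
            if (it->second.value < 0) return false;     // invalid length
            out = it->second.value;
            return true;
        }
        cur = static_cast<int>(it->second.value);
    }
}

// Constructed sample tables (not the attachments from this bug).
ObjectTable selfLoop()  { return {{1, {true, 1}}}; }
ObjectTable threeLoop() { return {{1, {true, 2}}, {2, {true, 3}}, {3, {true, 1}}}; }
ObjectTable valid()     { return {{1, {true, 2}}, {2, {false, 42}}}; }

int main() {
    long len = 0;
    std::printf("self loop:  %s\n", resolveLength(selfLoop(), 1, len) ? "ok" : "rejected");
    std::printf("three loop: %s\n", resolveLength(threeLoop(), 1, len) ? "ok" : "rejected");
    if (resolveLength(valid(), 1, len)) std::printf("valid: %ld\n", len);
    return 0;
}
```

The visited set grows only as long as the reference chain itself, and the loop is iterative, so stack use stays constant regardless of chain length.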

