Bug 85272 - [pdftoppm] Loop tries to read 260335296 bytes
Summary: [pdftoppm] Loop tries to read 260335296 bytes
Status: RESOLVED NOTABUG
Alias: None
Product: poppler
Classification: Unclassified
Component: utils
Version: unspecified
Hardware: All All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2014-10-21 06:26 UTC by MH
Modified: 2017-09-03 16:50 UTC



Attachments
pdftoppm-eternalloop.pdf (252.59 KB, application/pdf)
2014-10-21 06:26 UTC, MH
828-unfuzzed.pdf (252.56 KB, application/pdf)
2014-10-21 13:47 UTC, MH

Description MH 2014-10-21 06:26:22 UTC
Created attachment 108146 [details]
pdftoppm-eternalloop.pdf

OS: Fedora 20 (running in virtualbox)
Dependencies installed with: yum-builddep poppler
Version: GIT Master
Command line for loop demonstration: master/utils/pdftoppm <attached.pdf> /dev/null

Tries to read 260,335,296 bytes.

#############################################################################
GDB output:

Reading symbols from /home/foobar/poppler/utils/.libs/lt-pdftoppm...done.
Starting program: /home/foobar/poppler/utils/.libs/lt-pdftoppm eternalloop-eternalread-828-pdftoppmfuzz-6.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Corrupt JPEG data: 19 extraneous bytes before marker 0xc4

^C

Program received signal SIGINT, Interrupt.
0x00007ffff7ab6588 in ImageStream::getLine (this=0x649d80) at Stream.cc:518
518       for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF;
(gdb) print inputLineSize
$1 = 260335296
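The trace above shows the per-row EOF padding loop running against a row size of 260,335,296 bytes taken from the image header. As an added illustration (example code written for this page, not poppler's code), the snippet below shows the kind of bound a decoder can check before allocating and padding a row; the cap value, the field names and the 19-byte sample stream are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example cap on the bytes one decoded image row may occupy.
 * Constructed for this example; it is not a poppler setting. */
#define MAX_ROW_BYTES (64LL * 1024 * 1024)

/* Constructed stand-in for the few bytes the stream actually delivers
 * before EOF (19 bytes, echoing the libjpeg warning in the report). */
static const uint8_t SAMPLE_STREAM[19] = { 0xFF, 0xD8, 0xFF, 0xC4 };

/* Derive the row size in bytes from the image header fields, rejecting
 * zero or absurd values and anything above the cap. Returns the byte
 * count, or -1 if the header is rejected. */
long long checked_row_bytes(uint32_t width, uint32_t ncomps, uint32_t bpc)
{
    if (width == 0 || ncomps == 0 || ncomps > 32 || bpc == 0 || bpc > 16)
        return -1;
    uint64_t bits = (uint64_t)width * ncomps * bpc; /* < 2^32*32*16: no overflow */
    uint64_t bytes = (bits + 7) / 8;
    return bytes > (uint64_t)MAX_ROW_BYTES ? -1 : (long long)bytes;
}

/* Read one row from an in-memory stream, padding a short read with 0xFF as a
 * decoder pads with EOF. Returns the padding byte count, or -1 if rejected. */
long long read_padded_row(const uint8_t *src, size_t src_len,
                          uint32_t width, uint32_t ncomps, uint32_t bpc)
{
    long long n = checked_row_bytes(width, ncomps, bpc);
    if (n < 0) return -1;
    uint8_t *row = malloc((size_t)n);
    if (!row) return -1;
    size_t got = src_len < (size_t)n ? src_len : (size_t)n;
    memcpy(row, src, got);
    long long pad = 0;
    for (size_t i = got; i < (size_t)n; i++, pad++) row[i] = 0xFF;
    free(row);
    return pad;
}

int main(void)
{
    /* 100 px, 3 components, 8 bpc: a 300-byte row, 281 bytes of padding. */
    printf("sane row: pad=%lld\n", read_padded_row(SAMPLE_STREAM, sizeof SAMPLE_STREAM, 100, 3, 8));
    /* The row size from the report, declared as one 8 bpc component: rejected. */
    printf("oversized row: %lld\n", read_padded_row(SAMPLE_STREAM, sizeof SAMPLE_STREAM, 260335296u, 1, 8));
    return 0;
}
```

With the cap in place the oversized header is refused before any allocation, so the padding loop never runs hundreds of millions of iterations per row.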
Comment 1 MH 2014-10-21 13:47:39 UTC
Created attachment 108184 [details]
828-unfuzzed.pdf

Attached unfuzzed file as per request.
Comment 2 Albert Astals Cid 2015-01-08 16:48:22 UTC
I don't see how this is a bug.
Comment 3 Henri Salo 2017-09-03 16:50:19 UTC
Using poppler 0.58.0 and openjpeg 2.2 with the following configure output.

Building poppler with support for:
  font configuration:  fontconfig
  splash output:       yes
  cairo output:        yes
  qt4 wrapper:         no
  qt5 wrapper:         yes
  glib wrapper:        yes
    introspection:     no
  cpp wrapper:         yes
  use gtk-doc:         no
  use libjpeg:         yes
  use libpng:          yes
  use libtiff:         yes
  use zlib compress:   yes
  use zlib uncompress: no
  use nss:             no
  use libcurl:         no
  use libopenjpeg:     yes
      with openjpeg2
  use cms:             yes
      with lcms2
  command line utils:  yes

I am unable to reproduce denial of service issues with this sample. As there haven't been any recent comments from upstream, I'm closing this case. I also tested with an ASan build. This sample file was processed in ~40 minutes on my test system.

I'm curious why there are old cases not properly handled in the issue tracker. Is the issue tracker somewhere else? Developers busy with other projects/life? It's a bit worrying, because poppler is so widely used.
