Bug 91186 - Malformed input will cause a stack overflow and crash
Summary: Malformed input will cause a stack overflow and crash
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
 
Reported: 2015-07-02 08:42 UTC by Hanno Böck
Modified: 2015-09-06 20:34 UTC


Attachments
sample input (100 bytes, text/plain)
2015-07-02 08:42 UTC, Hanno Böck
Fix JBIG2Decode infinite loop and stack overflow (1.29 KB, patch)
2015-09-06 18:48 UTC, Jason Crain

Description Hanno Böck 2015-07-02 08:42:04 UTC
Created attachment 116869
sample input

The attached file will segfault poppler (can be tested with either evince or any of the pdfto* command line tools). It seems to be an endless recursion causing a stack overflow judging from the address sanitizer stack trace.

Found with american fuzzy lop.

Error message from asan:
==17945==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0e24df08 (pc 0x7fcca06dab7d bp 0x7ffd0e24e4e0 sp 0x7ffd0e24df10 T0)
    #0 0x7fcca06dab7c in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1304
    #1 0x7fcca06e0240 in buffered_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:2348
    #2 0x7fcca06daca4 in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1296
    #3 0x490882 in fprintf (/mnt/ram/poppler/pdftoppm+0x490882)
    #4 0x5545f0 in error(ErrorCategory, long long, char const*, ...) /f/poppler-0.33.0/poppler/Error.cc:88:7
    #5 0x66d487 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:217:5
    #6 0x66bbea in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:131:34
    #7 0x6ce3a8 in XRef::fetch(int, int, Object*, int) /f/poppler-0.33.0/poppler/XRef.cc:1198:5
    #8 0x65afd0 in Object::fetch(XRef*, Object*, int) /f/poppler-0.33.0/poppler/Object.cc:122:10
    #9 0x68f4ee in Stream::makeFilter(char*, Stream*, Object*, int, Object*) /f/poppler-0.33.0/poppler/Stream.cc:348:9
    #10 0x68d363 in Stream::addFilters(Object*, int) /f/poppler-0.33.0/poppler/Stream.cc:188:11
    #11 0x66ded9 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:277:9
    #12 0x66bbea in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:131:34

(this goes on for several hundred lines)
Comment 1 Jason Crain 2015-09-06 18:48:19 UTC
Created attachment 118106
Fix JBIG2Decode infinite loop and stack overflow

A PDF object with a JBIG2Decode filter can create a stack overflow or infinite loop.  This patch fixes the stack overflow by adding the 'recursion' argument to the fetch call.  And it fixes the infinite loop by removing the reference lookup loop since chains of references aren't allowed by the spec.  At least I haven't seen any other reader that supports them.
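The two defects Comment 1 describes, modelled as an added example in C++ that is not poppler's code or the attached patch: a fetch whose recursion depth is threaded through every nested object lookup (so the makeStream -> addFilters -> fetch -> getObj -> makeStream cycle in the trace bottoms out as a null object), and a resolver that refuses to follow a bare reference that resolves to another bare reference. The object model, the depth bound kMaxRecursion and the sample documents are assumptions constructed for the example.

```cpp
#include <map>
#include <vector>

// Constructed model of a PDF object table (added example, not poppler code).
// An object is a plain value, a bare reference to another object number, or
// a stream whose filter parameters name objects to fetch before it is built.
enum class Kind { Value, Ref, Stream };
struct Obj {
  Kind kind;
  int target = 0;          // Ref: the referenced object number
  std::vector<int> parms;  // Stream: object numbers its filters need
};
using Xref = std::map<int, Obj>;
enum class Result { Ok, Null };
struct Trace { int fetches = 0; int maxDepth = 0; };  // observed behaviour
// Assumed depth bound for this model; poppler's own limit is not on the page.
const int kMaxRecursion = 100;

Result fetch(const Xref& xref, int num, int recursion, Trace& t);

// Building a stream fetches its parameter objects. In the bug that fetch
// re-enters the parser, which is the cycle the ASan trace shows.
Result makeStream(const Xref& xref, const Obj& s, int recursion, Trace& t) {
  for (int p : s.parms)
    if (fetch(xref, p, recursion + 1, t) == Result::Null) return Result::Null;
  return Result::Ok;
}

Result fetch(const Xref& xref, int num, int recursion, Trace& t) {
  t.fetches++;
  if (recursion > t.maxDepth) t.maxDepth = recursion;
  // The fix: depth travels with every nested fetch, so a reference cycle
  // bottoms out as a null object instead of exhausting the stack.
  if (recursion > kMaxRecursion) return Result::Null;
  auto it = xref.find(num);
  if (it == xref.end()) return Result::Null;
  switch (it->second.kind) {
    case Kind::Value:  return Result::Ok;
    // A reference that resolves to another bare reference is a chain the
    // spec does not allow; treat it as null rather than looping to follow it.
    case Kind::Ref:    return Result::Null;
    case Kind::Stream: return makeStream(xref, it->second, recursion, t);
  }
  return Result::Null;
}

// Constructed documents: a cycle (5 needs 6 needs 5), a clean one, a ref chain.
Xref cyclicDoc()  { return {{5, {Kind::Stream, 0, {6}}}, {6, {Kind::Stream, 0, {5}}}}; }
Xref healthyDoc() { return {{5, {Kind::Stream, 0, {6}}}, {6, {Kind::Value}}}; }
Xref chainDoc()   { return {{5, {Kind::Ref, 6}}, {6, {Kind::Ref, 5}}}; }
```

With the bound in place the cyclic document costs kMaxRecursion + 2 fetches and then yields a null object; without it the same two objects would recurse until the stack is gone, which is the ASan report above.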
Comment 2 Albert Astals Cid 2015-09-06 20:34:25 UTC
Cool!

Pushed.
