Bug 96217 - poppler-0.44.0: infinity loop: Syntax Error (448): Dictionary key must be a name object / Bad 'Length' attribute in stream
Status: RESOLVED MOVED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2016-05-25 18:21 UTC by LE GARREC Vincent
Modified: 2018-08-20 21:32 UTC

Attachments
infinity-loop-recursion.pdf (5.16 KB, application/pdf)
2016-05-25 18:22 UTC, LE GARREC Vincent

Description LE GARREC Vincent 2016-05-25 18:21:01 UTC
Dear,
Now that all crashes found by afl are solved (thanks :)), there are lots of PDFs that run into an infinite (?) loop.

The infinite loop comes after the recursion of Parser::makeStream reaches the number 500.

output:
…
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
…

gdb output:
#0  0x00007ffff7a1f930 in __afl_maybe_log () from /home/legarrec/info/programmation/tmp/poppler-0.44.0/poppler/.libs/libpoppler.so.61
#1  0x00007ffff7a16162 in GooString::append (this=0x74d980, c=108 'l') at GooString.cc:275
#2  0x000000000000006c in ?? ()
#3  0x0000000000000002 in ?? ()
#4  0x000000000074d980 in ?? ()
#5  0x000000000074d980 in ?? ()
#6  0x00007ffffffbcce0 in ?? ()
#7  0x00007ffff7a15e2e in memcpy (__len=7, __src=0x7ffff7da9e20 <vtable for FileStream+16>, __dest=<optimized out>) at /usr/include/bits/string3.h:53
#8  GooString::append (this=0x1e2, this@entry=0x74d980, str=0x7ffff7da9e20 <vtable for FileStream+16> "\300\207\214\367\377\177", str@entry=0x7ffffffbcb7c "i", lengthA=7, lengthA@entry=1) at GooString.cc:288
#9  0x00007ffff7a16190 in GooString::append (this=this@entry=0x74d980, c=105 'i') at GooString.cc:276
#10 0x00007ffff76f4967 in error (category=category@entry=errSyntaxError, pos=482, msg=msg@entry=0x7ffff7b2fd98 "Bad 'Filter' attribute in stream") at Error.cc:80
#11 0x00007ffff78e9f69 in Stream::addFilters (this=this@entry=0x74e1e0, dict=dict@entry=0x7ffffffbcf80, recursion=recursion@entry=499) at Stream.cc:207
#12 0x00007ffff789dbbe in Parser::makeStream (this=this@entry=0x74df10, dict=dict@entry=0x7ffffffbcf80, fileKey=fileKey@entry=0x0, encAlgorithm=encAlgorithm@entry=(cryptAES256 | unknown: 774974788), keyLength=keyLength@entry=-1020982732, objNum=objNum@entry=6, objGen=0, recursion=499, strict=false) at Parser.cc:277
#13 0x00007ffff789e8cc in Parser::getObj (this=this@entry=0x74df10, obj=obj@entry=0x7ffffffbcf80, simpleOnly=simpleOnly@entry=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=keyLength@entry=-1020982732, objNum=6, objGen=0, recursion=498, strict=false) at Parser.cc:131
#14 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>, gen=<optimized out>, obj=0x7ffffffbcf80, obj@entry=0x6, recursion=recursion@entry=498) at XRef.cc:1210
#15 0x00007ffff7887344 in Object::fetch (this=<optimized out>, xref=<optimized out>, obj=obj@entry=0x6, recursion=recursion@entry=498) at Object.cc:122
#16 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>, key=key@entry=0x7ffff7b2ff67 "F", obj=0x6, obj@entry=0x7ffffffbcf80, recursion=recursion@entry=498) at Dict.cc:261
#17 0x00007ffff78ea34d in Object::dictLookup (this=0x7ffffffbd250, this=0x7ffffffbd250, recursion=498, obj=0x7ffffffbcf80, key=0x7ffff7b2ff67 "F") at Object.h:330
#18 Stream::addFilters (this=this@entry=0x74da30, dict=dict@entry=0x7ffffffbd250, recursion=recursion@entry=498) at Stream.cc:181
#19 0x00007ffff789dbbe in Parser::makeStream (this=this@entry=0x74d700, dict=dict@entry=0x7ffffffbd250, fileKey=fileKey@entry=0x0, encAlgorithm=encAlgorithm@entry=(cryptAES256 | unknown: 774974788), keyLength=keyLength@entry=-1020982732, objNum=objNum@entry=6, objGen=0, recursion=498, strict=false) at Parser.cc:277
#20 0x00007ffff789e8cc in Parser::getObj (this=this@entry=0x74d700, obj=obj@entry=0x7ffffffbd250, simpleOnly=simpleOnly@entry=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=keyLength@entry=-1020982732, objNum=6, objGen=0, recursion=497, strict=false) at Parser.cc:131
#21 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>, gen=<optimized out>, obj=0x7ffffffbd250, obj@entry=0x6, recursion=recursion@entry=497) at XRef.cc:1210
#22 0x00007ffff7887344 in Object::fetch (this=<optimized out>, xref=<optimized out>, obj=obj@entry=0x6, recursion=recursion@entry=497) at Object.cc:122
#23 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>, key=key@entry=0x7ffff7b15f2d "Length", obj=0x6, obj@entry=0x7ffffffbd250, recursion=recursion@entry=497) at Dict.cc:261
#24 0x00007ffff789d427 in Object::dictLookup (key=0x7ffff7b15f2d "Length", this=0x7ffffffbd450, this=0x7ffffffbd450, recursion=497, obj=0x7ffffffbd250) at Object.h:330
Comment 1 LE GARREC Vincent 2016-05-25 18:22:25 UTC
Created attachment 124088
infinity-loop-recursion.pdf
Comment 2 Albert Astals Cid 2016-05-25 22:38:06 UTC
It's not really infinite; it will eventually finish, even though it may take days. This is a problem with the recursion protection: in this very simple case it fails.

May need to rethink it if I have time in the future.
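
An added example, not poppler code and not part of the original report: a simplified model of why a depth limit alone bounds the recursion depth but not the total work, so the parse terminates only after an exponential number of fetches. It assumes object 6 refers back to itself through two dictionary keys (the backtrace shows both a "Length" and an "F" lookup re-fetching objNum=6); the function names and the in-progress set are hypothetical, shown as one possible guard.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Toy model (hypothetical, not poppler's data structures): object number ->
// object numbers that its dictionary values refer to indirectly.
using ObjTable = std::map<int, std::vector<int>>;

// Depth-only protection: give up once `depth` exceeds `limit`.
// Returns the number of object fetches performed.
uint64_t fetchDepthOnly(const ObjTable& t, int num, int depth, int limit) {
    if (depth > limit) return 0;               // recursion limit hit, stop here
    uint64_t fetches = 1;
    auto it = t.find(num);
    if (it == t.end()) return fetches;
    for (int ref : it->second)                 // every reference is resolved again
        fetches += fetchDepthOnly(t, ref, depth + 1, limit);
    return fetches;
}

// Depth limit plus a set of objects currently being resolved: a reference
// back into that set is rejected once instead of being followed.
uint64_t fetchGuarded(const ObjTable& t, int num, int depth, int limit,
                      std::set<int>& inProgress) {
    if (depth > limit) return 0;
    if (!inProgress.insert(num).second) return 0;  // cycle: num is already open
    uint64_t fetches = 1;
    auto it = t.find(num);
    if (it != t.end())
        for (int ref : it->second)
            fetches += fetchGuarded(t, ref, depth + 1, limit, inProgress);
    inProgress.erase(num);
    return fetches;
}

// Constructed sample: object 6 refers to itself through two keys.
ObjTable selfReferencingStream() { return {{6, {6, 6}}}; }

uint64_t guardedFetches(int limit) {
    std::set<int> inProgress;
    return fetchGuarded(selfReferencingStream(), 6, 0, limit, inProgress);
}

int main() {
    // Limit 20 keeps the demo fast; each extra level doubles the work.
    std::printf("depth-only, limit 20: %llu fetches\n",
        (unsigned long long)fetchDepthOnly(selfReferencingStream(), 6, 0, 20));
    std::printf("guarded, limit 500: %llu fetches\n",
        (unsigned long long)guardedFetches(500));
}
```

With two self-references the depth-only count is 2^(limit+1) - 1, which is why a limit of 500 still finishes in principle but not in practical time.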
Comment 3 GitLab Migration User 2018-08-20 21:32:50 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/2.

