Henry Lin created PDFBOX-5610:
---------------------------------
Summary: Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)
Key: PDFBOX-5610
URL: https://issues.apache.org/jira/browse/PDFBOX-5610
Project: PDFBox
Issue Type: Bug
Reporter: Henry Lin
Dear PDFBox maintainers,
Fuzzing has found a security-related issue in
[OSS-Fuzz|https://github.com/google/oss-fuzz] with JVM Fuzzer
[Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] in PDFBox. We have
reviewed the finding and regarded it as security-related due to the potential
of a denial of service. We would appreciate it if you could take a look at the
finding. Do you see a risk that this might be exploited by untrusted input?
Part of the stack trace:
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
Caused by: java.lang.StackOverflowError
at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
...
We have added a reproducer zip which contains a README that describes how to
reproduce the issue.
Reproducer Zip:
[https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link]
Fuzz target:
[https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java]
OSS-Fuzz issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353]
Hint: The provided OSS-Fuzz Issue link is only accessible if the issue is fixed
or you are the maintainer of the OSS-Fuzz project.
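Added example, not part of the report and not PDFBox's own code: a minimal Python parser for the dictionary and array syntax that the quoted trace recurses through (parseCOSDictionary -> parseCOSDictionaryValue -> parseDirObject), with the nesting-depth cap that turns this class of unbounded recursion into a controlled parse error. MAX_NESTING, the token subset and the helper names are assumptions.

```python
import re

# Constructed example, not PDFBox code: a minimal recursive-descent parser for
# the PDF object subset the trace exercises (<< >> dictionaries, [ ] arrays,
# /Names, integers) with a depth cap, so hostile input fails with a controlled
# error instead of a StackOverflowError.
MAX_NESTING = 64  # assumed limit; real documents rarely nest more than ~10
_TOKEN = re.compile(r"<<|>>|\[|\]|/[^\s/\[\]<>]+|-?\d+")  # strings etc. omitted

class NestingTooDeep(ValueError):
    """Raised before recursion can exhaust the thread stack."""

def _at(tokens: list, pos: int) -> str:
    if pos >= len(tokens):  # truncated input is malformed, not a crash
        raise ValueError("unexpected end of input")
    return tokens[pos]

def parse_object(tokens: list, pos: int, depth: int = 0) -> tuple:
    """Parse one object at tokens[pos]; return (value, index after it).
    Each nested << or [ costs a stack frame, as in the quoted trace, so the
    depth is checked on entry, before any further recursion."""
    if depth > MAX_NESTING:
        raise NestingTooDeep(f"object nesting deeper than {MAX_NESTING}")
    tok = _at(tokens, pos)
    if tok == "<<":
        result = {}
        pos += 1
        while _at(tokens, pos) != ">>":
            key = tokens[pos]  # a /Name key, then its value
            result[key], pos = parse_object(tokens, pos + 1, depth + 1)
        return result, pos + 1
    if tok == "[":
        items = []
        pos += 1
        while _at(tokens, pos) != "]":
            value, pos = parse_object(tokens, pos, depth + 1)
            items.append(value)
        return items, pos + 1
    if tok.startswith("/"):
        return tok, pos + 1
    return int(tok), pos + 1

def classify(text: str) -> str:
    """Triage untrusted input: 'ok', 'too-deep' or 'malformed'."""
    try:
        parse_object(_TOKEN.findall(text), 0)
        return "ok"
    except NestingTooDeep:
        return "too-deep"
    except ValueError:
        return "malformed"
```

A RecursionError escaping classify() would mean the guard failed; with the check on entry it fires at 65 frames, long before the interpreter or a JVM thread stack is at risk.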
--
This message was sent by Atlassian Jira
(v8.20.10#820010)