[ https://issues.apache.org/jira/browse/PDFBOX-5610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tilman Hausherr updated PDFBOX-5610:
------------------------------------
    Attachment: crashing_input

> Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)
> --------------------------------------------------------------
>
>                 Key: PDFBOX-5610
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5610
>             Project: PDFBox
>          Issue Type: Bug
>            Reporter: Henry Lin
>            Priority: Major
>         Attachments: crashing_input
>
> Dear PDFBox maintainers,
>
> Fuzzing has found a security-related issue in
> [OSS-Fuzz|https://github.com/google/oss-fuzz] with the JVM fuzzer
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] in PDFBox. We have
> reviewed the finding and regarded it as security-related due to the potential
> of a denial of service. We would appreciate it if you could take a look at
> the finding. Do you see a risk that this might be exploited by untrusted
> input?
>
> Part of the stack trace:
> == Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> Caused by: java.lang.StackOverflowError
>     at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
>     at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
>     at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
>     ...
>
> We have added a reproducer zip which contains a README that describes how to
> reproduce the issue.
> Reproducer Zip:
> [https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link]
>
> Fuzz target:
> [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java]
> OSS-Fuzz issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353]
> Hint: The provided OSS-Fuzz issue link is only accessible if the issue is
> fixed or you are the maintainer of the OSS-Fuzz project.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
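The stack trace above shows a mutually recursive descent (dictionary -> name/value pair -> value -> direct object -> dictionary) that has no bound on nesting depth, so a file with enough nested dictionaries exhausts the thread stack. The following is an added illustration written for this page; it is not PDFBox code and not the fix applied to this issue. It parses a PDF-style subset (`<< /Key value >>` dictionaries and `[ ... ]` arrays) with the same recursive shape, and shows how an explicit depth cap (the `MAX_DEPTH` value of 64 is an assumed figure) turns the uncontrolled stack overflow into a deterministic parse error. The sample inputs are constructed for the example.

```python
import re

# Assumed cap on nesting depth; pick a value above what legitimate documents need.
MAX_DEPTH = 64

# Tokens: dictionary delimiters, array delimiters, names (/Foo) and bare scalars.
TOKEN_RE = re.compile(r'<<|>>|\[|\]|/[^\s/<>\[\]]*|[^\s<>\[\]/]+')

# Constructed sample inputs (not taken from the crashing_input attachment).
SAMPLE = '<< /Type /Page /Kids [ 1 2 << /Inner [ 3 ] >> ] >>'
MODERATE_INPUT = '<< /A ' * 30 + '0' + ' >>' * 30      # 30 nested dictionaries
DEEP_INPUT = '<< /A ' * 5000 + '0' + ' >>' * 5000      # 5000 nested dictionaries


class NestingTooDeep(ValueError):
    """Raised when input nests deeper than the configured cap."""


def tokenize(text):
    return TOKEN_RE.findall(text)


class Parser:
    def __init__(self, tokens, max_depth=MAX_DEPTH):
        self.tokens = tokens
        self.pos = 0
        self.max_depth = max_depth  # None means unbounded (the reported failure mode)

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def next(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of input")
        self.pos += 1
        return tok

    def enter(self, depth):
        # The single check that bounds recursion: every container costs one level.
        if self.max_depth is not None and depth >= self.max_depth:
            raise NestingTooDeep(f"nesting depth exceeds {self.max_depth}")
        return depth + 1

    def parse_dir_object(self, depth=0):
        tok = self.peek()
        if tok == '<<':
            return self.parse_dictionary(depth)
        if tok == '[':
            return self.parse_array(depth)
        tok = self.next()
        if tok.startswith('/'):
            return ('name', tok[1:])
        try:
            return int(tok)
        except ValueError:
            return tok  # keyword or other scalar, kept as a string

    def parse_dictionary(self, depth):
        depth = self.enter(depth)
        assert self.next() == '<<'
        result = {}
        while self.peek() != '>>':
            key = self.next()
            if not key.startswith('/'):
                raise ValueError(f"expected name key, got {key!r}")
            result[key[1:]] = self.parse_dir_object(depth)  # recursion happens here
        self.next()  # consume '>>'
        return result

    def parse_array(self, depth):
        depth = self.enter(depth)
        assert self.next() == '['
        items = []
        while self.peek() != ']':
            items.append(self.parse_dir_object(depth))
        self.next()  # consume ']'
        return items


def parse(text, max_depth=MAX_DEPTH):
    return Parser(tokenize(text), max_depth).parse_dir_object()


def probe(text, max_depth):
    """Report how parsing ends: 'ok', 'depth-limit' (clean rejection) or
    'stack-overflow' (Python's RecursionError, the analogue of StackOverflowError)."""
    try:
        parse(text, max_depth)
        return 'ok'
    except NestingTooDeep:
        return 'depth-limit'
    except RecursionError:
        return 'stack-overflow'


if __name__ == '__main__':
    print(parse(SAMPLE))
    print('moderate, capped:', probe(MODERATE_INPUT, MAX_DEPTH))
    print('deep, capped:    ', probe(DEEP_INPUT, MAX_DEPTH))
    print('deep, unbounded: ', probe(DEEP_INPUT, None))
```

With the cap in place the deeply nested input is rejected at level 64 with an ordinary exception a caller can catch and log; without it the same input runs until the interpreter's recursion limit, which is the Python counterpart of the JVM `StackOverflowError` in the report. On a JVM that error is an `Error`, not an `Exception`, so ordinary `catch (Exception e)` handlers will not see it, which is why a bounded parser is preferable to relying on the caller to recover.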