[https://issues.apache.org/jira/browse/PDFBOX-5610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17726934#comment-17726934]
Michael Klink commented on PDFBOX-5610:
---------------------------------------
As long as PDFBox parsing is implemented by recursion with unlimited depth, it
will remain possible to throw PDFs at it that will cause stack overflows.
The simplest option would be to catch stack overflows in {{parse}}.
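The failure mode and the two mitigations discussed here, as an added example that is not PDFBox code: a minimal recursive-descent parser for PDF-style direct objects (dictionaries, arrays, names and integers only, a simplified grammar assumed for illustration) whose call chain mirrors the one in the stack trace (parse_object -> parse_dict -> parse_object ...). It enforces an explicit nesting-depth limit while descending, and its top-level parse() additionally catches Python's RecursionError, the analogue of catching StackOverflowError in PDFBox's parse(). The limit value, class and function names, and the nested_dict() attacker input are all assumptions made up for this example.

```python
"""Added example (not PDFBox code): bounded-depth parsing of nested
PDF-style dictionaries, imitating the recursion seen in PDFBOX-5610."""

import re


class ParseError(ValueError):
    """Malformed input that is rejected instead of crashing the parser."""


class NestingTooDeep(ParseError):
    """Input exceeded the configured container nesting limit."""


# Assumed limit; real PDFs rarely nest containers more than a few dozen deep.
DEFAULT_MAX_DEPTH = 64

# Token classes: delimiters, names, integers | whitespace | anything else (error).
_TOKEN_RE = re.compile(r"(<<|>>|\[|\]|/[^\s/<>\[\]()]*|-?\d+)|(\s+)|(.)")


def tokenize(text):
    """Split text into tokens; characters outside the mini-grammar are errors."""
    tokens = []
    for m in _TOKEN_RE.finditer(text):
        tok, _ws, bad = m.groups()
        if bad:
            raise ParseError(f"unexpected character {bad!r} at offset {m.start()}")
        if tok:
            tokens.append(tok)
    return tokens


class Parser:
    def __init__(self, text, max_depth=DEFAULT_MAX_DEPTH):
        self.tokens = tokenize(text)
        self.pos = 0
        self.max_depth = max_depth  # None means unlimited: the vulnerable configuration

    def _next(self):
        if self.pos >= len(self.tokens):
            raise ParseError("unexpected end of input")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def _enter(self, depth):
        """Called when opening a dictionary or array; enforces the depth limit."""
        depth += 1
        if self.max_depth is not None and depth > self.max_depth:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {self.max_depth}")
        return depth

    def parse_object(self, depth=0):
        """Analogue of parseDirObject: dispatch on the next token."""
        tok = self._next()
        if tok == "<<":
            return self.parse_dict(self._enter(depth))
        if tok == "[":
            return self.parse_array(self._enter(depth))
        if tok.startswith("/"):
            return tok
        if tok in (">>", "]"):
            raise ParseError(f"unexpected {tok}")
        return int(tok)

    def parse_dict(self, depth):
        """Analogue of parseCOSDictionary: name/value pairs until '>>'.
        Each value recurses into parse_object; an unbounded run of '<<'
        tokens is exactly what grows the call stack without a limit."""
        result = {}
        while True:
            key = self._next()
            if key == ">>":
                return result
            if not key.startswith("/"):
                raise ParseError(f"dictionary key must be a name, got {key!r}")
            result[key] = self.parse_object(depth)

    def parse_array(self, depth):
        result = []
        while True:
            if self.pos < len(self.tokens) and self.tokens[self.pos] == "]":
                self.pos += 1
                return result
            result.append(self.parse_object(depth))


def parse(text, max_depth=DEFAULT_MAX_DEPTH):
    """Top-level entry. Besides the explicit limit, converts a RecursionError
    (the interpreter's stack exhaustion) into a ParseError, the equivalent of
    catching StackOverflowError in PDFBox's parse()."""
    try:
        return Parser(text, max_depth).parse_object()
    except RecursionError:
        raise ParseError("nesting exhausted the interpreter stack") from None


def nesting_depth(obj):
    """Depth of the deepest container in a parsed object (0 for a scalar)."""
    if isinstance(obj, dict):
        return 1 + max((nesting_depth(v) for v in obj.values()), default=0)
    if isinstance(obj, list):
        return 1 + max((nesting_depth(v) for v in obj), default=0)
    return 0


def nested_dict(levels):
    """Constructed attacker input: `levels` dictionaries nested in each other."""
    return "<< /A " * levels + "1" + " >>" * levels


if __name__ == "__main__":
    print(parse("<< /Type /Page /Kids [1 2 3] /Parent << /Type /Pages >> >>"))
    for limit, levels in ((DEFAULT_MAX_DEPTH, 65), (None, 5000)):
        try:
            parse(nested_dict(levels), max_depth=limit)
        except ParseError as e:
            print(f"limit={limit} levels={levels}: {type(e).__name__}: {e}")
```

With the limit in place the 65-level input is rejected by a cheap check long before the stack is at risk; with max_depth=None the 5000-level input still fails safely only because parse() catches the overflow after the stack has already been consumed, which is why a depth limit is the stronger of the two defences and the catch is best kept as a backstop.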
> Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)
> --------------------------------------------------------------
>
> Key: PDFBOX-5610
> URL: https://issues.apache.org/jira/browse/PDFBOX-5610
> Project: PDFBox
> Issue Type: Bug
> Reporter: Henry Lin
> Priority: Major
> Attachments: crashing_input
>
>
> Dear PDFBox maintainers,
>
> Fuzzing has found a security related issue in
> [OSS-Fuzz|https://github.com/google/oss-fuzz] with JVM Fuzzer
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] in PDFBox. We have
> reviewed the finding and regarded it as security-related due to the potential
> of a denial of service. We would appreciate it if you could take a look at
> the finding. Do you see a risk that this might be exploited by untrusted
> input?
>
> Part of the stack trace:
> == Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> Caused by: java.lang.StackOverflowError
> at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
> at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> ...
>
> We have added a reproducer zip which contains a README that describes how to
> reproduce the issue.
> Reproducer Zip:
> [https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link]
>
> Fuzz target:
> [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java]
> OSS-Fuzz issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353]
> Hint: The provided OSS-Fuzz Issue link is only accessible if the issue is
> fixed or you are the maintainer of the OSS-Fuzz project.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)