[ https://issues.apache.org/jira/browse/PDFBOX-5610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727394#comment-17727394 ]

Henry Lin commented on PDFBOX-5610:
-----------------------------------

Thank you for your confirmation! [~tilman] 

Thank you for your feedback! Depending on the application it is really hard to 
recover from StackOverflowError. It is not like an exception and in general it 
is not recommended to be caught. [~mkl] 

> Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)
> --------------------------------------------------------------
>
>                 Key: PDFBOX-5610
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5610
>             Project: PDFBox
>          Issue Type: Bug
>            Reporter: Henry Lin
>            Priority: Major
>         Attachments: crashing_input
>
>
> Dear PDFBox maintainers,
>  
> Fuzzing has found a security related issue in 
> [OSS-Fuzz|https://github.com/google/oss-fuzz] with JVM Fuzzer 
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] in PDFBox. We have 
> reviewed the finding and regarded it as security-related due to the potential 
> of a denial of service. We would appreciate it if you could take a look at 
> the finding. Do you see a risk that this might be exploited by untrusted 
> input?
>  
> Part of the stack trace:
> == Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> Caused by: java.lang.StackOverflowError
> at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
> at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> ...
>  
> We have added a reproducer zip which contains a README that describes how to 
> reproduce the issue.
> Reproducer Zip: 
> [https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link]
>  
> Fuzz target: 
> [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java]
> OSS-Fuzz issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353]
> Hint: The provided OSS-Fuzz Issue link is only accessible if the issue is 
> fixed or you are the maintainer of the OSS-Fuzz project.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
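The trace quoted above shows the classic shape of a parser stack-exhaustion bug: parseCOSDictionary calls parseCOSDictionaryNameValuePair, which calls parseCOSDictionaryValue, which calls parseCOSDictionary again for a nested `<< ... >>`, with nothing bounding how deep that cycle can go, so a file with enough nested dictionaries drives the thread off the end of its stack. The example below is an added illustration, not PDFBox code and not the fix the project applied: a toy Python parser for COS-style dictionaries (`<< /Key value ... >>`, values may be names, bare scalars or nested dictionaries) with the same mutual recursion, once unguarded and once with a maximum nesting depth. The names `parse`, `DictParser`, `ParseError`, `nested_input` and `outcome` are invented for the example, the hostile input is constructed inline, and Python's RecursionError stands in for the JVM's StackOverflowError.

```python
"""Toy COS-style dictionary parser with an optional nesting-depth guard.

Added example, not PDFBox code. Input grammar (deliberately minimal):
  dict  := '<<' (name value)* '>>'
  value := dict | name | scalar
  name  := '/' followed by non-delimiter characters
  scalar:= any other run of non-delimiter characters
"""
import re

# Recognises '<<', '>>', names (/Foo) and bare scalars (612, true, obj ...).
TOKEN_RE = re.compile(r"<<|>>|/[^\s<>/\[\]()]*|[^\s<>/\[\]()]+")


class ParseError(ValueError):
    """Controlled failure for malformed or over-nested input."""


def tokenize(text):
    return TOKEN_RE.findall(text)


class DictParser:
    def __init__(self, tokens, max_depth=None):
        self.tokens = tokens
        self.pos = 0
        self.max_depth = max_depth  # None: unguarded, like the trace above

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ParseError("unexpected end of input")
        self.pos += 1
        return tok

    def parse_value(self, depth):
        # Mirrors parseCOSDictionaryValue: a '<<' recurses into parse_dict.
        tok = self.take()
        if tok == "<<":
            return self.parse_dict(depth + 1)
        if tok == ">>":
            raise ParseError("unexpected '>>' where a value was expected")
        return tok  # name or scalar, returned verbatim

    def parse_dict(self, depth):
        # The guard: reject before recursing any further.
        if self.max_depth is not None and depth > self.max_depth:
            raise ParseError(f"nesting depth {depth} exceeds limit {self.max_depth}")
        result = {}
        while True:
            tok = self.peek()
            if tok is None:
                raise ParseError("unterminated dictionary")
            if tok == ">>":
                self.take()
                return result
            key = self.take()
            if not key.startswith("/"):
                raise ParseError(f"dictionary key must be a name, got {key!r}")
            result[key] = self.parse_value(depth)


def parse(text, max_depth=None):
    """Parse one top-level dictionary; max_depth=None disables the guard."""
    p = DictParser(tokenize(text), max_depth)
    if p.take() != "<<":
        raise ParseError("expected '<<'")
    result = p.parse_dict(1)
    if p.peek() is not None:
        raise ParseError("trailing tokens after dictionary")
    return result


def nested_input(levels):
    """Constructed hostile input: `levels` dictionaries nested under /A."""
    return "<< /A " * levels + "<< >>" + " >>" * levels


def outcome(text, max_depth=None):
    """How the parser handled `text`: 'ok', 'rejected' (ParseError) or
    'stack-exhausted' (RecursionError, the Python analogue of StackOverflowError)."""
    try:
        parse(text, max_depth)
        return "ok"
    except ParseError:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"


if __name__ == "__main__":
    # Constructed benign sample in the same grammar.
    sample = "<< /Type /Page /Resources << /Font << /F1 /Helvetica >> >> >>"
    print(parse(sample))
    print("unguarded, 5000 levels:", outcome(nested_input(5000)))
    print("guarded (64), 5000 levels:", outcome(nested_input(5000), max_depth=64))
    print("guarded (64), 10 levels:", outcome(nested_input(10), max_depth=64))
```

The guarded parser turns the same hostile input into a ParseError that the caller can catch and report, which is the practical difference: a StackOverflowError unwinds through whatever frames happened to be on the stack (including a logging call, as in the trace above) and leaves the JVM in a state that ordinary exception handling is not designed to recover from, whereas a depth limit fails early, cheaply and at a point the parser chose.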