[ 
https://issues.apache.org/jira/browse/PDFBOX-5610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727618#comment-17727618
 ] 

Michael Klink commented on PDFBOX-5610:
---------------------------------------

Catching it in {{parse}} _and discarding every result from the parsing process_ 
(by clearing caches and returning {{null}} or throwing a dedicated exception) 
may well be safe enough.

To really prevent the error from occurring, one could explicitly limit 
recursion depth (not too difficult) or switch to a non-recursive parsing 
mechanism (more difficult).

> Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)
> --------------------------------------------------------------
>
>                 Key: PDFBOX-5610
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5610
>             Project: PDFBox
>          Issue Type: Bug
>            Reporter: Henry Lin
>            Priority: Major
>         Attachments: crashing_input
>
>
> Dear PDFBox maintainers,
>  
> Fuzzing has found a security related issue in 
> [OSS-Fuzz|https://github.com/google/oss-fuzz] with JVM Fuzzer 
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] in PDFBox. We have 
> reviewed the finding and regarded it as security-related due to the potential 
> of a denial of service. We would appreciate it if you could take a look at 
> the finding. Do you see a risk that this might be exploited by untrusted 
> input?
>  
> Part of the stack trace:
> == Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: 
> Stack overflow (use '-Xss921k' to reproduce)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> Caused by: java.lang.StackOverflowError
> at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
> at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
> at 
> org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
> ...
>  
> We have added a reproducer zip which contains a README that describes how to 
> reproduce the issue.
> Reproducer Zip: 
> [https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link]
>  
> Fuzz target: 
> [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java]
> OSS-Fuzz issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353]
> Hint: The provided OSS-Fuzz Issue link is only accessible if the issue is 
> fixed or you are the maintainer of the OSS-Fuzz project.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
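The two mitigations discussed in the comment above, an explicit recursion-depth limit and a top-level catch that discards every partial result, as an added example. This is not PDFBox code and not the fix the project applied: it is a deliberately small recursive-descent parser for PDF-style nested dictionaries and arrays (`<< /K [ ... ] >>`), tokenised on whitespace only, so `1 0 R` is kept as three plain tokens. The class name, `MAX_DEPTH` value and `NestingTooDeepException` are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical depth-limited parser for nested PDF-style dictionaries/arrays (not PDFBox's own). */
public class DepthLimitedCosParser {

    /** Dedicated exception raised when the input nests deeper than the configured limit. */
    public static final class NestingTooDeepException extends RuntimeException {
        NestingTooDeepException(int depth) {
            super("nesting depth " + depth + " exceeds limit");
        }
    }

    private final String[] tokens;
    private final int maxDepth;   // Integer.MAX_VALUE means "no explicit limit"
    private int pos = 0;
    private int depth = 0;

    DepthLimitedCosParser(String input, int maxDepth) {
        this.tokens = input.trim().split("\\s+");
        this.maxDepth = maxDepth;
    }

    /** Parse one object at the current position; nested containers recurse. */
    Object parseObject() {
        String tok = tokens[pos++];
        switch (tok) {
            case "<<": return parseDictionary();
            case "[":  return parseArray();
            default:   return tok;   // names, numbers, keywords are left as plain strings
        }
    }

    // Depth is tracked per container and always released in finally, even on exceptions.
    private void enter() {
        if (++depth > maxDepth) {
            throw new NestingTooDeepException(depth);
        }
    }

    private void leave() {
        depth--;
    }

    private Map<String, Object> parseDictionary() {
        enter();
        try {
            Map<String, Object> dict = new LinkedHashMap<>();
            while (!">>".equals(tokens[pos])) {
                String key = tokens[pos++];
                dict.put(key, parseObject());
            }
            pos++;   // consume ">>"
            return dict;
        } finally {
            leave();
        }
    }

    private List<Object> parseArray() {
        enter();
        try {
            List<Object> list = new ArrayList<>();
            while (!"]".equals(tokens[pos])) {
                list.add(parseObject());
            }
            pos++;   // consume "]"
            return list;
        } finally {
            leave();
        }
    }

    /**
     * Top-level entry point. Whatever goes wrong inside the recursion, nothing parsed so far
     * is returned to the caller: the parser object (its only "cache") is dropped and null
     * is returned. Catching StackOverflowError covers the case where no depth limit is set.
     */
    public static Object parse(String input, int maxDepth) {
        DepthLimitedCosParser parser = new DepthLimitedCosParser(input, maxDepth);
        try {
            return parser.parseObject();
        } catch (NestingTooDeepException | StackOverflowError e) {
            return null;   // discard every result from the aborted parse
        } catch (ArrayIndexOutOfBoundsException e) {
            return null;   // truncated input: unterminated dictionary or array
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from the fuzzer's crashing_input attachment.
        String benign = "<< /Type /Page /Kids [ 1 0 R << /Nested true >> ] >>";
        System.out.println("benign: " + parse(benign, 64));

        // Constructed adversarial input: 10,000 nested dictionaries.
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 10_000; i++) deep.append("<< /K ");
        deep.append("1");
        for (int i = 0; i < 10_000; i++) deep.append(" >>");
        System.out.println("deep with limit 64: " + parse(deep.toString(), 64));
        System.out.println("deep with no limit: " + parse(deep.toString(), Integer.MAX_VALUE));
    }
}
```

With a limit the adversarial input is rejected at depth 65 without ever touching the thread's stack budget; with `Integer.MAX_VALUE` the outcome depends on the JVM's `-Xss` setting, which is exactly the fragility the depth limit removes. The `try`/`finally` around `enter()`/`leave()` matters: if an exception unwinds through the recursion without decrementing `depth`, a reused parser instance would carry a stale count into the next document.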
