David Justamante created PDFBOX-6038:
----------------------------------------

Summary: Potential StackOverflow in PDFStreamParser
Key: PDFBOX-6038
URL: https://issues.apache.org/jira/browse/PDFBOX-6038
Project: PDFBox
Issue Type: Bug
Components: Parsing
Affects Versions: 4.0.0
Reporter: David Justamante
Attachments: data.bin, patch.diff

This issue is being *manually* filed by the competition organizers. We recognize there are a number of AI generated submissions as of late. We have gone through the manual process of bug/patch validation to prevent unnecessary "noise", respecting maintainers' time.

This submission is being sent as part of DARPA's AIxCC competition. (https://aicyberchallenge.com) This issue was discovered by an autonomous Cyber Reasoning System (CRS) and validated by competition engineers. The patch was manually constructed by the competition engineers.

BeginImage tags trigger recursion. If a stream has any number of {{BI}} greater than {{-Xss}}, then a StackOverflow is triggered.

Triggering code: [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java#L39]

The patch sets an arbitrary max depth. We didn't spend the time to determine if any recursion is allowed within an inline image.

(AIxCC Internal: CHA-1728)
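Added example, not part of the original report and not PDFBox code: a simplified model of a token reader whose BI handler calls back into itself, with the kind of depth cap the report describes. The class name, the MAX_BI_DEPTH value, the token model and both sample streams are assumptions constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;

// Simplified model (assumption), not the PDFStreamParser implementation.
public class InlineImageDepthGuard {
    static final int MAX_BI_DEPTH = 16; // arbitrary cap, hypothetical value

    private final Deque<String> tokens;
    private int depth = 0;

    InlineImageDepthGuard(String content) {
        tokens = new ArrayDeque<>(Arrays.asList(content.trim().split("\\s+")));
    }

    // Returns the next token; for BI, consumes entries up to the ID marker.
    String parseNextToken() {
        String tok = tokens.poll();
        if (tok == null || !tok.equals("BI")) {
            return tok;
        }
        if (++depth > MAX_BI_DEPTH) {
            throw new IllegalStateException("BI nesting exceeds " + MAX_BI_DEPTH);
        }
        try {
            // Entries are read through this same method, so a BI token here
            // re-enters the handler: one stack frame per consecutive BI.
            String next;
            while ((next = parseNextToken()) != null && !next.equals("ID")) {
                // key/value tokens are ignored in this model
            }
            return "BI";
        } finally {
            depth--; // restore the counter on both normal and error exit
        }
    }

    static String check(String content) {
        try {
            InlineImageDepthGuard p = new InlineImageDepthGuard(content);
            while (p.parseNextToken() != null) { /* drain the stream */ }
            return "parsed";
        } catch (IllegalStateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String benign = "q BI /W 1 /H 1 ID EI Q"; // constructed sample
        String repeated = String.join(" ", Collections.nCopies(100_000, "BI")); // constructed sample
        System.out.println(check(benign));
        System.out.println(check(repeated));
    }
}
```

The cap turns unbounded stack growth into an ordinary exception the caller can catch, which matters because a StackOverflowError is an Error rather than an Exception and typical catch blocks for parse failures do not handle it.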