[
https://issues.apache.org/jira/browse/PDFBOX-6038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tilman Hausherr updated PDFBOX-6038:
------------------------------------
Affects Version/s: 3.0.5 PDFBox
2.0.34
> Potential StackOverflow in PDFStreamParser
> ------------------------------------------
>
> Key: PDFBOX-6038
> URL: https://issues.apache.org/jira/browse/PDFBOX-6038
> Project: PDFBox
> Issue Type: Bug
> Components: Parsing
> Affects Versions: 2.0.34, 3.0.5 PDFBox, 4.0.0
> Reporter: David Justamante
> Priority: Minor
> Labels: patch
> Attachments: data.bin, patch.diff
>
>
> This issue is being *manually* filed by the competition organizers. We
> recognize there is a number of AI generated submissions as of late. We have
> gone through the manual process of bug/patch validation to prevent
> unnecessary "noise", respecting maintainers' time.
> This submission is being sent as part of DARPA's AIxCC competition.
> (https://aicyberchallenge.com) This issue was discovered by an autonomous
> Cyber Reasoning System (CRS) and validated by competition engineers. The
> patch was manually constructed by the competition engineers.
> BeginImage tags trigger recursion. If a stream has any number of {{BI}}
> greater than {{{}-Xss{}}}, then a StackOverflow is triggered.
> Triggering code:
> [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java#L39]
> The patch sets an arbitrary max depth. We didn't spend the time to determine
> if any recursion is allowed within an inline image.
> (AIxCC Internal: CHA-1728)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org
