Hi all,

I'm using Podofo to analyze a PDF file, but it isn't able to decode one stream that contains some JS code. I've attached the sample in question. Just be aware that the sample is a MALICIOUS PDF and it's encrypted with the password 'infected00'.

The problem arises when decoding stream 4, which has a chained filter encoding of type:

/ASCIIHexDecode/LZWDecode/ASCII85Decode/RunLengthDecode/FlateDecode

At first, I noticed that the decoding was failing when passing from the second filter decoding to the third one. The second filter was returning empty decoded data, which was then propagated as an empty stream.

I've noticed that when decoding a filtered stream in podofo we do it on most filters byte by byte, so I changed that to decode the whole data at once, storing it in a temporary buffer and returning the whole decoded data when finishing decoding (PdfFilter::EndDecode()). This made it possible to have data being passed correctly between the filters, but I then found an issue in the RunLengthDecode filter, which is having issues when decoding and is returning invalid data. Until now I don't have a fix for that, so I thought it would be a good idea to ask the list some questions:

Is there a reason why podofo decodes data byte by byte?
Has anybody faced this issue before and already have a fix for it?
Has anybody had this issue with RunLengthDecode?

Best Regards,
Dario
malicious_pdf.7z
Description: application/7z-compressed
_______________________________________________ Podofo-users mailing list Podofo-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/podofo-users
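Added example, not part of the original post and not PoDoFo's code: a RunLengthDecode decoder written as a state machine, which produces the same output whether it is fed one byte at a time or the whole buffer, and which reports input that stops in the middle of a run. The class name, helper functions and sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Incremental RunLengthDecode (ISO 32000-1, 7.4.5). All state lives in the
// object, so the output is the same however the caller chunks the input.
class RunLengthDecoder {
public:
    // Consume one chunk of encoded bytes and append decoded bytes to out.
    void feed(const std::string& in, std::string& out) {
        for (unsigned char c : in) {
            switch (state_) {
            case Length:
                if (c == 128) state_ = Done;                  // EOD marker
                else if (c < 128) { remaining_ = c + 1u; state_ = Literal; }
                else { remaining_ = 257u - c; state_ = Repeat; }
                break;
            case Literal:                     // copy the next remaining_ bytes
                out.push_back(static_cast<char>(c));
                if (--remaining_ == 0) state_ = Length;
                break;
            case Repeat:                      // emit this byte remaining_ times
                out.append(remaining_, static_cast<char>(c));
                state_ = Length;
                break;
            case Done:                        // ignore anything after EOD
                return;
            }
        }
    }
    // True if input stopped in the middle of a run (truncated or corrupt data).
    bool truncated() const { return state_ == Literal || state_ == Repeat; }
private:
    enum State { Length, Literal, Repeat, Done };
    State state_ = Length;
    std::size_t remaining_ = 0;
};

// Decode enc feeding `chunk` bytes per call (chunk > 0; 1 = byte by byte).
std::string decode_chunked(const std::string& enc, std::size_t chunk, bool* trunc = nullptr) {
    RunLengthDecoder d;
    std::string out;
    for (std::size_t i = 0; i < enc.size(); i += chunk) d.feed(enc.substr(i, chunk), out);
    if (trunc) *trunc = d.truncated();
    return out;
}

// Constructed sample: literal "abc", run of four 'x', literal "!", EOD.
std::string sample() { return std::string("\x02" "abc" "\xFD" "x" "\x00" "!" "\x80", 9); }

int main() { std::cout << decode_chunked(sample(), 1) << "\n"; }
```

Comparing the output for a chunk size of 1 against the whole-buffer result on a failing stream is a quick way to tell whether a bad decode comes from the filter itself or from how data is handed between chained filters.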