On the latest release version (0.9.5) and the master branch of podofo:
There is an excessive-iteration issue in the PdfParser::ReadObjectsInternal
function of PdfParser.cpp, which can be triggered by the POC below.
The issue occurs because PdfParser::ReadObjectsInternal contains a
for loop (line 1053) whose iteration count can be manipulated by the
input file. The POC file, which is only 98 bytes in size, can set the
"m_nNumObjects" variable to a huge value (i.e., 2100000041). It takes
tens of minutes for podofo to handle this tiny POC file. Because the
loop bound comes from the file and not from what a file of that size
can actually contain, this is a CPU-exhaustion denial of service for
anything that parses untrusted PDFs with podofo.
1046 void PdfParser::ReadObjectsInternal()
1047 {
1048 int i = 0;
1049 int nLast = 0;
1050 PdfParserObject* pObject = NULL;
1051
1052 // Read objects
1053 for( i=0; i < m_nNumObjects; i++ )
1054 {
...
}
To trigger the issue, run: podofoimgextract $POC OUTPUT
The POC file can be downloaded from:
https://bugzilla.redhat.com/show_bug.cgi?id=1539237
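The backtrace is below. It shows the process inside PdfVecObjects::AddFreeObject, called from ReadObjectsInternal at PdfParser.cpp:1156: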
(gdb) bt
#0 0x000000000058a148 in std::_Deque_iterator<PoDoFo::PdfReference,
PoDoFo::PdfReference&, PoDoFo::PdfReference*>::operator+=
(this=0x7fffffffcd40, __n=449699)
at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_deque.h:216
#1 0x0000000000589bf9 in
std::__advance<std::_Deque_iterator<PoDoFo::PdfReference,
PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=...,
__n=449699)
at
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:156
#2 0x0000000000583c1f in
std::advance<std::_Deque_iterator<PoDoFo::PdfReference,
PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=...,
__n=449699)
at
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:177
#3 0x000000000057c88d in
std::__equal_range<std::_Deque_iterator<PoDoFo::PdfReference,
PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference,
__gnu_cxx::__ops::_Iter_comp_val<PoDoFo::ReferenceComparatorPredicate>,
__gnu_cxx::__ops::_Val_comp_iter<PoDoFo::ReferenceComparatorPredicate>
> (__first=..., __last=..., __val=...,
__comp_it_val=..., __comp_val_it=...) at
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2140
#4 0x0000000000578346 in
std::equal_range<std::_Deque_iterator<PoDoFo::PdfReference,
PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference,
PoDoFo::ReferenceComparatorPredicate> (__first=..., __last=...,
__val=..., __comp=...) at
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2237
#5 0x000000000056bef7 in PoDoFo::PdfVecObjects::AddFreeObject
(this=0x7fffffffd890, rReference=...)
at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfVecObjects.cpp:256
#6 0x00000000007c7913 in PoDoFo::PdfParser::ReadObjectsInternal
(this=0x61700000fc80) at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1156
#7 0x00000000007c395f in PoDoFo::PdfParser::ReadObjects
(this=0x61700000fc80) at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1043
#8 0x00000000007a842c in PoDoFo::PdfParser::ParseFile
(this=0x61700000fc80, rDevice=..., bLoadOnDemand=true)
at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:220
#9 0x00000000007a7a23 in PoDoFo::PdfParser::ParseFile
(this=0x61700000fc80, pszFilename=0x7fffffffe12a "6.pdf",
bLoadOnDemand=true)
at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:166
#10 0x0000000000645a00 in PoDoFo::PdfMemDocument::Load
(this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf",
bForUpdate=false)
at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:256
#11 0x000000000063f545 in PoDoFo::PdfMemDocument::PdfMemDocument
(this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf",
bForUpdate=false)
at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:102
#12 0x00000000004bd761 in ImageExtractor::Init (this=0x7fffffffdaa0,
pszInput=0x7fffffffe12a "6.pdf", pszOutput=0x7fffffffe130 "/tmp/",
pnNum=0x7fffffffda60)
at
/u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/ImageExtractor.cpp:51
#13 0x00000000004c5f5f in main (argc=3, argv=0x7fffffffddf8) at
/u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/podofoimgextract.cpp:54