Bug 1539237
| Summary: | Excessive Iteration in PdfParser::ReadObjectsInternal function (src/base/PdfParser.cpp) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | probefuzzer <probefuzzer> | ||||
| Component: | podofo | Assignee: | Dan HorĂ¡k <dan> | ||||
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | epel7 | CC: | dan, manisandro | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | Type: | Bug | |||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1386767 [details] poc for podofo excessive iteration issue On latest release version (0.9.5) and master branch of podofo: There is an Excessive Iteration in PdfParser::ReadObjectsInternal function of file, which could be triggered by the POC below. The issue happens since in PdfParser::ReadObjectsInternal function, there is a while loop (line 1053), whose iteration times could be manipulated by the input file. The POC file, which is only 98 bytes in size, could make the "m_nNumObjects" variable a huge value (i.e., 2100000041). It takes tens of minutes for podofo to handle this tiny POC file. 1046 void PdfParser::ReadObjectsInternal() 1047 { 1048 int i = 0; 1049 int nLast = 0; 1050 PdfParserObject* pObject = NULL; 1051 1052 // Read objects 1053 for( i=0; i < m_nNumObjects; i++ ) 1054 { ... } To trigger the issue, run: podofoimgextract $POC OUTPUT The backtrace is: (gdb) bt #0 0x000000000058a148 in std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>::operator+= (this=0x7fffffffcd40, __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_deque.h:216 #1 0x0000000000589bf9 in std::__advance<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=..., __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:156 #2 0x0000000000583c1f in std::advance<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=..., __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:177 #3 0x000000000057c88d in std::__equal_range<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference, __gnu_cxx::__ops::_Iter_comp_val<PoDoFo::ReferenceComparatorPredicate>, __gnu_cxx::__ops::_Val_comp_iter<PoDoFo::ReferenceComparatorPredicate> > (__first=..., __last=..., __val=..., __comp_it_val=..., __comp_val_it=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2140 #4 0x0000000000578346 in std::equal_range<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference, PoDoFo::ReferenceComparatorPredicate> (__first=..., __last=..., __val=..., __comp=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2237 #5 0x000000000056bef7 in PoDoFo::PdfVecObjects::AddFreeObject (this=0x7fffffffd890, rReference=...) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfVecObjects.cpp:256 #6 0x00000000007c7913 in PoDoFo::PdfParser::ReadObjectsInternal (this=0x61700000fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1156 #7 0x00000000007c395f in PoDoFo::PdfParser::ReadObjects (this=0x61700000fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1043 #8 0x00000000007a842c in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, rDevice=..., bLoadOnDemand=true) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:220 #9 0x00000000007a7a23 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, pszFilename=0x7fffffffe12a "6.pdf", bLoadOnDemand=true) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:166 #10 0x0000000000645a00 in PoDoFo::PdfMemDocument::Load (this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf", bForUpdate=false) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:256 #11 0x000000000063f545 in PoDoFo::PdfMemDocument::PdfMemDocument (this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf", bForUpdate=false) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:102 #12 0x00000000004bd761 in ImageExtractor::Init (this=0x7fffffffdaa0, pszInput=0x7fffffffe12a "6.pdf", pszOutput=0x7fffffffe130 "/tmp/", pnNum=0x7fffffffda60) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/ImageExtractor.cpp:51 #13 0x00000000004c5f5f in main (argc=3, argv=0x7fffffffddf8) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/podofoimgextract.cpp:54