Created attachment 1386767 [details]
poc for podofo excessive iteration issue

On latest release version (0.9.5) and master branch of podofo:

There is an Excessive Iteration in PdfParser::ReadObjectsInternal function of file, which could be triggered by the POC below.

The issue happens since in PdfParser::ReadObjectsInternal function, there is a while loop (line 1053), whose iteration times could be manipulated by the input file. The POC file, which is only 98 bytes in size, could make the "m_nNumObjects" variable a huge value (i.e., 2100000041). It takes tens of minutes for podofo to handle this tiny POC file.

1046 void PdfParser::ReadObjectsInternal()
1047 {
1048     int i = 0;
1049     int nLast = 0;
1050     PdfParserObject* pObject = NULL;
1051
1052     // Read objects
1053     for( i=0; i < m_nNumObjects; i++ )
1054     {
             ...
         }

To trigger the issue, run:

    podofoimgextract $POC OUTPUT

The backtrace is:

(gdb) bt
#0  0x000000000058a148 in std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>::operator+= (this=0x7fffffffcd40, __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_deque.h:216
#1  0x0000000000589bf9 in std::__advance<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=..., __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:156
#2  0x0000000000583c1f in std::advance<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=..., __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:177
#3  0x000000000057c88d in std::__equal_range<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference, __gnu_cxx::__ops::_Iter_comp_val<PoDoFo::ReferenceComparatorPredicate>, __gnu_cxx::__ops::_Val_comp_iter<PoDoFo::ReferenceComparatorPredicate> > (__first=..., __last=..., __val=..., __comp_it_val=..., __comp_val_it=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2140
#4  0x0000000000578346 in std::equal_range<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference, PoDoFo::ReferenceComparatorPredicate> (__first=..., __last=..., __val=..., __comp=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2237
#5  0x000000000056bef7 in PoDoFo::PdfVecObjects::AddFreeObject (this=0x7fffffffd890, rReference=...) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfVecObjects.cpp:256
#6  0x00000000007c7913 in PoDoFo::PdfParser::ReadObjectsInternal (this=0x61700000fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1156
#7  0x00000000007c395f in PoDoFo::PdfParser::ReadObjects (this=0x61700000fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1043
#8  0x00000000007a842c in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, rDevice=..., bLoadOnDemand=true) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:220
#9  0x00000000007a7a23 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, pszFilename=0x7fffffffe12a "6.pdf", bLoadOnDemand=true) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:166
#10 0x0000000000645a00 in PoDoFo::PdfMemDocument::Load (this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf", bForUpdate=false) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:256
#11 0x000000000063f545 in PoDoFo::PdfMemDocument::PdfMemDocument (this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf", bForUpdate=false) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:102
#12 0x00000000004bd761 in ImageExtractor::Init (this=0x7fffffffdaa0, pszInput=0x7fffffffe12a "6.pdf", pszOutput=0x7fffffffe130 "/tmp/", pnNum=0x7fffffffda60) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/ImageExtractor.cpp:51
#13 0x00000000004c5f5f in main (argc=3, argv=0x7fffffffddf8) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/podofoimgextract.cpp:54
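The root cause described in the report is that the loop bound (m_nNumObjects, taken from the trailer's /Size entry) is trusted as-is, so a 98-byte file can claim over two billion objects and keep the parser busy for tens of minutes. The following C++ is an added illustration of the defensive check a parser can apply before entering such a loop: it is not PoDoFo code and not the upstream fix. The helper names (ParseTrailerSize, MaxObjectsForFileLength, ValidatedObjectCount), the sample trailers and the 20-byte-per-entry floor are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <string>

// Assumed floor on how many bytes one classic cross-reference entry occupies
// ("oooooooooo ggggg n" plus a two-byte end-of-line). Not a PoDoFo constant.
constexpr std::size_t kMinXRefEntryBytes = 20;

// Hypothetical helper: read the non-negative integer that follows "/Size" in a
// trailer dictionary. Returns -1 when the key is missing or the value is not a
// plain decimal integer that fits comfortably in a long long.
long long ParseTrailerSize(const std::string& trailer) {
    const std::string key = "/Size";
    std::size_t pos = trailer.find(key);
    if (pos == std::string::npos) return -1;
    pos += key.size();
    while (pos < trailer.size() &&
           (trailer[pos] == ' ' || trailer[pos] == '\t' ||
            trailer[pos] == '\r' || trailer[pos] == '\n')) {
        ++pos;
    }
    const std::size_t start = pos;
    while (pos < trailer.size() && trailer[pos] >= '0' && trailer[pos] <= '9') ++pos;
    if (pos == start || pos - start > 18) return -1;   // empty, or too long for long long
    return std::strtoll(trailer.substr(start, pos - start).c_str(), nullptr, 10);
}

// Every object the trailer advertises needs at least one xref entry in the
// file, so the file length bounds how many objects can honestly be claimed.
std::size_t MaxObjectsForFileLength(std::size_t fileLength,
                                    std::size_t minEntryBytes = kMinXRefEntryBytes) {
    return fileLength / minEntryBytes;
}

// Returns the object count a parser may safely use as a loop bound, or -1 when
// the claimed /Size cannot be backed by the bytes in the file. A parser would
// refuse the document (or fall back to reconstruction) on -1 instead of
// iterating m_nNumObjects times.
long long ValidatedObjectCount(const std::string& trailer, std::size_t fileLength) {
    const long long claimed = ParseTrailerSize(trailer);
    if (claimed < 0) return -1;
    if (static_cast<unsigned long long>(claimed) > MaxObjectsForFileLength(fileLength)) {
        return -1;
    }
    return claimed;
}

// Constructed sample trailers. kHostileTrailer mirrors the report: a tiny file
// whose /Size would set m_nNumObjects to 2100000041.
const std::string kHonestTrailer  = "trailer\n<< /Size 7 /Root 1 0 R >>\nstartxref\n";
const std::string kHostileTrailer = "trailer\n<< /Size 2100000041 /Root 1 0 R >>\n";

int main() {
    // A 512-byte file claiming 7 objects is plausible (512 / 20 = 25 >= 7).
    std::cout << "honest:  " << ValidatedObjectCount(kHonestTrailer, 512) << '\n';
    // A 98-byte file claiming 2100000041 objects is rejected (98 / 20 = 4).
    std::cout << "hostile: " << ValidatedObjectCount(kHostileTrailer, 98) << '\n';
    return 0;
}
```

The floor of 20 bytes per entry only holds for classic xref tables; cross-reference streams pack entries more tightly and may be compressed, so a real parser would derive the bound from the xref section it actually parsed, and would also cap the work it performs per entry (the backtrace shows each free-object insertion searching a deque of 449699 references, which compounds the cost of the oversized loop).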
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it
will not receive any further security or bug fix updates.
As a result we are closing this bug.