Bug 1539237 - Excessive Iteration in PdfParser::ReadObjectsInternal function (src/base/PdfParser.cpp)
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-27 02:54 UTC by probefuzzer
Modified: 2018-01-27 02:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
poc for podofo excessive iteration issue (98 bytes, application/pdf)
2018-01-27 02:54 UTC, probefuzzer

Description probefuzzer 2018-01-27 02:54:33 UTC
Created attachment 1386767 [details]
poc for podofo excessive iteration issue

On latest release version (0.9.5) and master branch of podofo:
There is an excessive iteration in the PdfParser::ReadObjectsInternal function in the file src/base/PdfParser.cpp, which could be triggered by the POC below.

The issue happens because in the PdfParser::ReadObjectsInternal function there is a while loop (line 1053) whose iteration count can be manipulated by the input file. The POC file, which is only 98 bytes in size, can make the "m_nNumObjects" variable a huge value (i.e., 2100000041). It takes tens of minutes for podofo to handle this tiny POC file.


   1046 void PdfParser::ReadObjectsInternal() 
   1047 {
   1048     int              i            = 0;
   1049     int              nLast        = 0;
   1050     PdfParserObject* pObject      = NULL;
   1051 
   1052     // Read objects
   1053     for( i=0; i < m_nNumObjects; i++ )
   1054     {
            ...
            }

To trigger the issue, run: podofoimgextract $POC OUTPUT

The backtrace is:
(gdb) bt
#0  0x000000000058a148 in std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>::operator+= (this=0x7fffffffcd40, __n=449699)
    at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_deque.h:216
#1  0x0000000000589bf9 in std::__advance<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=..., __n=449699)
    at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:156
#2  0x0000000000583c1f in std::advance<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, long> (__i=..., __n=449699)
    at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:177
#3  0x000000000057c88d in std::__equal_range<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference, __gnu_cxx::__ops::_Iter_comp_val<PoDoFo::ReferenceComparatorPredicate>, __gnu_cxx::__ops::_Val_comp_iter<PoDoFo::ReferenceComparatorPredicate> > (__first=..., __last=..., __val=..., 
    __comp_it_val=..., __comp_val_it=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2140
#4  0x0000000000578346 in std::equal_range<std::_Deque_iterator<PoDoFo::PdfReference, PoDoFo::PdfReference&, PoDoFo::PdfReference*>, PoDoFo::PdfReference, PoDoFo::ReferenceComparatorPredicate> (__first=..., __last=..., __val=..., __comp=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2237
#5  0x000000000056bef7 in PoDoFo::PdfVecObjects::AddFreeObject (this=0x7fffffffd890, rReference=...)
    at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfVecObjects.cpp:256
#6  0x00000000007c7913 in PoDoFo::PdfParser::ReadObjectsInternal (this=0x61700000fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1156
#7  0x00000000007c395f in PoDoFo::PdfParser::ReadObjects (this=0x61700000fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1043
#8  0x00000000007a842c in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, rDevice=..., bLoadOnDemand=true)
    at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:220
#9  0x00000000007a7a23 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, pszFilename=0x7fffffffe12a "6.pdf", bLoadOnDemand=true)
    at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:166
#10 0x0000000000645a00 in PoDoFo::PdfMemDocument::Load (this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf", bForUpdate=false)
    at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:256
#11 0x000000000063f545 in PoDoFo::PdfMemDocument::PdfMemDocument (this=0x7fffffffd810, pszFilename=0x7fffffffe12a "6.pdf", bForUpdate=false)
    at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:102
#12 0x00000000004bd761 in ImageExtractor::Init (this=0x7fffffffdaa0, pszInput=0x7fffffffe12a "6.pdf", pszOutput=0x7fffffffe130 "/tmp/", pnNum=0x7fffffffda60)
    at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/ImageExtractor.cpp:51
#13 0x00000000004c5f5f in main (argc=3, argv=0x7fffffffddf8) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/podofoimgextract.cpp:54
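The root cause described above is an attacker-controlled trailer /Size value flowing unchecked into m_nNumObjects and then into the loop bound. Below is a plausibility check of the kind a parser can apply before trusting that count, added here as an illustrative example; it is not PoDoFo's own code or fix, and the function and constant names (ReadTrailerSize, PlausibleObjectCount, kMinBytesPerObject, kMaxObjectCount) are hypothetical. The sample trailer strings are constructed to mirror the 98-byte PoC claiming 2100000041 objects.

```cpp
#include <cctype>
#include <climits>
#include <string>

// Smallest serialized indirect object, "1 0 obj endobj", is 14 bytes, so a file
// of N bytes cannot hold more than about N/14 real objects (hypothetical constant).
static const long long kMinBytesPerObject = 14;
// Absolute ceiling as a second guard, independent of file length (hypothetical).
static const long long kMaxObjectCount = 1LL << 23;

// Parse the integer that follows "/Size" in a trailer dictionary.
// Returns -1 if the key is missing, non-numeric, or would overflow.
long long ReadTrailerSize(const std::string& trailer) {
    std::string::size_type pos = trailer.find("/Size");
    if (pos == std::string::npos) return -1;
    pos += 5;
    while (pos < trailer.size() && std::isspace((unsigned char)trailer[pos])) ++pos;
    if (pos >= trailer.size() || !std::isdigit((unsigned char)trailer[pos])) return -1;
    long long value = 0;
    while (pos < trailer.size() && std::isdigit((unsigned char)trailer[pos])) {
        int d = trailer[pos] - '0';
        if (value > (LLONG_MAX - d) / 10) return -1;  // overflow guard
        value = value * 10 + d;
        ++pos;
    }
    return value;
}

// True only if nNumObjects could physically fit in a file of nFileLength bytes.
// The +1 allows for object 0, the free-list head, which occupies no bytes.
bool PlausibleObjectCount(long long nNumObjects, long long nFileLength) {
    if (nNumObjects < 0 || nFileLength < 0) return false;
    if (nNumObjects > kMaxObjectCount) return false;
    return nNumObjects <= nFileLength / kMinBytesPerObject + 1;
}

// Combined gate: only when this returns true should a loop be allowed to run
// /Size times (the role m_nNumObjects plays in ReadObjectsInternal).
bool TrailerSizeIsSafe(const std::string& trailer, long long nFileLength) {
    long long n = ReadTrailerSize(trailer);
    return n >= 0 && PlausibleObjectCount(n, nFileLength);
}
```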

