Bug 1622951 - poppler: Infinite recursion in poppler/Parser.cc:Parser::getObj() function
Summary: poppler: Infinite recursion in poppler/Parser.cc:Parser::getObj() function
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-28 08:53 UTC by Krace
Modified: 2018-09-28 18:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
the poc file (48.13 KB, application/pdf)
2018-08-28 08:53 UTC, Krace
no flags Details

Description Krace 2018-08-28 08:53:26 UTC
Created attachment 1479179 [details]
the poc file

Description of problem:
In poppler 0.68.0.The Parser::getObj() function in poppler/Parser.cc may cause an inifinite recursion by a crafted poc file.A remote attacker can leaverage it to cause a dos attack.

Version-Release number of selected component (if applicable):
poppler 0.68.0

How reproducible:

just use the `pdftohtml` to reproduce
Steps to Reproduce:
1. ./pdftohtml poc.pdf
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Pedro Sampaio 2018-09-06 13:51:19 UTC
Hello Krace,

Can you share any more information on this issue?

Also, please report this upstream at:

https://gitlab.freedesktop.org/poppler/poppler/issues/new?issue

Comment 2 Krace 2018-09-18 11:33:27 UTC
(In reply to Pedro Sampaio from comment #1)
> Hello Krace,
> 
> Can you share any more information on this issue?
> 
> Also, please report this upstream at:
> 
> https://gitlab.freedesktop.org/poppler/poppler/issues/new?issue

I'm sorry to reply so late.
you can see the poc file to reproduce the problem,and I will report it to the  https://gitlab.freedesktop.org/poppler/poppler/issues/new?issue

Comment 3 Marek Kašík 2018-09-26 15:39:54 UTC
Hi,

I've prepared a patch fixing this issue. The issue is similar to the https://bugs.freedesktop.org/show_bug.cgi?id=96217 which was not fixed yet. The processing of the PDF is not infinite, it just takes a lot of time :).
The fix consists of detection of duplicated objects. See https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67 for additional info.

Comment 4 Krace 2018-09-26 23:54:36 UTC
(In reply to Marek Kašík from comment #3)
> Hi,
> 
> I've prepared a patch fixing this issue. The issue is similar to the
> https://bugs.freedesktop.org/show_bug.cgi?id=96217 which was not fixed yet.
> The processing of the PDF is not infinite, it just takes a lot of time :).
> The fix consists of detection of duplicated objects. See
> https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67 for
> additional info.

thanks for your patch,I happen to rethink the problem yesterday. :)


Note You need to log in before you can comment on or make changes to this bug.