Bug 1607186 - podofo 0.9.6 infinite recursion in PdfOutlineItem::PdfOutlineItem in PdfOutlines.cpp
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-23 00:14 UTC by r4xis
Modified: 2018-07-23 00:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
poc file - crash.pdf (deleted)
2018-07-23 00:14 UTC, r4xis

Description r4xis 2018-07-23 00:14:59 UTC
Created attachment 1469821
poc file - crash.pdf

Description of problem:
There is a stack overflow in the PoDoFo::PdfOutlineItem::PdfOutlineItem function of PdfOutlines.cpp:82. Remote attackers can cause a denial of service (infinite recursion and application crash) via a crafted PDF file.

$ podofopdfinfo crash.pdf

Document Info
-------------
	File: crash.pdf
	PDF Version: 1.5
	Page Count: 0
	Page Size: 0 x 0 pts 

	Fast Web View Enabled: No
	Tagged: No
	Encrypted: No
	Printing Allowed: Yes
	Modification Allowed: Yes
	Copy&Paste Allowed: Yes
	Add/Modify Annotations Allowed: Yes
	Fill&Sign Allowed: Yes
	Accessibility Allowed: Yes
	Document Assembly Allowed: Yes
	High Quality Print Allowed: Yes

Classic Metadata
----------------
	Author: 
	Creator: 
	Subject: 
	Title: 
	Keywords: 
	Trapped: 

Page Info
---------
Page Count: 0
Outlines
--------
ASAN:DEADLYSIGNAL
=================================================================
==2281==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3246bff8 (pc 0x7f1f07ec8b8e bp 0x7ffc3246c8f0 sp 0x7ffc3246bff0 T0)
    #0 0x7f1f07ec8b8d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x28b8d)
    #1 0x7f1f07f7b31f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdb31f)
    #2 0x5653e910b42d in PoDoFo::PdfVariant::PdfVariant(PoDoFo::PdfDictionary const&) /root/podofo-0.9.6/src/base/PdfVariant.cpp:151
    #3 0x5653e90a0eb2 in PoDoFo::PdfObject::PdfObject(PoDoFo::PdfReference const&, char const*) /root/podofo-0.9.6/src/base/PdfObject.cpp:61
    #4 0x5653e9143173 in PoDoFo::PdfVecObjects::GetObject(PoDoFo::PdfReference const&) const /root/podofo-0.9.6/src/base/PdfVecObjects.cpp:151
    #5 0x5653e92d3e43 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #6 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #7 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #8 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #9 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #10 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #11 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #12 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #13 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #14 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #15 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #16 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #17 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #18 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #19 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #20 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
...
    #245 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #246 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #247 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #248 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #249 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82
    #250 0x5653e92d3e63 in PoDoFo::PdfOutlineItem::PdfOutlineItem(PoDoFo::PdfObject*, PoDoFo::PdfOutlineItem*, PoDoFo::PdfOutlineItem*) /root/podofo-0.9.6/src/doc/PdfOutlines.cpp:82

SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x28b8d) 
==2281==ABORTING


Version-Release number of selected component (if applicable):
podofo 0.9.6

How reproducible:


Steps to Reproduce:
1. podofopdfinfo crash.pdf
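
The trace above shows the outline item constructor re-entering itself until the stack is exhausted. As an added example (not part of the report and not PoDoFo source), the sketch below shows one defensive pattern for this class of bug: walk the outline graph with a work list and a visited set, so a reference loop is rejected instead of recursing. It assumes the recursion follows /First and /Next references; OutlineDict, ObjectTable and the sample tables are hypothetical and constructed.

```cpp
// Added illustration: simplified model of an outline walk, not PoDoFo source.
#include <cstddef>
#include <map>
#include <set>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for an outline dictionary: /First and /Next hold
// object numbers; 0 means the key is absent.
struct OutlineDict { unsigned first; unsigned next; };
using ObjectTable = std::map<unsigned, OutlineDict>;

// Walks the outline graph from `root` with an explicit work list instead of
// recursion, so depth is not bounded by the call stack, and rejects any
// object that is missing or reached twice (a loop or a shared node).
std::size_t CountOutlineItems(const ObjectTable& objects, unsigned root,
                              std::size_t maxItems = 100000) {
    std::set<unsigned> visited;
    std::vector<unsigned> pending{root};
    while (!pending.empty()) {
        unsigned id = pending.back();
        pending.pop_back();
        if (id == 0) continue;  // key absent, nothing to follow
        auto it = objects.find(id);
        if (it == objects.end())
            throw std::runtime_error("outline reference to missing object");
        if (!visited.insert(id).second)
            throw std::runtime_error("outline item referenced twice (loop)");
        if (visited.size() > maxItems)
            throw std::runtime_error("outline exceeds item limit");
        pending.push_back(it->second.next);
        pending.push_back(it->second.first);
    }
    return visited.size();
}

// Returns true when the walk is rejected rather than completing.
bool IsRejected(const ObjectTable& objects, unsigned root) {
    try { CountOutlineItems(objects, root); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Constructed sample tables (not taken from crash.pdf).
ObjectTable WellFormed() { return {{1, {2, 0}}, {2, {0, 3}}, {3, {0, 0}}}; }
ObjectTable SelfNext()   { return {{1, {2, 0}}, {2, {0, 2}}}; }
ObjectTable BackToRoot() { return {{1, {2, 0}}, {2, {3, 0}}, {3, {1, 0}}}; }
```
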

