Based on commit 3a95b4f.
To recreate:
./pdfresurrect poc
Analysis:
Using GDB, I was able to isolate and determine the function which causes the infinite loop. This stems from the function load_xref_from_plaintext (line 589) in pdf.c.
As seen in the image above, in each iteration the file stream is advanced and the data is stored in the buf variable. This variable is then used and processed. Using the POC, once the buffer is loaded with "\000\377F%%EOF\000ref\r\n2714\r\n\377\000\000\000\000\000\000\000\000\000\000", the program is observed to skip the data, as seen in if (strlen(buf) > 17). However, the lack of a check to terminate the loop after reaching the end-of-file indicator of the file stream causes the loop to reuse the same buffer value, and this results in an infinite loop, as seen in the picture.
poc.zip
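As an added illustration of the bug class described in this report (this is not pdfresurrect's own code, and the real loop in load_xref_from_plaintext may differ in detail), the C below contrasts a line-reading loop that ignores the result of fgets() with one that stops at end of stream. The sample input, BUF_SZ, MAX_ITER and the function names are all constructed for the demo.

```c
/* Added example, not pdfresurrect's own code: a minimal reconstruction of a
 * reader loop that never checks for end-of-file. At EOF fgets() returns NULL
 * and leaves buf unchanged, so the stale record is re-examined forever. */
#include <stdio.h>
#include <string.h>

#define BUF_SZ   64
#define MAX_ITER 1000   /* safety cap so the broken reader returns in the demo */

/* Constructed sample input: two short records and one over-long one. */
static const char sample[] =
    "1 0 obj\n"
    "2 0 obj\n"
    "xref line that is longer than seventeen bytes\n";

/* Build a seekable stream from in-memory bytes (tmpfile is standard C). */
static FILE *stream_from(const char *data, size_t len)
{
    FILE *fp = tmpfile();
    if (fp && fwrite(data, 1, len, fp) == len) rewind(fp);
    return fp;
}

/* Broken pattern: the return value of fgets() is ignored, so nothing ends
 * the loop at EOF. Returns the number of iterations spent (hits the cap). */
int scan_unchecked(FILE *fp)
{
    char buf[BUF_SZ] = {0};
    int iters = 0;
    while (iters < MAX_ITER) {
        iters++;
        (void)fgets(buf, sizeof buf, fp);   /* BUG: result never checked */
        if (strlen(buf) > 17) continue;     /* skip over-long record */
        /* ... process the short record here ... */
    }
    return iters;
}

/* Fixed pattern: stop as soon as the stream reports EOF or a read error. */
int scan_checked(FILE *fp)
{
    char buf[BUF_SZ];
    int iters = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        iters++;
        if (strlen(buf) > 17) continue;
        /* ... process the short record here ... */
    }
    return iters;   /* one iteration per line actually read */
}

/* Run one variant over the constructed sample; returns loop iterations. */
int run_demo(int fixed)
{
    FILE *fp = stream_from(sample, sizeof sample - 1);
    int iters = fp ? (fixed ? scan_checked(fp) : scan_unchecked(fp)) : -1;
    if (fp) fclose(fp);
    return iters;
}
```

run_demo(0) only returns because of the MAX_ITER cap, which stands in for the never-ending loop observed under GDB; run_demo(1) returns after the three sample lines.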