
Infinite Loop in pdf.c #15

Closed
kinzhong opened this issue Dec 15, 2020 · 2 comments

Comments

@kinzhong

Based on commit 3a95b4f.

To recreate:

./pdfresurrect poc

Analysis:

Using GDB I was able to isolate and determine the function which causes the infinite loop. This stems from the function load_xref_from_plaintext (line 589) in pdf.c.

[image: GDB screenshot showing the infinite loop]

As seen in the image above, in each iteration, the filestream is advanced and data stored in the buf variable. This variable is then used and processed. Using the POC, once the buffer is loaded with "\000\377F%%EOF\000ref\r\n2714\r\n\377\000\000\000\000\000\000\000\000\000\000", the program is observed to skip the data as seen in if (strlen(buf) > 17). However, the lack of a check to terminate the program after reaching the end-of-file indicator of the filestream causes the loop to reuse the same buffer value, and this results in an infinite loop as seen in the picture.

poc.zip
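The read-loop pattern described in the report above, as an added example written for this page rather than pdfresurrect's own load_xref_from_plaintext (whose source is not quoted in the issue). It shows a loop that fills a buffer from the stream without checking the read result, so that after EOF the stale buffer is re-examined forever, next to a version that stops on a zero read and processes the chunk by its byte count instead of strlen(). The 32-byte chunk size, the "%%EOF" marker, the SPIN_LIMIT guard and the constructed sample bytes are all assumptions of this example, not details of the project.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 32        /* assumed chunk size for this demo */
#define SPIN_LIMIT 1000  /* guard so the buggy loop returns instead of hanging */

/* Constructed input (not the issue's poc.zip): a PDF-like tail with a NUL
 * byte ahead of the real text, so strlen() on the chunk is short, similar
 * to the buffer contents quoted in the issue. */
static const unsigned char SAMPLE[] =
    "%PDF-1.4\n"
    "\x00\xff" "F%%EOF" "\x00" "ref\r\n2714\r\n"
    "\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Write the bytes into an anonymous temp file and rewind it, so both
 * scanners operate on a real FILE* like the tool would. */
static FILE *open_sample(const unsigned char *data, size_t len) {
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    if (fwrite(data, 1, len, fp) != len) { fclose(fp); return NULL; }
    rewind(fp);
    return fp;
}

/* Buggy pattern: the stream is advanced into buf every iteration, but the
 * read count is never used to stop the loop. At EOF fread() returns 0 and
 * leaves buf untouched, so the same stale chunk is re-examined forever.
 * Returns the iteration at which "xref" was seen, or -1 once SPIN_LIMIT is
 * hit (the real code would simply hang here). */
static int scan_buggy(FILE *fp) {
    char buf[BUF_SZ + 1];
    memset(buf, 0, sizeof buf);
    for (int iters = 1; iters <= SPIN_LIMIT; iters++) {
        size_t n = fread(buf, 1, BUF_SZ, fp);
        (void)n;                                /* count discarded: the bug */
        if (strlen(buf) > 17) continue;         /* "skip" branch from the issue */
        if (strstr(buf, "xref")) return iters;  /* strlen/strstr stop at NUL */
    }
    return -1;
}

/* Byte-aware search that does not stop at NUL; returns index or -1. */
static long find_bytes(const unsigned char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen) return -1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Fixed loop: a zero read means EOF or error and ends the loop, and the
 * chunk is processed by its real byte count, so embedded NULs cannot hide
 * the marker. The last strlen(marker)-1 bytes are carried over so a marker
 * split across two chunks is still found. Returns the absolute file offset
 * of the first marker, -1 if the file ends without one, -2 on read error. */
static long scan_fixed(FILE *fp, const char *marker) {
    unsigned char buf[BUF_SZ];
    if (!marker || !*marker) return -1;
    size_t keep = strlen(marker) - 1;   /* overlap between chunks */
    size_t have = 0;                    /* valid bytes currently in buf */
    long base = 0;                      /* file offset of buf[0] */
    for (;;) {
        size_t n = fread(buf + have, 1, sizeof buf - have, fp);
        if (n == 0) return ferror(fp) ? -2 : -1;   /* EOF or error: stop */
        have += n;
        long pos = find_bytes(buf, have, marker);
        if (pos >= 0) return base + pos;
        if (have > keep) {                          /* slide the window */
            memmove(buf, buf + have - keep, keep);
            base += (long)(have - keep);
            have = keep;
        }
    }
}

/* Run the buggy scanner over the constructed sample. */
static int demo_buggy(void) {
    FILE *fp = open_sample(SAMPLE, SAMPLE_LEN);
    if (!fp) return -99;
    int r = scan_buggy(fp);
    fclose(fp);
    return r;
}

/* Run the fixed scanner over arbitrary bytes, looking for "%%EOF". */
static long demo_fixed(const unsigned char *data, size_t len) {
    FILE *fp = open_sample(data, len);
    if (!fp) return -99;
    long r = scan_fixed(fp, "%%EOF");
    fclose(fp);
    return r;
}

int main(void) {
    printf("buggy scanner: %d (-1 = hit spin guard, would loop forever)\n", demo_buggy());
    printf("fixed scanner: %%%%EOF at offset %ld\n", demo_fixed(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The spin guard exists only so the demo returns; in a tool that walks untrusted PDFs, the check that matters is the one on the read count (or feof()/ferror()) at the top of the loop. Treating binary chunks as C strings is the second hazard: any NUL in the data silently truncates what strlen() and strstr() can see.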

@enferex (Owner)

enferex commented Dec 15, 2020

Thanks for finding this! I'll try to get a fix in, perhaps over the weekend.

@enferex (Owner)

enferex commented Dec 19, 2020

Fixed in af10865

Thanks for finding and isolating this!

@enferex enferex closed this as completed Dec 19, 2020