Infinite loop in function get_xref_linear_skipped in pdf.c #17

Closed
chibataiki opened this issue Apr 16, 2021 · 2 comments

chibataiki commented Apr 16, 2021

Hi,
I found an infinite loop in function get_xref_linear_skipped in pdf.c

env:
version: v0.22b commit af10865
OS: ubuntu 20.04

If 'trailer' is found, then look backwards for 'xref'. But if there is no 'x' character backwards, the function get_xref_linear_skipped will go into an infinite loop.

─── source:pdf.c+729 ────
    724        return;
    725
    726      /* If we found 'trailer' look backwards for 'xref' */
    727      ch = 0;
    728      while (SAFE_F(fp, ((ch = fgetc(fp)) != 'x')))
               // fp=0x0000ffffffffeea8  →  [...]  →  0x00000000fbad2488
 →  729        fseek(fp, -2, SEEK_CUR);
    730
    731      if (ch == 'x')
    732      {
    733          xref->start = ftell(fp) - 1;
    734          fseek(fp, -1, SEEK_CUR);
─────────────────────────────────────────────

PoC (zipped):
pdfresurrect_hang_1.zip

To reproduce:

./pdfresurrect [poc]

reporter: chiba of Topsec alphaLab


enferex commented Apr 19, 2021

Thanks! I have been able to reproduce this and have a potential fix.


enferex commented Apr 19, 2021

Should be fixed in 7e35d18

enferex closed this as completed Apr 19, 2021
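
The read-one-step-back-two pattern from the listing in the report, next to a bounded backward scan. This is an added example, not code from pdfresurrect and not the fix in 7e35d18; the sample data, the helper names (`sample_at`, `scan_back_unchecked`, `scan_back_checked`) and the iteration cap are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a temp file holding `data`, positioned at `pos`. */
static FILE *sample_at(const char *data, long pos)
{
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fwrite(data, 1, strlen(data), fp);
    fseek(fp, pos, SEEK_SET);
    return fp;
}

/* Same shape as the reported loop: read a byte, step back two, ignore
 * fseek()'s result. `cap` exists only so this demo terminates.
 * Returns 1 if `target` was found, 0 otherwise. */
static int scan_back_unchecked(FILE *fp, int target, long cap)
{
    int ch = 0;
    while (cap-- > 0 && (ch = fgetc(fp)) != EOF && ch != target)
        fseek(fp, -2, SEEK_CUR); /* fails once the offset would go negative */
    return ch == target;
}

/* Bounded variant: track the offset explicitly and stop at offset 0.
 * Returns the offset of `target`, or -1 if it is not found. */
static long scan_back_checked(FILE *fp, int target)
{
    long pos = ftell(fp);
    for (; pos >= 0; --pos) {
        if (fseek(fp, pos, SEEK_SET) != 0)
            return -1;
        if (fgetc(fp) == target)
            return pos;
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs: one with no 'x' before "trailer", one with "xref". */
    FILE *a = sample_at("%PDF-1.4\ntrailer\n", 9);
    FILE *b = sample_at("%PDF-1.4\nxref\ntrailer\n", 14);
    if (!a || !b) return 1;
    printf("unchecked found=%d\n", scan_back_unchecked(a, 'x', 1000));
    fseek(a, 9, SEEK_SET);
    printf("checked no_x=%ld\n", scan_back_checked(a, 'x'));
    printf("checked with_x=%ld\n", scan_back_checked(b, 'x'));
    return 0;
}
```

Without the cap, the unchecked scan keeps re-reading the first two bytes of the file, because the failed `fseek` leaves the position where it was and the next read moves forward again.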