An infinite loop #117

Closed
bestshow opened this issue Jun 4, 2017 · 1 comment

@bestshow

commented Jun 4, 2017

On qpdf version 6.0.0, I discovered an infinite loop.

```
#qpdf $FILE -
==10354== stack-overflow on address 0x7fffdaf46ef8 (pc 0x7fc995a7f020 bp 0x000000935760 sp 0x7fffdaf46e50 T0)
    #0 0x7fc995a7f01f in pcre_compile2 pcre_compile.c:7903
    #1 0x8adacb in PCRE::PCRE(char const*, int) /home/haojun/Downloads/qpdf-master/libqpdf/PCRE.cc:144:18
    #2 0x67d604 in QPDFTokenizer::resolveLiteral() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:62:10
    #3 0x6835cb in QPDFTokenizer::presentCharacter(char) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:432:9
    #4 0x688d3f in QPDFTokenizer::readToken(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:519:6
    #5 0x645545 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:873:23
    #6 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #7 0x63b73a in QPDFObjectHandle::parse(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:841:12
    #8 0x58a10c in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1017:31
    #9 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    #10 0x5c104e in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1474:7
    #11 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #12 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #13 0x620300 in QPDFObjectHandle::isInteger() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:145:5
    #14 0x58c7f4 in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1118:34
    #15 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    #16 0x5c104e in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1474:7
    #17 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #18 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #19 0x620300 in QPDFObjectHandle::isInteger() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:145:5
    #20 0x58c7f4 in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1118:34
    #21 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    #22 0x5c104e in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1474:7
    #23 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #24 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #25 0x620300 in QPDFObjectHandle::isInteger() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:145:5
    #26 0x58c7f4 in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1118:34
    #27 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    ....
```

Testcase: https://github.com/bestshow/p0cs/blob/master/qpdf-infiniteloop_1
Credit: ADLab of Venustech
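The trace above repeats the same sequence of frames: `QPDF::readObject` calls `QPDFObjectHandle::isInteger`, which dereferences an indirect object, which goes through `QPDF::resolve` and `QPDF::readObjectAtOffset` back into `QPDF::readObject`, and so on until the stack is exhausted. That is the signature of object resolution re-entering itself on a reference cycle with nothing to stop it. The block below is an added example, not qpdf's code and not part of the issue: a deliberately small model of an indirect-object resolver showing the unguarded lookup beside the general defence, which keeps a set of object ids currently being resolved and treats re-entry on one of them as a cycle to report rather than follow. The `Obj`, `Result` and `Resolver` types, the object ids and the depth cap are all hypothetical and constructed for the example.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <utility>

// Hypothetical minimal model of an indirect-object table; not qpdf's code.
// An object is either a plain integer or a reference to another object id.
struct Obj {
    bool isRef;
    int value;   // integer payload, or the referenced object id when isRef
    Obj(bool r = false, int v = 0) : isRef(r), value(v) {}
};

struct Result {
    bool ok;     // false: missing object, cycle detected, or depth cap reached
    int value;
};

class Resolver {
public:
    explicit Resolver(std::map<int, Obj> table) : table_(std::move(table)) {}

    // Unguarded lookup: follows references recursively with no cycle check.
    // On a reference cycle this never terminates on its own; the depth cap is
    // a stand-in for the stack overflow so the example runs to completion.
    Result resolveUnguarded(int id, int depth = 0) {
        if (depth >= kDepthCap) { depthCapHit_ = true; return {false, 0}; }
        auto it = table_.find(id);
        if (it == table_.end()) return {false, 0};
        if (!it->second.isRef) return {true, it->second.value};
        return resolveUnguarded(it->second.value, depth + 1);
    }

    // Guarded lookup: ids currently being resolved are kept in inProgress_.
    // Re-entering one of them can only mean a cycle, so it is counted and
    // refused; recursion depth is then bounded by the length of the chain.
    Result resolve(int id) {
        if (inProgress_.count(id)) { ++cyclesDetected_; return {false, 0}; }
        auto it = table_.find(id);
        if (it == table_.end()) return {false, 0};
        if (!it->second.isRef) return {true, it->second.value};
        InProgressGuard guard(inProgress_, id);   // removed on every exit path
        return resolve(it->second.value);
    }

    int cyclesDetected() const { return cyclesDetected_; }
    bool depthCapHit() const { return depthCapHit_; }

private:
    // RAII marker so the id leaves the in-progress set even if an exception
    // unwinds through the recursion.
    struct InProgressGuard {
        std::set<int>& s;
        int id;
        InProgressGuard(std::set<int>& set, int i) : s(set), id(i) { s.insert(id); }
        ~InProgressGuard() { s.erase(id); }
    };
    static const int kDepthCap = 1000;
    std::map<int, Obj> table_;
    std::set<int> inProgress_;
    int cyclesDetected_ = 0;
    bool depthCapHit_ = false;
};

// Constructed sample table: a benign chain, a three-object reference cycle,
// and a self-reference. Ids are made up for the example.
Resolver makeSampleResolver() {
    std::map<int, Obj> t;
    t[10] = Obj(true, 11);  t[11] = Obj(false, 42);                  // 10 -> 11 -> 42
    t[1]  = Obj(true, 2);   t[2]  = Obj(true, 3);  t[3] = Obj(true, 1); // 1 -> 2 -> 3 -> 1
    t[20] = Obj(true, 20);                                           // 20 -> 20
    return Resolver(t);
}

int main() {
    Resolver r = makeSampleResolver();
    Result a = r.resolve(10);
    std::printf("resolve(10): ok=%d value=%d\n", a.ok, a.value);
    Result b = r.resolve(1);
    std::printf("resolve(1): ok=%d cycles=%d\n", b.ok, r.cyclesDetected());
    Result c = r.resolveUnguarded(1);
    std::printf("resolveUnguarded(1): ok=%d depthCapHit=%d\n", c.ok, r.depthCapHit());
    return 0;
}
```

The in-progress set is the whole fix: without it, the only thing that stops the recursion is the stack limit, which is what the sanitizer report above is showing. A real parser would attach the same guard to whatever state survives across the `resolve` and `readObject` boundary, and would surface the detected cycle as a parse warning or error rather than a silent failure.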

@carnil

commented Jul 26, 2017

This is CVE-2017-11624

jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Jul 26, 2017

Include test for other infinite loop bugs
fixes qpdf#117
fixes qpdf#118
fixes qpdf#119
fixes qpdf#120

Several other infinite loop bugs were fixed by previous changes.
Include their test files in the test suite.
