Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

An infinite loop #118

Closed
bestshow opened this issue Jun 4, 2017 · 1 comment
Closed

An infinite loop #118

bestshow opened this issue Jun 4, 2017 · 1 comment
Labels
bug next

Comments

@bestshow
Copy link

bestshow commented Jun 4, 2017

On qpdf version 6.0.0, I discovered an infinite loop.

#qpdf $FILE -
==29487== stack-overflow on address 0x7fff5e6b1e38 (pc 0x0000005187d2 bp 0x7fff5e6b2680 sp 0x7fff5e6b1e10 T0)
    #0 0x5187d1 in operator new(unsigned long) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:82
    #1 0x65e604 in PointerHolder<QPDFObject>::PointerHolder(QPDFObject*, bool) /home/haojun/Downloads/qpdf-master/include/qpdf/PointerHolder.hh:75:17
    #2 0x65e604 in QPDFObjectHandle::QPDFObjectHandle(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:45
    #3 0x65e604 in QPDFObjectHandle::newIndirect(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1093
    #4 0x5c27bf in QPDFObjectHandle::Factory::newIndirect(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDFObjectHandle.hh:518:13
    #5 0x5c27bf in QPDF::getObjectByID(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1625
    #6 0x5c27bf in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1499
    #7 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #8 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #9 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #10 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    #11 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1500:22
    #12 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #13 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #14 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #15 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    #16 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1500:22
    #17 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #18 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #19 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #20 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    ......

testcase : https://github.com/bestshow/p0cs/blob/master/qpdf-infiniteloop_2
Credit : ADLab of Venustech
@jberkenbilt jberkenbilt mentioned this issue Jul 26, 2017
Closed
@carnil
Copy link

carnil commented Jul 26, 2017

This is CVE-2017-11627

jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Jul 26, 2017
@jberkenbilt
Include test for other infinite loop bugs
2f56805 
fixes qpdf#117
fixes qpdf#118
fixes qpdf#119
fixes qpdf#120

Several other infinite loop bugs were fixed by previous changes.
Include their test files in the test suite.
jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Jul 26, 2017
@jberkenbilt
Include test for other infinite loop bugs
97c9344 
fixes qpdf#117
fixes qpdf#118
fixes qpdf#119
fixes qpdf#120

Several other infinite loop bugs were fixed by previous changes.
Include their test files in the test suite.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug next
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carnil @jberkenbilt @bestshow