Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

An infinite loop #119

Closed
bestshow opened this issue Jun 4, 2017 · 1 comment
Closed

An infinite loop #119

bestshow opened this issue Jun 4, 2017 · 1 comment
Labels
bug next

Comments

@bestshow
Copy link

bestshow commented Jun 4, 2017

On qpdf version 6.0.0, I discovered an infinite loop.

#qpdf $FILE -
==40517== stack-overflow on address 0x7ffd3e389d38 (pc 0x00000046b469 bp 0x7ffd3e38a5c0 sp 0x7ffd3e389d40 T0)
    #0 0x46b468 in memmove /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:679
    #1 0x7f866291704d  /usr/include/bits/string3.h:57
    #2 0x7f866291704d  pcre_compile.c:3918
    #3 0x7f866291704d  pcre_compile.c:7273
    #4 0x7f8662916e25  pcre_compile.c:6635
    #5 0x7f8662916e25  pcre_compile.c:7273
    #6 0x7f8662916e25  pcre_compile.c:6635
    #7 0x7f8662916e25  pcre_compile.c:7273
    #8 0x7f866291c5c5 in pcre_compile2 pcre_compile.c:8131
    #9 0x8adacb in PCRE::PCRE(char const*, int) /home/haojun/Downloads/qpdf-master/libqpdf/PCRE.cc:144:18
    #10 0x67d604 in QPDFTokenizer::resolveLiteral() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:62:10
    #11 0x6835cb in QPDFTokenizer::presentCharacter(char) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:432:9
    #12 0x688d3f in QPDFTokenizer::readToken(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:519:6
    #13 0x645545 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:873:23
    #14 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #15 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #16 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #17 0x63b73a in QPDFObjectHandle::parse(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:841:12
    #18 0x58a10c in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1017:31
    #19 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    #20 0x5c104e in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1474:7
    #21 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #22 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #23 0x64f57d in QPDFObjectHandle::isName() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:184:5
    #24 0x64f57d in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1074
    #25 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #26 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #27 0x63b73a in QPDFObjectHandle::parse(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:841:12
    #28 0x58a10c in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1017:31
    #29 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    #30 0x5c104e in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1474:7
    #31 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #32 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #33 0x64f57d in QPDFObjectHandle::isName() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:184:5
    #34 0x64f57d in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1074
    #35 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #36 0x646a79 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:939:15
    #37 0x63b73a in QPDFObjectHandle::parse(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:841:12
    #38 0x58a10c in QPDF::readObject(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1017:31
    #39 0x5a5fee in QPDF::readObjectAtOffset(bool, long long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, int&, int&) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1393:27
    ......

testcase : https://github.com/bestshow/p0cs/blob/master/qpdf-infiniteloop_3
Credit : ADLab of Venustech
@jberkenbilt jberkenbilt mentioned this issue Jul 26, 2017
Closed
@carnil
Copy link

carnil commented Jul 26, 2017

This is CVE-2017-11626

jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Jul 26, 2017
@jberkenbilt
Include test for other infinite loop bugs
2f56805 
fixes qpdf#117
fixes qpdf#118
fixes qpdf#119
fixes qpdf#120

Several other infinite loop bugs were fixed by previous changes.
Include their test files in the test suite.
jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Jul 26, 2017
@jberkenbilt
Include test for other infinite loop bugs
97c9344 
fixes qpdf#117
fixes qpdf#118
fixes qpdf#119
fixes qpdf#120

Several other infinite loop bugs were fixed by previous changes.
Include their test files in the test suite.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug next
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carnil @jberkenbilt @bestshow