
An infinite loop #120

Closed
bestshow opened this issue Jun 4, 2017 · 3 comments

@bestshow

commented Jun 4, 2017

On qpdf version 6.0.0, I discovered an infinite loop.

#qpdf $FILE -
==52056== stack-overflow on address 0x7ffc5d511de0 (pc 0x0000005c262c bp 0x7ffc5d512a30 sp 0x7ffc5d511de0 T0)
    #0 0x5c262b in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1497
    #1 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #2 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #3 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #4 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    #5 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1500:22
    #6 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #7 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #8 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #9 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    #10 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1500:22
    #11 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #12 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #13 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #14 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    #15 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1500:22
    #16 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #17 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #18 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #19 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
    #20 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1500:22
    #21 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6
    #22 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19
    #23 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520
    #24 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5
   ......

testcase : https://github.com/bestshow/p0cs/blob/master/qpdf-infiniteloop_4
Credit : ADLab of Venustech
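The frames in the trace above repeat the same four-call cycle: resolve → resolveObjectsInStream → isStream → dereference → resolve. That is consistent with a cross-reference table in which the object being resolved is recorded as living inside an object stream, and resolving that object stream in turn requires resolving an object stream that is still being resolved higher up the call chain, so the recursion never terminates and the process dies of stack exhaustion. The following is an added example, not code from this issue, from the test file, or from qpdf itself: a small model of such a resolver with a hypothetical simplified xref entry type, showing both the unbounded recursion on constructed cyclic tables and the usual fix, an "in progress" set that reports the cycle instead of re-entering it. The names `XrefEntry`, `Resolver`, `Outcome`, `resolveWith` and the sample tables are all inventions for this example.

```cpp
// Added example (not qpdf's code): a minimal model of PDF object resolution
// where the cross-reference table may place an object inside an object
// stream, plus the cycle guard that turns unbounded recursion into an error.
#include <map>
#include <set>

// Hypothetical simplified xref entry: an object is either stored directly in
// the file, or compressed inside object stream `stream` (the "type 2" entry
// of a PDF 1.5 cross-reference stream).
struct XrefEntry {
    bool in_stream;   // true -> object lives inside object stream `stream`
    int stream;       // object number of the containing object stream
};
using Xref = std::map<int, XrefEntry>;

enum class Outcome { Resolved, Missing, Cycle, DepthExceeded };

class Resolver {
public:
    Resolver(const Xref& xref, bool guarded) : xref_(xref), guarded_(guarded) {}

    // Resolve `obj`. In guarded mode, an object stream that is already being
    // resolved further up the call chain is reported as Cycle instead of being
    // entered again. In unguarded mode only the depth cap stops the recursion;
    // it stands in for the stack overflow in the sanitizer report.
    Outcome resolve(int obj) {
        resolving_.clear();
        return resolveImpl(obj, 0);
    }

    static constexpr int kMaxDepth = 64;

private:
    Outcome resolveImpl(int obj, int depth) {
        if (depth > kMaxDepth) return Outcome::DepthExceeded;
        auto it = xref_.find(obj);
        if (it == xref_.end()) return Outcome::Missing;
        if (!it->second.in_stream) return Outcome::Resolved;  // direct object

        // Compressed object: the containing object stream must be resolved
        // first. This is the resolve -> resolveObjectsInStream -> isStream ->
        // dereference -> resolve chain visible in the trace.
        const int stream = it->second.stream;
        if (guarded_ && resolving_.count(stream)) return Outcome::Cycle;

        resolving_.insert(stream);
        Outcome r = resolveImpl(stream, depth + 1);
        resolving_.erase(stream);
        return r;
    }

    const Xref& xref_;
    bool guarded_;
    std::set<int> resolving_;   // object streams currently being resolved
};

// Constructed xref tables (not taken from the issue's test file):
//   okXref:    object 7 is inside stream 3; stream 3 is a direct object.
//   cycleXref: stream 3 claims to be inside stream 4, and 4 inside 3.
//   selfXref:  stream 5 claims to be inside itself.
inline Xref okXref()    { return {{3, {false, 0}}, {7, {true, 3}}}; }
inline Xref cycleXref() { return {{3, {true, 4}}, {4, {true, 3}}, {7, {true, 3}}}; }
inline Xref selfXref()  { return {{5, {true, 5}}, {7, {true, 5}}}; }

// Convenience wrapper: resolve `obj` against table `x`, guarded or not.
inline Outcome resolveWith(const Xref& x, int obj, bool guarded) {
    Resolver r(x, guarded);
    return r.resolve(obj);
}

int main() {
    // Unguarded, the cyclic tables only stop at the depth cap (a crash in a
    // real parser); guarded, the same tables are rejected at once.
    bool ok = resolveWith(okXref(), 7, true) == Outcome::Resolved &&
              resolveWith(cycleXref(), 7, false) == Outcome::DepthExceeded &&
              resolveWith(cycleXref(), 7, true) == Outcome::Cycle &&
              resolveWith(selfXref(), 7, true) == Outcome::Cycle;
    return ok ? 0 : 1;
}
```

The guard keys on the object stream number rather than on recursion depth because a depth limit alone only bounds the damage: a deep but legitimate chain would be rejected and a shallow cycle would still burn the full budget before failing. Tracking what is currently being resolved reports the malformed reference at the exact point it closes the loop, which is also where a parser can emit a useful warning about the broken xref entry.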

@jberkenbilt



commented Jul 26, 2017

After fixing #51, #99, #100, and #101, this file no longer causes an infinite loop. There is still work to make qpdf do the best it can on this and other broken files, but at least there is no more infinite loop. The fixes will be released in qpdf 7.x hopefully by the end of the summer. I will push to master before that.

#117, #118, and #119 are all addressed by the other fixes.

@bestshow



commented Jul 26, 2017

@jberkenbilt Ok, thanks a lot.

@carnil



commented Jul 26, 2017

This is CVE-2017-11625

jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Jul 26, 2017

Include test for other infinite loop bugs
fixes qpdf#117
fixes qpdf#118
fixes qpdf#119
fixes qpdf#120

Several other infinite loop bugs were fixed by previous changes.
Include their test files in the test suite.
