
stack overflow / crash on malformed input in QPDFWriter::enqueueObject(QPDFObjectHandle) #143

Closed
hannob opened this Issue Aug 12, 2017 · 2 comments


hannob commented Aug 12, 2017

The attached file will crash qpdf. It seems it's running into an endless recursion and thus a stack overflow.
Found with afl.

qpdf-stackoverflow.zip

==24283==ERROR: AddressSanitizer: stack-overflow on address 0x7ffda4d32f78 (pc 0x00000050ba42 bp 0x7ffda4d337c0 sp 0x7ffda4d32f60 T0)
    #0 0x50ba41 in operator new(unsigned long) (/r/qpdf/qpdf+0x50ba41)
    #1 0x62c243 in PointerHolder<QPDFObject>::PointerHolder(QPDFObject*) /f/qpdf/include/qpdf/PointerHolder.hh:74:17
    #2 0x62c243 in QPDFObjectHandle::QPDFObjectHandle(QPDF*, int, int) /f/qpdf/libqpdf/QPDFObjectHandle.cc:46
    #3 0x62c243 in QPDFObjectHandle::newIndirect(QPDF*, int, int) /f/qpdf/libqpdf/QPDFObjectHandle.cc:1183
    #4 0x5b73af in QPDFObjectHandle::Factory::newIndirect(QPDF*, int, int) /f/qpdf/include/qpdf/QPDFObjectHandle.hh:520:13
    #5 0x5b73af in QPDF::getObjectByID(int, int) /f/qpdf/libqpdf/QPDF.cc:1889
    #6 0x674910 in QPDFWriter::enqueueObject(QPDFObjectHandle) /f/qpdf/libqpdf/QPDFWriter.cc:1057:27
    #7 0x67491b in QPDFWriter::enqueueObject(QPDFObjectHandle) /f/qpdf/libqpdf/QPDFWriter.cc:1057:3
    #8 0x67491b in QPDFWriter::enqueueObject(QPDFObjectHandle) /f/qpdf/libqpdf/QPDFWriter.cc:1057:3
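The trace above shows QPDFWriter::enqueueObject re-entering itself until the stack is exhausted. As an added illustration (not qpdf's code, and the issue does not state what in the attached file triggers the recursion), the following constructed object graph shows how an unguarded recursive enqueue over object references never terminates once a reference cycle is present, and how tracking already-enqueued object ids in a visited set with an explicit worklist makes the traversal terminate on the same input:

```cpp
#include <cassert>
#include <set>
#include <vector>

// Constructed stand-in for a PDF object graph: each indirect object is
// identified by an integer id and may reference other indirect objects.
struct Obj { int id; std::vector<int> refs; };
typedef std::vector<Obj> Graph;   // indexed by object id

// Unguarded enqueue: recurses into every referenced object. Returns false
// when the depth limit is hit, which stands in for a real stack overflow
// (the limit is only there so the demo itself does not crash).
static bool enqueueRecursive(const Graph& g, int id, std::vector<int>& order, int depth = 0)
{
    if (depth > 1000) return false;
    order.push_back(id);
    for (int r : g[id].refs)
        if (!enqueueRecursive(g, r, order, depth + 1)) return false;
    return true;
}

// Guarded enqueue: every object id is visited at most once, so a cycle
// (including an object referring to itself) cannot cause unbounded work.
static std::vector<int> enqueueGuarded(const Graph& g, int root)
{
    std::vector<int> order;
    std::set<int> visited;
    std::vector<int> work{root};
    while (!work.empty()) {
        int id = work.back();
        work.pop_back();
        if (!visited.insert(id).second) continue;   // already enqueued
        order.push_back(id);
        // push in reverse so the first reference is processed first
        for (auto it = g[id].refs.rbegin(); it != g[id].refs.rend(); ++it)
            work.push_back(*it);
    }
    return order;
}

// Constructed malformed input: object 2 refers back to object 1.
static Graph cyclicGraph() { return { {0, {1}}, {1, {2}}, {2, {1}} }; }

// Constructed well-formed input: no cycles.
static Graph acyclicGraph() { return { {0, {1, 2}}, {1, {}}, {2, {}} }; }
```

On the well-formed graph both traversals enqueue the same objects in the same order; on the cyclic graph only the guarded version completes.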

jberkenbilt added a commit to jberkenbilt/qpdf that referenced this issue Aug 12, 2017

jberkenbilt Aug 12, 2017

Contributor

You're doing me a great service by finding all these cases. I hope you keep it up. I should be releasing 7.0.0 pretty soon. It would be great to fix as many of these as possible. I've coded a fix for this, but I need to do some extra code inspection to make sure my fix is good. It definitely doesn't break any existing tests, and the test suite is very thorough, and it also catches this problem, but I'm not sure it fully addresses the underlying issue, so I'll do more checking before I push to master.


ghost Feb 14, 2018

This has been assigned CVE-2017-18183
