pdfbox-dev mailing list archives

From Jörg Henne (JIRA) <j...@apache.org>
Subject [jira] [Commented] (PDFBOX-4014) Malformed/pathological/malicious input can lead to infinite looping
Date Tue, 02 Jan 2018 23:46:00 GMT

    [ https://issues.apache.org/jira/browse/PDFBOX-4014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16308891#comment-16308891 ]

Jörg Henne commented on PDFBOX-4014:
------------------------------------

Sorry for taking so long to deal with this issue.

{quote}
I let it run and it was still working after a few minutes. I did check out the branch and
I made sure that this is that library that is being used. The extra part in SymbolDictionary
is hit once, the one in TextRegion never.
{quote}
Damn, I still had some debug code in place which masked the existence of a second problem
with the codestream, namely that it requests an unrealistically large number of symbols be
decoded for a text region, namely 2^31+1. However, it obviously doesn't make sense to have
such a huge number of symbols for an image of just 5000 pixels. 

I added a sanity check that limits the number of decoded symbol instances to the total number
of pixels in the image. The code emits a warning if it does so. Please note that the branch
name has been updated to omit the slashes, i.e. {{bugfix/PDFBOX-4014_Malformed_pathological_malicious_input_can_lead_to_infinite_looping}}

> Malformed/pathological/malicious input can lead to infinite looping
> -------------------------------------------------------------------
>
>                 Key: PDFBOX-4014
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4014
>             Project: PDFBox
>          Issue Type: Bug
>          Components: JBIG2
>    Affects Versions: 3.0.0 JBIG2
>            Reporter: Jörg Henne
>            Assignee: Jörg Henne
>
> [~tilman] writes
> {quote}
> See this issue:
> https://bugs.chromium.org/p/chromium/issues/detail?id=450971
> look for "pdfium-loop2.pdf".
> I haven't created an issue, because this could be relevant to security.
> To reproduce the bug with PDFBox, do this:
>          PDDocument document = PDDocument.load(new File("pdfium-loop2.pdf"));
>          new PDFRenderer(document).renderImage(0);
> For maven you need
> <dependency>
>      <groupId>org.apache.pdfbox</groupId>
>      <artifactId>pdfbox</artifactId>
>      <version>2.0.8</version>
> </dependency>
> and of course jbig2.
> {quote}
> An analysis shows that two circumstances contribute to the problem:
> # T.88 section E.2.10 specifies that MQ encoded data can be minimized if trailing data
> contains "just boring stuff, i.e. 1-bits". Thus, an infinite sequence of MQ encoded decisions
> can be encoded in a finite number of bytes.
> # T.88 section 6.4.5 3c specifies that the condition for terminating the decoding of
> a text region strip is the occurrence of the OOB symbol as a symbol's S coordinate.
> If a JBIG2 stream contains a strip that uses #1 yielding a stream of S coordinates that
> never contain OOB during the decoding phase for #2, an infinite loop results, as text region
> decoding has no other terminating condition.
> The result is "just" a denial of service. No risk of buffer overruns etc. is associated
> with the issue.
> A similar issue exists with symbol dictionary decoding. However, in this case decoding
> will not enter an infinite loop due to an array index out of bounds exception that is thrown
> once more symbols than expected have been decoded.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org
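The two circumstances from the analysis above and the pixel-count sanity check from the comment, modelled as an added example; this is not the PDFBox/JBIG2 code and `symbol_s_coordinates`, `decode_text_region_strip` and the sample streams are constructed stand-ins for the real MQ/IADS decoding procedures.

```python
import itertools
import logging
from typing import Iterable, Iterator, List, Optional, Tuple

log = logging.getLogger("jbig2")

OOB = None  # out-of-band value that ends a text region strip (T.88 6.4.5 3c)


def symbol_s_coordinates(encoded: Iterable[Optional[int]]) -> Iterator[Optional[int]]:
    """Stand-in for S-coordinate decoding on top of an MQ decoder. The finite
    'encoded' values are handed out first; afterwards the decoder keeps yielding
    decisions from the implicit trailing 1-bits that T.88 E.2.10 lets an encoder
    drop, so a pathological stream with no OOB never runs dry (circumstance #1)."""
    yield from encoded
    yield from itertools.repeat(1)  # constructed: endless S deltas, never OOB


def decode_text_region_strip(
    s_coords: Iterator[Optional[int]], width: int, height: int, cap_to_pixels: bool = True
) -> Tuple[List[int], bool]:
    """Decode one strip: accumulate S coordinates until OOB is seen (circumstance #2).
    With cap_to_pixels the loop also stops once as many symbol instances have been
    placed as the region has pixels, which is the sanity check from the fix; with it
    disabled, a stream that never yields OOB loops forever.
    Returns (decoded S positions, True if the cap truncated the strip)."""
    max_instances = width * height if cap_to_pixels else None
    instances: List[int] = []
    cur_s = 0
    for s_delta in s_coords:
        if s_delta is OOB:
            return instances, False
        cur_s += s_delta
        instances.append(cur_s)
        if max_instances is not None and len(instances) >= max_instances:
            log.warning("strip reached %d symbol instances, the pixel count of a %dx%d "
                        "region; stopping decode", len(instances), width, height)
            return instances, True
    return instances, False


if __name__ == "__main__":
    # well-formed strip: OOB present, cap never triggers
    print(decode_text_region_strip(symbol_s_coordinates([3, 2, OOB]), 4, 3))
    # pathological strip: no OOB, the cap is the only thing that ends the loop
    print(decode_text_region_strip(symbol_s_coordinates([3, 2]), 4, 3))
```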

