pdfbox-dev mailing list archives

From Jörg Henne (JIRA) <j...@apache.org>
Subject [jira] [Commented] (PDFBOX-4014) Malformed/pathological/malicious input can lead to infinite looping
Date Mon, 15 Jan 2018 08:23:00 GMT

    [ https://issues.apache.org/jira/browse/PDFBOX-4014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16325992#comment-16325992
] 

Jörg Henne commented on PDFBOX-4014:
------------------------------------

{quote}
Please don't forget to mention the related JIRA-ticket in the commit comment to trigger the
git-JIRA-integration
{quote}

Oh, so the trigger doesn't pick up any commit to a branch tagged with the issue-ID alone?
I'll try to think of that :)

{quote}

That's sufficient. An ICLA is needed only for substantial additions, a simple sample pdf doesn't
qualify for that

{quote}

Brilliant. I'll proceed to merge the branch.

What are your thoughts on changelog management? The project currently has [release-notes.md|https://git-wip-us.apache.org/repos/asf?p=pdfbox-jbig2.git;a=blob_plain;f=release-notes.md;hb=HEAD],
but this isn't aligned with the upstream [RELEASE-NOTES.txt|https://svn.apache.org/repos/asf/pdfbox/trunk/RELEASE-NOTES.txt].

> Malformed/pathological/malicious input can lead to infinite looping
> -------------------------------------------------------------------
>
>                 Key: PDFBOX-4014
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4014
>             Project: PDFBox
>          Issue Type: Bug
>          Components: JBIG2
>    Affects Versions: 3.0.0 JBIG2
>            Reporter: Jörg Henne
>            Assignee: Jörg Henne
>            Priority: Major
>
> [~tilman] writes
> {quote}
> See this issue:
> https://bugs.chromium.org/p/chromium/issues/detail?id=450971
> look for "pdfium-loop2.pdf".
> I haven't created an issue, because this could be relevant to security.
> To reproduce the bug with PDFBox, do this:
>          PDDocument document = PDDocument.load(new File("pdfium-loop2.pdf"));
>          new PDFRenderer(document).renderImage(0);
> For maven you need
> <dependency>
>      <groupId>org.apache.pdfbox</groupId>
>      <artifactId>pdfbox</artifactId>
>      <version>2.0.8</version>
> </dependency>
> and of course jbig2.
> {quote}
> An analysis shows that two circumstances contribute to the problem:
> # T.88 section E.2.10 specifies that MQ encoded data can be minimized if trailing data
contains "just boring stuff, i.e. 1-bits". Thus, an infinite sequence of MQ encoded decisions
can be encoded in a finite number of bytes.
> # T.88 section 6.4.5 3c specifies that the condition for terminating the decoding of
a text region strip is the occurrence of the OOB symbol as a symbol's S coordinate.
> If a JBIG2 stream contains a strip that uses #1 yielding a stream of S coordinates that
never contain OOB during the decoding phase for #2, an infinite loop results, as text region
decoding has no other terminating condition.
> The result is "just" a denial of service. No risk of buffer overruns etc. is associated
with the issue. 
> A similar issue exists with symbol dictionary decoding. However in this case decoding
will not enter an infinite loop due to an array index out of bounds exception that is thrown
once more symbols than expected have been decoded.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org
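The analysis quoted above (points #1 and #2) can be illustrated with a small model of the two mechanisms: a decision source that keeps supplying 1-bits once the encoded data is exhausted (the effect of T.88 E.2.10 minimization), and the Annex A.2 integer decoding procedure that turns those decisions into S coordinates, which never produce OOB while the tail is all ones. The code below is an added example written for this page; it is not pdfbox-jbig2 code. It assumes a plain 1-padded bit reader standing in for the real MQ arithmetic decoder and its contexts, a strip delta offset of 0, and hypothetical names (OnesPaddedBitReader, decodeStripUnbounded, decodeStripBounded); the two strip inputs are constructed, not taken from pdfium-loop2.pdf. The hardened variant bounds the strip loop by the instance count the region segment header declares, which is the kind of check that turns the infinite loop into a parse error.

```java
import java.util.ArrayList;
import java.util.List;

public class Jbig2StripBound {

    /** Simplified stand-in for the MQ decoder: once the data is used up it yields 1-bits forever (cf. T.88 E.2.10). */
    static final class OnesPaddedBitReader {
        private final byte[] data;
        private long bitPos;
        OnesPaddedBitReader(byte[] data) { this.data = data; }
        int readBit() {
            int idx = (int) (bitPos >>> 3);
            int bit = idx < data.length ? (data[idx] >> (7 - (int) (bitPos & 7))) & 1 : 1;
            bitPos++;
            return bit;
        }
    }

    static int readBits(OnesPaddedBitReader in, int n) {
        int v = 0;
        for (int i = 0; i < n; i++) v = (v << 1) | in.readBit();
        return v;
    }

    /** T.88 Annex A.2 integer decoding procedure over raw decisions; returns null for OOB (S = 1, V = 0). */
    static Integer decodeInteger(OnesPaddedBitReader in) {
        int s = in.readBit();
        int v;
        if (in.readBit() == 0)      v = readBits(in, 2);
        else if (in.readBit() == 0) v = readBits(in, 4) + 4;
        else if (in.readBit() == 0) v = readBits(in, 6) + 20;
        else if (in.readBit() == 0) v = readBits(in, 8) + 84;
        else if (in.readBit() == 0) v = readBits(in, 12) + 340;
        else                        v = readBits(in, 32) + 4436; // all-ones tail lands here: V is never 0
        if (s == 1 && v == 0) return null; // OOB
        return s == 1 ? -v : v;
    }

    static final int SBDSOFFSET = 0; // assumed strip delta offset

    /** As in 6.4.5 step 3c: the strip ends only when the S delta decodes to OOB. A 1-bit tail never gets there. */
    static List<Integer> decodeStripUnbounded(OnesPaddedBitReader in) {
        List<Integer> coords = new ArrayList<>();
        Integer value = decodeInteger(in); // IAFS: first symbol's S
        int curS = 0;
        boolean first = true;
        while (value != null) {
            curS = first ? value : curS + value + SBDSOFFSET;
            first = false;
            coords.add(curS);
            value = decodeInteger(in);     // IADS: delta to the next symbol, OOB ends the strip
        }
        return coords;
    }

    /** Hardened: the strip may not yield more instances than the region header still allows (SBNUMINSTANCES minus decoded). */
    static List<Integer> decodeStripBounded(OnesPaddedBitReader in, int remainingInstances) {
        List<Integer> coords = new ArrayList<>();
        Integer value = decodeInteger(in);
        int curS = 0;
        boolean first = true;
        while (value != null) {
            if (coords.size() >= remainingInstances) {
                throw new IllegalStateException("strip exceeds the " + remainingInstances
                        + " remaining instances declared by the region segment header");
            }
            curS = first ? value : curS + value + SBDSOFFSET;
            first = false;
            coords.add(curS);
            value = decodeInteger(in);
        }
        return coords;
    }

    /** Packs a string of '0'/'1' characters into bytes, MSB first (constructed test input helper). */
    static byte[] bits(String s) {
        byte[] out = new byte[(s.length() + 7) / 8];
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '1') out[i / 8] |= 0x80 >>> (i % 8);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed well-formed strip: first S = 3 ("0011"), delta +2 ("0010"), then OOB ("1000").
        byte[] wellFormed = bits("001100101000");
        System.out.println("well-formed strip: " + decodeStripBounded(new OnesPaddedBitReader(wellFormed), 10)); // [3, 5]

        // Constructed truncated strip: same two values, then the data ends and only 1-bits follow.
        // Every further decode gives S = 1 and V = 0xFFFFFFFF + 4436, so OOB never appears.
        byte[] truncated = bits("00110010");
        try {
            decodeStripBounded(new OnesPaddedBitReader(truncated), 4);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // decodeStripUnbounded(new OnesPaddedBitReader(truncated)) would never return.
    }
}
```

The instance bound is the only check added on purpose: rejecting reads past the end of the data would be wrong, because E.2.10 makes such reads legitimate for well-formed streams. Bounding by the declared count instead lets minimized streams decode normally while guaranteeing that every strip loop terminates.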

