Posted to dev@pdfbox.apache.org by "Jörg Henne (JIRA)" <ji...@apache.org> on 2017/11/16 12:21:00 UTC
[jira] [Created] (PDFBOX-4014) Malformed/pathological/malicious input can lead to infinite looping
Jörg Henne created PDFBOX-4014:
----------------------------------
Summary: Malformed/pathological/malicious input can lead to infinite looping
Key: PDFBOX-4014
URL: https://issues.apache.org/jira/browse/PDFBOX-4014
Project: PDFBox
Issue Type: Bug
Components: JBIG2
Affects Versions: 3.0.0 JBIG2
Reporter: Jörg Henne
Assignee: Jörg Henne
[~tilman] writes
{quote}
See this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=450971
look for "pdfium-loop2.pdf".
I haven't created an issue, because this could be relevant to security.
To reproduce the bug with PDFBox, do this:
PDDocument document = PDDocument.load(new File("pdfium-loop2.pdf"));
new PDFRenderer(document).renderImage(0);
For maven you need
<dependency>
<groupId>org.apache.pdfbox</groupId>
<artifactId>pdfbox</artifactId>
<version>2.0.8</version>
</dependency>
and of course jbig2.
{quote}
An analysis shows that two circumstances contribute to the problem:
# T.88 section E.2.10 specifies that MQ encoded data can be minimized if trailing data contains "just boring stuff, i.e. 1-bits". Thus, an infinite sequence of MQ encoded decisions can be encoded in a finite number of bytes.
# T.88 section 6.4.5 3c specifies that the condition for terminating the decoding of a text region strip is the occurrence of the OOB symbol as a symbol's S coordinate.
If a JBIG2 stream contains a strip that uses #1 yielding a stream of S coordinates that never contain OOB during the decoding phase for #2, an infinite loop results, as text region decoding has no other terminating condition.
The result is "just" a denial of service. No risk of buffer overruns etc. is associated with the issue.
A similar issue exists with symbol dictionary decoding.
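A simplified model of the loop described in the analysis, as an added example that is not part of the original report and not PDFBox or JBIG2 plugin code. `PaddedDecoder` is a hypothetical toy stand-in for the MQ decoder (a constructed 4-bit code, not real arithmetic decoding), and bounding the strip by the symbol instance count the text region declares is one assumed guard, not necessarily the fix the project adopted.

```java
import java.io.IOException;
public class StripLoopGuard {
    static final int OOB = Integer.MIN_VALUE; // constructed sentinel for "out of band"

    // Toy stand-in for an MQ-backed integer decoder (not real arithmetic decoding):
    // once the data is exhausted it keeps supplying 1-bits, as E.2.10 permits.
    static final class PaddedDecoder {
        private final byte[] data;
        private int bitPos;
        PaddedDecoder(byte[] data) { this.data = data; }
        private int bit() {
            int i = bitPos >>> 3;
            if (i >= data.length) return 1; // padding: endless 1-bits
            return (data[i] >> (7 - (bitPos++ & 7))) & 1;
        }
        // Constructed 4-bit code: 0000 is OOB, any other value is a delta-S.
        int decodeS() {
            int v = 0;
            for (int k = 0; k < 4; k++) v = (v << 1) | bit();
            return v == 0 ? OOB : v;
        }
    }

    // Loop shape described in the report: OOB is the only exit. The cap exists
    // only so this demonstration returns; the reported loop has none.
    static int unguarded(PaddedDecoder d, int demoCap) {
        int n = 0;
        while (d.decodeS() != OOB && n < demoCap) n++;
        return n;
    }

    // Guarded variant: never decode more instances than the region declares.
    static int guarded(PaddedDecoder d, int declaredInstances) throws IOException {
        int n = 0;
        while (d.decodeS() != OOB) {
            if (++n > declaredInstances)
                throw new IOException("strip exceeds declared symbol instance count");
        }
        return n;
    }

    public static void main(String[] args) throws IOException {
        byte[] wellFormed = {(byte) 0x35, (byte) 0x0F}; // constructed: 3, 5, OOB
        byte[] noOob = {(byte) 0x35};                   // constructed: 3, 5, then only 1-bits
        System.out.println(guarded(new PaddedDecoder(wellFormed), 2));
        System.out.println(unguarded(new PaddedDecoder(noOob), 1_000_000));
        try { guarded(new PaddedDecoder(noOob), 2); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On the `noOob` input the unguarded loop stops only because of the demonstration cap, while the guarded loop fails fast with an `IOException` that the caller can treat as a malformed stream.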