Infinite recursion at cairo-mesh-pattern-rasterizer.c:848
Submitted by foca@salesforce.com
Assigned to Chris Wilson @ickle
Link to original bug (#101550)
Description
Created attachment 132125 Proof of concept
Hi,
There is an infinite recursion in pdftocairo parsing the attached PoC1.pdf. As a result of the infinite (or very deep) recursion all the stack space is consumed and the application crashes.
The recursion happens at cairo-mesh-pattern-rasterizer.c:848:

    844         subc[2][i] = 0.5 * (c[0][i] + c[2][i]);
    845         subc[3][i] = 0.5 * (c[1][i] + c[3][i]);
    846     }
    847
    848     draw_bezier_patch (data, width, height, stride, first, subc);
    849
    850     for (i = 0; i < 4; ++i) {
    851         subc[0][i] = subc[2][i];
    852         subc[1][i] = subc[3][i];
This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use: pdftocairo -svg PoC1.pdf
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 132125, "Proof of concept":
PoC1.pdf
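As an added illustration (not cairo's code and not the fix for this report, whose root cause is not stated here), a simplified midpoint subdivision of a cubic Bézier with a hypothetical hard depth cap checked before the flatness test, so stack use stays bounded no matter what the input does to the termination criterion. The NaN control point is a constructed input that makes a chord-distance flatness test never succeed.

```c
#include <math.h>
#include <stddef.h>

/* Hypothetical hard cap on subdivision depth (assumption, not cairo's). */
#define MAX_SUBDIV_DEPTH 16

typedef struct { double x, y; } pt;
typedef struct { unsigned segments; unsigned max_depth; } stats;

/* Chord-distance flatness test. Any NaN makes the comparison false, so a
 * non-finite curve is never "flat" and only the depth cap can stop it. */
static int flat_enough(const pt c[4], double tol)
{
    double dx = c[3].x - c[0].x, dy = c[3].y - c[0].y;
    double d1 = fabs((c[1].x - c[0].x) * dy - (c[1].y - c[0].y) * dx);
    double d2 = fabs((c[2].x - c[0].x) * dy - (c[2].y - c[0].y) * dx);
    return (d1 + d2) * (d1 + d2) <= tol * tol * (dx * dx + dy * dy);
}

static pt mid(pt a, pt b)
{
    pt m = { 0.5 * (a.x + b.x), 0.5 * (a.y + b.y) };
    return m;
}

static void subdivide(const pt c[4], double tol, unsigned depth, stats *st)
{
    if (depth > st->max_depth)
        st->max_depth = depth;
    /* Depth check first: recursion is bounded regardless of the test. */
    if (depth >= MAX_SUBDIV_DEPTH || flat_enough(c, tol)) {
        st->segments++;                 /* emit chord c[0]..c[3] */
        return;
    }
    /* de Casteljau midpoint split: the same 0.5 * (a + b) averaging
     * as the subc[] lines quoted in the report. */
    pt m01 = mid(c[0], c[1]), m12 = mid(c[1], c[2]), m23 = mid(c[2], c[3]);
    pt m012 = mid(m01, m12), m123 = mid(m12, m23), m = mid(m012, m123);
    pt left[4]  = { c[0], m01, m012, m };
    pt right[4] = { m, m123, m23, c[3] };
    subdivide(left, tol, depth + 1, st);
    subdivide(right, tol, depth + 1, st);
}

/* Returns the deepest recursion level reached; segment count is optional. */
unsigned subdivide_curve(const pt c[4], double tol, unsigned *segments)
{
    stats st = { 0, 0 };
    subdivide(c, tol, 0, &st);
    if (segments)
        *segments = st.segments;
    return st.max_depth;
}
```

A collinear curve terminates at depth 0 with one segment; the NaN curve bottoms out at the cap with 2^16 segments instead of exhausting the stack.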