Stack exhaustion in Gfx.cc
Submitted by: foca@salesforce.com
Assigned to: poppler-bugs
Link to original bug (#101551)
Description
Created attachment 132126: Proof of concept
Hi,
There is an infinite recursion in pdftocairo parsing the attached PoC2.pdf. As a result of the infinite (or very deep) recursion all the stack space is consumed and the application crashes.
The recursion happens when the following functions are called over and over again; in my case the backtrace had ~32k calls:
#31040 0x00000000004373cb in Gfx::drawForm (this=0x94c770, str=0x94df98, resDict=0x0, matrix=0x7fffffffd5f0, bbox=0x94df28, transpGroup=false, softMask=false, blendingColorSpace=0x0, isolated=false, knockout=false, alpha=false, transferFunc=0x0, backdropColor=0x0) at Gfx.cc:4979
#31041 0x00000000004274f5 in Gfx::doTilingPatternFill (this=0x94c770, tPat=0x94df10, stroke=false, eoFill=true, text=false) at Gfx.cc:2309
#31042 0x0000000000425ae5 in Gfx::doPatternFill (this=0x94c770, eoFill=true) at Gfx.cc:2025
#31043 0x000000000042551e in Gfx::opEOFill (this=0x94c770, args=0x7fffffffd860, numArgs=0) at Gfx.cc:1911
#31044 0x0000000000420708 in Gfx::execOp (this=0x94c770, cmd=0x7fffffffd850, args=0x7fffffffd860, numArgs=0) at Gfx.cc:909
#31045 0x000000000041ff6e in Gfx::go (this=0x94c770, topLevel=true) at Gfx.cc:767
#31046 0x000000000041fd3d in Gfx::display (this=0x94c770, obj=0x7fffffffdbb0, topLevel=true) at Gfx.cc:729
This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use: pdftocairo -svg PoC2.pdf
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 132126, "Proof of concept":
PoC2.pdf
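The drawForm -> doTilingPatternFill -> drawForm loop in the backtrace above, modelled as an added example (not poppler's code): a depth counter in the form-drawing step makes a pattern whose form fills with itself fail gracefully instead of exhausting the stack, while ordinary nesting still renders. All class and function names here are hypothetical, and the resource maps and the 16-level limit are constructed values.

```cpp
// Added example, not poppler code: a toy model of the Gfx recursion described
// in the report, with the depth guard that turns stack exhaustion into a refusal.
#include <map>
#include <string>
#include <utility>
#include <vector>

// A form's content, reduced to the pattern names it fills with (hypothetical).
struct Pattern { std::vector<std::string> fillsWith; };

struct RenderResult { bool ok; int peakDepth; };

class ToyGfx {
public:
    ToyGfx(std::map<std::string, Pattern> res, int maxDepth)
        : resources_(std::move(res)), maxDepth_(maxDepth) {}
    // Returns false when the depth guard refused to recurse further.
    bool display(const std::string& pattern) { return drawForm(pattern); }
    int peakDepth() const { return peakDepth_; }
private:
    bool drawForm(const std::string& name) {
        if (depth_ >= maxDepth_) return false;      // the guard missing in the report
        auto it = resources_.find(name);
        if (it == resources_.end()) return true;    // unknown resource: nothing drawn
        ++depth_;
        if (depth_ > peakDepth_) peakDepth_ = depth_;
        bool ok = true;
        for (const auto& child : it->second.fillsWith)
            ok = doTilingPatternFill(child) && ok;   // mirrors doTilingPatternFill -> drawForm
        --depth_;
        return ok;
    }
    bool doTilingPatternFill(const std::string& name) { return drawForm(name); }
    std::map<std::string, Pattern> resources_;
    int maxDepth_, depth_ = 0, peakDepth_ = 0;
};

// Constructed input: a pattern whose form fills with itself, the shape of the PoC recursion.
RenderResult renderSelfReferencingPattern(int maxDepth) {
    ToyGfx gfx({{"P1", Pattern{{"P1"}}}}, maxDepth);
    bool ok = gfx.display("P1");
    return RenderResult{ok, gfx.peakDepth()};
}

// Constructed input: legitimate nesting P1 -> P2 -> P3 that must still render.
RenderResult renderNestedPatterns(int maxDepth) {
    ToyGfx gfx({{"P1", Pattern{{"P2"}}}, {"P2", Pattern{{"P3"}}}, {"P3", Pattern{}}}, maxDepth);
    bool ok = gfx.display("P1");
    return RenderResult{ok, gfx.peakDepth()};
}
```

With a limit of 16 the self-referencing pattern stops at depth 16 and reports failure, whereas the three-level chain renders with a peak depth of 3.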