Jörg Henne created PDFBOX-4014:
----------------------------------
Summary: Malformed/pathological/malicious input can lead to
infinite looping
Key: PDFBOX-4014
URL: https://issues.apache.org/jira/browse/PDFBOX-4014
Project: PDFBox
Issue Type: Bug
Components: JBIG2
Affects Versions: 3.0.0 JBIG2
Reporter: Jörg Henne
Assignee: Jörg Henne
[~tilman] writes
{quote}
See this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=450971
look for "pdfium-loop2.pdf".
I haven't created an issue, because this could be relevant to security.
To reproduce the bug with PDFBox, do this:
PDDocument document = PDDocument.load(new
File("pdfium-loop2.pdf"));
new PDFRenderer(document).renderImage(0);
For maven you need
<dependency>
<groupId>org.apache.pdfbox</groupId>
<artifactId>pdfbox</artifactId>
<version>2.0.8</version>
</dependency>
and of course jbig2.
{quote}
An analysis shows that two circumstances contribute to the problem:
# T.88 section E.2.10 specifies that MQ encoded data can be minimized if
trailing data contains "just boring stuff, i.e. 1-bits". Thus, an infinite
sequence of MQ encoded decisions can be encoded in a finite number of bytes.
# T.88 section 6.4.5 3c specifies that the condition for terminating the
decoding of a text region strip is the occurrence of the OOB symbol as a
symbol's S coordinate.
If a JBIG2 stream contains a strip that uses #1 yielding a stream of S
coordinates that never contain OOB during the decoding phase for #2, an
infinite loop results, as text region decoding has no other terminating
condition.
The result is "just" a denial of service. No risk of buffer overruns etc. is
associated with the issue.
A similar issue exists with symbol dictionary decoding.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
