[ https://issues.apache.org/jira/browse/PDFBOX-4014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jörg Henne updated PDFBOX-4014:
-------------------------------
    Description: 
[~tilman] writes
{quote}
See this issue:

https://bugs.chromium.org/p/chromium/issues/detail?id=450971

look for "pdfium-loop2.pdf".

I haven't created an issue, because this could be relevant to security.

To reproduce the bug with PDFBox, do this:

         import java.io.File;
         import org.apache.pdfbox.pdmodel.PDDocument;
         import org.apache.pdfbox.rendering.PDFRenderer;

         PDDocument document = PDDocument.load(new File("pdfium-loop2.pdf"));
         new PDFRenderer(document).renderImage(0);


For maven you need

<dependency>
     <groupId>org.apache.pdfbox</groupId>
     <artifactId>pdfbox</artifactId>
     <version>2.0.8</version>
</dependency>

and of course jbig2.
{quote}

An analysis shows that two circumstances contribute to the problem:
# T.88 section E.2.10 specifies that MQ encoded data can be minimized if 
trailing data contains "just boring stuff, i.e. 1-bits". Thus, an infinite 
sequence of MQ encoded decisions can be encoded in a finite number of bytes.
# T.88 section 6.4.5 3c specifies that the condition for terminating the 
decoding of a text region strip is the occurrence of the OOB symbol as a 
symbol's S coordinate.

If a JBIG2 stream contains a strip that uses #1 yielding a stream of S 
coordinates that never contain OOB during the decoding phase for #2, an 
infinite loop results, as text region decoding has no other terminating 
condition.

The result is "just" a denial of service. No risk of buffer overruns etc. is 
associated with the issue. 

A similar issue exists with symbol dictionary decoding. However, in this case 
decoding will not enter an infinite loop due to an array index out of bounds 
exception that is thrown once more symbols than expected have been decoded.
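
The two conditions above can be shown together in a small model of the text region strip loop. The following is an added example, not PDFBox or JBIG2 ImageIO code: the class and function names are assumptions, the "decoder" is a scripted stand-in for the T.88 Annex A integer decoding procedure that, like an MQ decoder reading E.2.10 padding, never reports end of data, and the two input scripts are constructed. The naive loop reproduces the 6.4.5 3c behaviour (only OOB ends a strip, so the model needs an artificial step cap to stop at all); the hardened variant adds the bound a decoder wants, rejecting a strip that continues past SBNUMINSTANCES.

```python
"""Model of the JBIG2 text-region strip loop (T.88 6.4.5) and of the
E.2.10 MQ-decoder behaviour that together produce the hang.
Added example; not PDFBox/JBIG2 ImageIO code. Names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

OOB = None  # the out-of-band value the integer decoding procedure may return


class IntegerDecoder:
    """Stand-in for the arithmetic integer decoding procedure (T.88 Annex A).

    Values come from a constructed script. When the script runs out the
    decoder does NOT signal end-of-data; like an MQ decoder reading past the
    end of a stream padded per E.2.10 it keeps producing the same decision
    forever. `fill` is what it then returns (0 is a valid, non-OOB IDS).
    """

    def __init__(self, script: Sequence[Optional[int]], fill: int = 0):
        self._it = iter(script)
        self._fill = fill
        self.calls = 0  # how many decisions were requested (for inspection)

    def decode(self) -> Optional[int]:
        self.calls += 1
        return next(self._it, self._fill)


@dataclass
class Result:
    status: str                             # "complete", "rejected" or "aborted"
    instances: List[Tuple[int, int, int]]   # (S, T, symbol ID) per placed symbol


def decode_text_region(dec: IntegerDecoder, sb_num_instances: int,
                       hardened: bool, step_cap: int = 10_000) -> Result:
    """Decode strips until SBNUMINSTANCES symbol instances have been placed.

    hardened=False follows 6.4.5 3c literally: only an OOB IDS ends a strip,
    so a decoder that never yields OOB keeps the inner loop running. step_cap
    exists only so this model terminates; reaching it is reported as "aborted"
    and stands for the infinite loop. hardened=True adds the missing bound:
    a strip that continues past SBNUMINSTANCES is rejected as malformed.
    """
    instances: List[Tuple[int, int, int]] = []
    steps = 0
    while len(instances) < sb_num_instances:      # outer loop is bounded
        stript = dec.decode()                      # STRIPT  (IADT)
        curs = dec.decode()                        # first S (IAFS)
        while True:                                # one strip; spec exit is OOB only
            if hardened and len(instances) >= sb_num_instances:
                return Result("rejected", instances)
            curt = dec.decode()                    # CURT    (IAIT)
            sym_id = dec.decode()                  # symbol  (IAID)
            instances.append((curs, stript + curt, sym_id))
            ids = dec.decode()                     # IDS     (IADS); OOB ends strip
            if ids is OOB:
                break
            curs += ids
            steps += 1
            if steps >= step_cap:                  # model-only guard, not in T.88
                return Result("aborted", instances)
    return Result("complete", instances)


# Constructed well-formed region: two strips, one symbol each, both ended by OOB.
WELL_FORMED = [0, 3, 0, 1, OOB, 1, 5, 0, 2, OOB]
# Constructed pathological region: one real IDS, then the script ends and the
# decoder's "padding" supplies a non-OOB IDS forever, as with E.2.10 trailing bits.
NEVER_OOB = [0, 3, 0, 1, 2]


def well_formed_demo(hardened: bool) -> Result:
    return decode_text_region(IntegerDecoder(WELL_FORMED), 2, hardened=hardened)


def naive_demo() -> Result:
    return decode_text_region(IntegerDecoder(NEVER_OOB), 2, hardened=False)


def hardened_demo() -> Result:
    return decode_text_region(IntegerDecoder(NEVER_OOB), 2, hardened=True)


if __name__ == "__main__":
    for name, r in [("well-formed", well_formed_demo(True)),
                    ("naive", naive_demo()), ("hardened", hardened_demo())]:
        print(f"{name}: {r.status}, {len(r.instances)} instances placed")
```

The hardened check is the same idea that stops the symbol dictionary case by accident (an array index going out of bounds once more symbols than declared have been decoded); here it is made explicit, so the decoder fails with a clear error instead of either hanging or relying on an exception.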

  was:
[~tilman] writes
{quote}
See this issue:

https://bugs.chromium.org/p/chromium/issues/detail?id=450971

look for "pdfium-loop2.pdf".

I haven't created an issue, because this could be relevant to security.

To reproduce the bug with PDFBox, do this:

         import java.io.File;
         import org.apache.pdfbox.pdmodel.PDDocument;
         import org.apache.pdfbox.rendering.PDFRenderer;

         PDDocument document = PDDocument.load(new File("pdfium-loop2.pdf"));
         new PDFRenderer(document).renderImage(0);


For maven you need

<dependency>
     <groupId>org.apache.pdfbox</groupId>
     <artifactId>pdfbox</artifactId>
     <version>2.0.8</version>
</dependency>

and of course jbig2.
{quote}

An analysis shows that two circumstances contribute to the problem:
# T.88 section E.2.10 specifies that MQ encoded data can be minimized if 
trailing data contains "just boring stuff, i.e. 1-bits". Thus, an infinite 
sequence of MQ encoded decisions can be encoded in a finite number of bytes.
# T.88 section 6.4.5 3c specifies that the condition for terminating the 
decoding of a text region strip is the occurrence of the OOB symbol as a 
symbol's S coordinate.

If a JBIG2 stream contains a strip that uses #1 yielding a stream of S 
coordinates that never contain OOB during the decoding phase for #2, an 
infinite loop results, as text region decoding has no other terminating 
condition.

The result is "just" a denial of service. No risk of buffer overruns etc. is 
associated with the issue. 

A similar issue exists with symbol dictionary decoding.


> Malformed/pathological/malicious input can lead to infinite looping
> -------------------------------------------------------------------
>
>                 Key: PDFBOX-4014
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4014
>             Project: PDFBox
>          Issue Type: Bug
>          Components: JBIG2
>    Affects Versions: 3.0.0 JBIG2
>            Reporter: Jörg Henne
>            Assignee: Jörg Henne
>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
