[ https://issues.apache.org/jira/browse/PDFBOX-4014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16308891#comment-16308891 ]

Jörg Henne commented on PDFBOX-4014:
------------------------------------

Sorry for taking so long to deal with this issue.

{quote}
I let it run and it was still working after a few minutes. I did check out the 
branch and I made sure that this is that library that is being used. The extra 
part in SymbolDictionary is hit once, the one in TextRegion never.
{quote}
Damn, I still had some debug code in place which masked the existence of a 
second problem with the codestream, namely that it requests an unrealistically 
large number of symbols be decoded for a text region, namely 2^31+1. However, 
it obviously doesn't make sense to have such a huge number of symbols for an 
image of just 5000 pixels. 

I added a sanity check that limits the number of decoded symbol instances to 
the total number of pixels in the image. The code emits a warning if it does 
so. Please note that the branch name has been updated to omit the slashes, i.e. 
{{bugfix/PDFBOX-4014_Malformed_pathological_malicious_input_can_lead_to_infinite_looping}}

> Malformed/pathological/malicious input can lead to infinite looping
> -------------------------------------------------------------------
>
>                 Key: PDFBOX-4014
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4014
>             Project: PDFBox
>          Issue Type: Bug
>          Components: JBIG2
>    Affects Versions: 3.0.0 JBIG2
>            Reporter: Jörg Henne
>            Assignee: Jörg Henne
>
> [~tilman] writes
> {quote}
> See this issue:
> https://bugs.chromium.org/p/chromium/issues/detail?id=450971
> look for "pdfium-loop2.pdf".
> I haven't created an issue, because this could be relevant to security.
> To reproduce the bug with PDFBox, do this:
>          PDDocument document = PDDocument.load(new File("pdfium-loop2.pdf"));
>          new PDFRenderer(document).renderImage(0);
> For maven you need
> <dependency>
>      <groupId>org.apache.pdfbox</groupId>
>      <artifactId>pdfbox</artifactId>
>      <version>2.0.8</version>
> </dependency>
> and of course jbig2.
> {quote}
> An analysis shows that two circumstances contribute to the problem:
> # T.88 section E.2.10 specifies that MQ encoded data can be minimized if 
> trailing data contains "just boring stuff, i.e. 1-bits". Thus, an infinite 
> sequence of MQ encoded decisions can be encoded in a finite number of bytes.
> # T.88 section 6.4.5 3c specifies that the condition for terminating the 
> decoding of a text region strip is the occurrence of the OOB symbol as a 
> symbol's S coordinate.
> If a JBIG2 stream contains a strip that uses #1 yielding a stream of S 
> coordinates that never contain OOB during the decoding phase for #2, an 
> infinite loop results, as text region decoding has no other terminating 
> condition.
> The result is "just" a denial of service. No risk of buffer overruns etc. is 
> associated with the issue. 
> A similar issue exists with symbol dictionary decoding. However in this case 
> decoding will not enter an infinite loop due to an array index out of bounds 
> exception that is thrown once more symbols than expected have been decoded.
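As an added illustration, not code from PDFBox or the JBIG2 library, the following Python toy models the two circumstances the issue describes (a bit source that keeps yielding 1-bits after the coded data ends, per T.88 E.2.10, and a strip loop whose only exit is an OOB S coordinate, per 6.4.5 3c) together with the pixel-count bound the comment adds. The `BitReader`, the 4-bit prefix code in `decode_s`, the `encode_s_values` helper and the sample streams are constructed assumptions standing in for MQ and integer arithmetic decoding; only the loop shape and the clamp are the point.

```python
import logging
from typing import List, Optional, Tuple

log = logging.getLogger("jbig2-toy")

OOB = None  # stands in for the out-of-band symbol of T.88 integer decoding


class BitReader:
    """Bit source that models T.88 E.2.10: once the MQ-coded bytes run out, the
    decoder keeps producing decisions as if an endless run of 1-bits followed."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0  # absolute bit position, MSB first

    def read_bit(self) -> int:
        i = self.pos
        self.pos += 1
        if (i >> 3) >= len(self.data):
            return 1  # past the end: "just boring stuff, i.e. 1-bits"
        return (self.data[i >> 3] >> (7 - (i & 7))) & 1


def decode_s(reader: BitReader) -> Optional[int]:
    """Toy prefix code for one S coordinate (an assumption, not IADS decoding):
    a 0 bit is OOB, a 1 bit is followed by a 3-bit value."""
    if reader.read_bit() == 0:
        return OOB
    value = 0
    for _ in range(3):
        value = (value << 1) | reader.read_bit()
    return value


def encode_s_values(values: List[int], terminate: bool) -> bytes:
    """Constructed sample stream: encodes S values, optionally ends the strip
    with OOB, and pads the last byte with 1-bits as E.2.10 allows."""
    bits: List[int] = []
    for v in values:
        bits += [1] + [(v >> k) & 1 for k in (2, 1, 0)]
    if terminate:
        bits.append(0)
    bits += [1] * (-len(bits) % 8)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def effective_instance_limit(declared: int, width: int, height: int) -> int:
    """The sanity check from the comment: a region cannot hold more symbol
    instances than it has pixels, so clamp the declared count and warn."""
    pixels = width * height
    if declared > pixels:
        log.warning("text region declares %d symbol instances for %d pixels; clamping", declared, pixels)
        return pixels
    return declared


def decode_text_region(data: bytes, width: int, height: int, declared_instances: int) -> Tuple[List[int], bool]:
    """Strip loop shaped like T.88 6.4.5: strips are decoded until the instance
    count is reached, and a strip ends only when an S coordinate decodes as OOB.
    Returns (instances, truncated)."""
    limit = effective_instance_limit(declared_instances, width, height)
    reader = BitReader(data)
    instances: List[int] = []
    while len(instances) < limit:          # outer loop over strips
        while True:                        # one strip: only OOB ends it (6.4.5 3c)
            s = decode_s(reader)
            if s is OOB:
                break
            if len(instances) >= limit:    # the added bound: trailing 1-bits never yield OOB
                log.warning("instance limit %d reached inside a strip; truncating", limit)
                return instances, True
            instances.append(s)
    return instances, False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # well-formed: two instances, strip closed by OOB, declared count matches
    print(decode_text_region(encode_s_values([3, 5], terminate=True), 4, 4, 2))
    # malformed: no OOB, declared count 2^31+1 for a 100x50 (5000 pixel) region
    instances, truncated = decode_text_region(encode_s_values([3], terminate=False), 100, 50, 2**31 + 1)
    print(len(instances), truncated)
```

On the malformed stream the inner loop never sees OOB because every bit read past the end of the data is a 1, so without the `len(instances) >= limit` check the only thing that would stop it is the declared count of 2^31+1 instances, which is the behaviour the issue reports. With the clamp in place decoding stops at 5000 instances, logs the two warnings and returns `truncated=True`, which is the outcome the comment describes.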



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
