Henry Lin created PDFBOX-5610:
---------------------------------

Summary: Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)
Key: PDFBOX-5610
URL: https://issues.apache.org/jira/browse/PDFBOX-5610
Project: PDFBox
Issue Type: Bug
Reporter: Henry Lin
Dear PDFBox maintainers,

Fuzzing has found a security-related issue in [OSS-Fuzz|https://github.com/google/oss-fuzz] with the JVM fuzzer [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] in PDFBox. We have reviewed the finding and regarded it as security-related due to the potential of a denial of service. We would appreciate it if you could take a look at the finding. Do you see a risk that this might be exploited by untrusted input?

Part of the stack trace:

    == Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
        at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
    Caused by: java.lang.StackOverflowError
        at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
        at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
        at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
        at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
        at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
        ...

We have added a reproducer zip which contains a README that describes how to reproduce the issue.
Reproducer Zip: [https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link]

Fuzz target: [https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java]

OSS-Fuzz issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353]

Hint: The provided OSS-Fuzz issue link is only accessible if the issue is fixed or you are the maintainer of the OSS-Fuzz project.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
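The stack trace in the report shows the usual shape of this class of bug: parseCOSDictionary, parseDirObject and parseCOSDictionaryValue call each other once per nesting level, so the recursion depth is controlled entirely by the input and the JVM stack is the only limit. The standard mitigation is an explicit nesting budget that turns unbounded recursion into a parse error. The toy parser below is an added illustration and is not PDFBox code; it parses the PDF dictionary and array syntax (`<< /Key value >>`, `[ ... ]`) in Python rather than Java, and the limit `MAX_NESTING_DEPTH = 64` is an assumed value, not one taken from PDFBox or the report.

```python
"""Toy recursive-descent parser for PDF-style dictionaries and arrays.

Constructed example (not PDFBox code) showing a nesting-depth budget as the
defence against input-controlled recursion depth: instead of recursing until
the stack overflows, the parser raises ParseError once a (constructed) limit
is exceeded, so a hostile file costs a bounded amount of stack and time."""

import re

MAX_NESTING_DEPTH = 64  # assumed limit for this example; not PDFBox's value


class ParseError(ValueError):
    """Raised for malformed input, including excessive nesting."""


# Tokens: dictionary delimiters, array delimiters, names (/Foo), other atoms.
_TOKEN = re.compile(r"<<|>>|\[|\]|/[^\s<>\[\]/]*|[^\s<>\[\]/]+")


def tokenize(text: str) -> list:
    return _TOKEN.findall(text)


def parse_value(tokens, pos, depth):
    """Parse one value at tokens[pos]; return (value, next_pos).

    `depth` is the number of dictionaries/arrays enclosing this value. The
    check happens before any further recursion, so the call stack never grows
    beyond a few frames per permitted nesting level."""
    if depth > MAX_NESTING_DEPTH:
        raise ParseError(f"nesting deeper than {MAX_NESTING_DEPTH} at token {pos}")
    if pos >= len(tokens):
        raise ParseError("unexpected end of input")
    tok = tokens[pos]
    if tok == "<<":
        return parse_dictionary(tokens, pos + 1, depth + 1)
    if tok == "[":
        return parse_array(tokens, pos + 1, depth + 1)
    if tok in (">>", "]"):
        raise ParseError(f"unexpected {tok!r} at token {pos}")
    if tok.startswith("/"):
        return ("name", tok[1:]), pos + 1
    try:
        return int(tok), pos + 1
    except ValueError:
        return tok, pos + 1  # bare keyword such as true / false / null


def parse_dictionary(tokens, pos, depth):
    result = {}
    while True:
        if pos >= len(tokens):
            raise ParseError("unterminated dictionary")
        if tokens[pos] == ">>":
            return result, pos + 1
        key = tokens[pos]
        if not key.startswith("/"):
            raise ParseError(f"dictionary key must be a name, got {key!r}")
        value, pos = parse_value(tokens, pos + 1, depth)
        result[key[1:]] = value


def parse_array(tokens, pos, depth):
    result = []
    while True:
        if pos >= len(tokens):
            raise ParseError("unterminated array")
        if tokens[pos] == "]":
            return result, pos + 1
        value, pos = parse_value(tokens, pos, depth)
        result.append(value)


def parse(text: str):
    tokens = tokenize(text)
    value, pos = parse_value(tokens, 0, 0)
    if pos != len(tokens):
        raise ParseError("trailing data after value")
    return value


def try_parse(text: str):
    """Return ("ok", value) or ("error", message); the error never escapes."""
    try:
        return "ok", parse(text)
    except ParseError as exc:
        return "error", str(exc)


def nested_dicts(n: int) -> str:
    """Constructed test input: n dictionaries nested inside each other."""
    return "<< /A " * n + "1" + " >>" * n


def measure_depth(value) -> int:
    """Nesting depth of a parsed value (0 for atoms), used to check results."""
    if isinstance(value, dict):
        return 1 + max((measure_depth(v) for v in value.values()), default=0)
    if isinstance(value, list):
        return 1 + max((measure_depth(v) for v in value), default=0)
    return 0


if __name__ == "__main__":
    print(try_parse("<< /Type /Page /Kids [ 1 2 << /X /Y >> ] >>"))
    print(try_parse(nested_dicts(100_000))[0])  # "error", not a stack overflow
```

The budget is checked on entry to `parse_value`, before the recursive call for a nested container, so rejection costs at most the frames of one extra level. A real parser would log the rejection and fail the whole document rather than continue; the important property for a denial-of-service review is that the worst-case stack use is a constant chosen by the implementer, not by whoever supplied the file.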