[podofo-0.9.7] Stack-Overflow in src/base/PdfTokenizer.cpp
A PDF parsing, modification and creation library.
In the source file src/base/PdfTokenizer.cpp, there is a recursive call among three functions.
As the code below shows:

    void PdfTokenizer::ReadArray( PdfVariant& rVariant, PdfEncrypt* pEncrypt )
    {
        for( ;; )
        {
            .....
            this->GetNextVariant( pszToken, eType, var, pEncrypt ); // a -> b
            array.push_back( var );
        }
        rVariant = array;
    }

    void PdfTokenizer::GetNextVariant( const char* pszToken, EPdfTokenType eType, PdfVariant& rVariant, PdfEncrypt* pEncrypt )
    {
        EPdfDataType eDataType = this->DetermineDataType( pszToken, eType, rVariant );
        .....
        this->ReadDataType( eDataType, rVariant, pEncrypt ); // b -> c
    }

    void PdfTokenizer::ReadDataType( EPdfDataType eDataType, PdfVariant& rVariant, PdfEncrypt* pEncrypt )
    {
        switch( eDataType )
        {
            ...
            case ePdfDataType_Array:
                this->ReadArray( rVariant, pEncrypt ); // c -> a
                break;
        }
        ....
    }

The above three functions make a recursive call; with a crafted PDF, it will raise a stack overflow.
Crash state, run command: podofopdfinfo/podofopdfinfo bug2

The crafted file is attached.
This is CVE-2021-30470.
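
The cycle ReadArray -> GetNextVariant -> ReadDataType -> ReadArray shown above has no depth bound, so every level of nesting in the input costs another set of stack frames. The block below is an added example, not PoDoFo's code and not the project's actual fix: a toy array reader that applies the usual mitigation, a recursion-depth guard checked before each nested call. The names `kMaxDepth`, `DepthGuard`, `ArrayParser` and `IsAccepted`, and the limit of 256, are assumptions made for illustration.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

static const std::size_t kMaxDepth = 256;  // assumed limit, not a PoDoFo constant

// RAII counter: one instance per nested array; refuses to exceed kMaxDepth.
class DepthGuard {
public:
    explicit DepthGuard(std::size_t& depth) : m_depth(depth) {
        if (m_depth >= kMaxDepth)
            throw std::runtime_error("array nesting exceeds limit");
        ++m_depth;
    }
    ~DepthGuard() { --m_depth; }  // runs on normal return and on unwinding
private:
    std::size_t& m_depth;
};

// Toy recursive-descent reader for "[ ... ]"; scalar tokens are skipped.
class ArrayParser {
public:
    explicit ArrayParser(const std::string& in) : m_in(in), m_pos(0), m_depth(0) {}
    // Parses one array at m_pos; returns the deepest nesting level reached.
    std::size_t ParseArray() {
        DepthGuard guard(m_depth);  // checked before any further recursion
        if (m_pos >= m_in.size() || m_in[m_pos] != '[')
            throw std::runtime_error("expected '['");
        ++m_pos;
        std::size_t deepest = m_depth;
        while (m_pos < m_in.size() && m_in[m_pos] != ']') {
            if (m_in[m_pos] != '[') { ++m_pos; continue; }  // scalar or space
            std::size_t d = ParseArray();  // the recursive step being bounded
            if (d > deepest) deepest = d;
        }
        if (m_pos >= m_in.size())
            throw std::runtime_error("unterminated array");
        ++m_pos;  // consume ']'
        return deepest;
    }
private:
    std::string m_in;
    std::size_t m_pos;
    std::size_t m_depth;
};

// Returns true if the input parses within the depth limit, false if rejected.
bool IsAccepted(const std::string& input) {
    try { ArrayParser(input).ParseArray(); return true; }
    catch (const std::runtime_error&) { return false; }
}
```

With the guard in place, over-deep input is rejected with an ordinary exception after at most `kMaxDepth` frames instead of exhausting the stack.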