[podofo-0.9.7]Stack-Overflow in src/podofo/doc/PdfNamesTree.cpp

A PDF parsing, modification and creation library.

Brought to you by: domseichter

This project can now be found here.

#131 [podofo-0.9.7]Stack-Overflow in src/podofo/doc/PdfNamesTree.cpp

Milestone: SVN TRUNK

Status: open

Owner: nobody

Labels: security (37) vuln (3)

Updated: 2021-04-14

Created: 2021-04-04

Creator: treebacker

Private: No

In source code src/podofo/doc/PdfNamesTree.cpp:486.

Function PdfNamesTree::AddToDictionary has a recursve call .

void PdfNamesTree::AddToDictionary( PdfObject* pObj, PdfDictionary & rDict )
{
    if( pObj->GetDictionary().HasKey("Kids") )
    {
        const PdfArray & kids       = pObj->MustGetIndirectKey("Kids")->GetArray();
        PdfArray::const_iterator it = kids.begin();

        while( it != kids.end() )
        {
            PdfObject* pChild = this->GetObject()->GetOwner()->GetObject( (*it).GetReference() );
            if( pChild ) 
                this->AddToDictionary( pChild, rDict ); // Recursive here
            else
                PdfError::LogMessage( eLogSeverity_Debug, "Object %lu %lu is child of nametree but was not found!\n", 
                                      (*it).GetReference().ObjectNumber(), 
                                      (*it).GetReference().GenerationNumber() );

            ++it;
        }
    }
   ....

With crafted pdf file, it will raise a stack overflow.

In command line: podofopdfinfo/podofopdfinfo bug3

The crafted file is attached.

1 Attachments

bug3

Discussion

Mattia Rizzolo - 2021-04-14

This is CVE-2021-30471

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

[podofo-0.9.7]Stack-Overflow in src/podofo/doc/PdfNamesTree.cpp

A PDF parsing, modification and creation library.

Milestone

Searches

Help

#131 [podofo-0.9.7]Stack-Overflow in src/podofo/doc/PdfNamesTree.cpp

Discussion