New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017



Sign in to add a comment

xref loop references cause denial of service

Reported by ha...@hboeck.de, Aug 24 2017

Issue description

6 years ago Andreas Bogk pointed out that with xref's in PDF files you can create a loop that will hang evince. It turns out that the very same bug is affecting the chrome internal PDF reader.

The sample file has been published here:
https://github.com/andreas23/pdfparser/blob/master/tests/loop_edited.pdf
(I'm also attaching it.)

Opening this file in Chrome causes the PDF viewer component to hang and Chrome will use a lot of CPU power. Notably the CPU usage will not go down if you just close the tab with the affected file - you have to close the whole browser. Thus it's a powerful browser DoS.

What steps will reproduce the problem?
1. Download loop_edited.pdf
2. Open it in Chrome
3. PDF component hangs, high CPU load.

What is the expected output? What do you see instead?
pdfium should note the loop and stop trying to render that file.

What version of the product are you using? On what operating system?
Chrome 60.0.3112.101, Gentoo Linux
 
loop_edited.pdf
1.6 KB Download
Project Member

Comment 1 by thestig@chromium.org, Aug 28 2017

I tested with Chrome 62 here, and the attached file just fails to load. We may have recently did something about this?
Project Member

Comment 2 by thestig@chromium.org, Aug 28 2017

Actually Chrome 60 rejects the attached PDF as well here as well.
Project Member

Comment 3 by thestig@chromium.org, Aug 30 2017

Status: Accepted (was: New)
Seems to reproduce on Windows for me. Not sure why it doesn't repro on Linux here.
Project Member

Comment 4 by thestig@chromium.org, Aug 31 2017

... and that's because I was testing it wrong. Now I can reproduce it on Linux in the Chrome PDF Viewer as well. However, pdfium_test doesn't infinite loop.


Project Member

Comment 5 by thestig@chromium.org, Aug 31 2017

The Chrome PDF Viewer makes a FPDFAvail_IsDocAvail() call for non-linearized PDFs for  https://crbug.com/613704  and pdfium_test does not. That's the function it hangs in, so adding that to pdfium_test makes the bug repro.
Project Member

Comment 6 by thestig@chromium.org, Aug 31 2017

Owner: thestig@chromium.org
Status: Started (was: Accepted)
It turns out PDFium already has a test case for the same issue with bug_xrefv4_loop.pdf, but its test didn't call FPDFAvail_IsDocAvail() to trigger this issue.
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 31 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/671f0d4949d412f26fba6c675cfb54b1fc170be0

commit 671f0d4949d412f26fba6c675cfb54b1fc170be0
Author: Lei Zhang <thestig@chromium.org>
Date: Thu Aug 31 18:22:58 2017

Prevent FPDFAvail_IsDocAvail() from infinite looping.

BUG= pdfium:875 

Change-Id: I3cc29990f0a3398ae903bc14417ec695cca30c6c
Reviewed-on: https://pdfium-review.googlesource.com/12391
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
Reviewed-by: Wei Li <weili@chromium.org>

[modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/fpdfsdk/fpdfview_embeddertest.cpp
[modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.h
[modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.cpp

Project Member

Comment 8 by thestig@chromium.org, Aug 31 2017

Status: Fixed (was: Started)

Comment 9 by ha...@hboeck.de, Sep 3 2017

Hi,

From comment #7, all these three links give a 404:

[modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/fpdfsdk/fpdfview_embeddertest.cpp
[modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.h
[modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.cpp

While unrelated to pdfium of course, this looks like a bug in your code management system. Should this be reported somewhere?
Project Member

Comment 10 by thestig@chromium.org, Sep 5 2017

re: comment 9 - You can report a bug with bugdroid on crbug.com. The issue has existed for while AFAIK. I usually just use the pdfium.googlesource.com link at the top.

Sign in to add a comment