|xref loop references cause denial of service|
|Reported by ha...@hboeck.de, Aug 24||Back to list|
6 years ago Andreas Bogk pointed out that with xref's in PDF files you can create a loop that will hang evince. It turns out that the very same bug is affecting the chrome internal PDF reader. The sample file has been published here: https://github.com/andreas23/pdfparser/blob/master/tests/loop_edited.pdf (I'm also attaching it.) Opening this file in Chrome causes the PDF viewer component to hang and Chrome will use a lot of CPU power. Notably the CPU usage will not go down if you just close the tab with the affected file - you have to close the whole browser. Thus it's a powerful browser DoS. What steps will reproduce the problem? 1. Download loop_edited.pdf 2. Open it in Chrome 3. PDF component hangs, high CPU load. What is the expected output? What do you see instead? pdfium should note the loop and stop trying to render that file. What version of the product are you using? On what operating system? Chrome 60.0.3112.101, Gentoo Linux
I tested with Chrome 62 here, and the attached file just fails to load. We may have recently did something about this?
Actually Chrome 60 rejects the attached PDF as well here as well.
Seems to reproduce on Windows for me. Not sure why it doesn't repro on Linux here.
... and that's because I was testing it wrong. Now I can reproduce it on Linux in the Chrome PDF Viewer as well. However, pdfium_test doesn't infinite loop.
The Chrome PDF Viewer makes a FPDFAvail_IsDocAvail() call for non-linearized PDFs for https://crbug.com/613704 and pdfium_test does not. That's the function it hangs in, so adding that to pdfium_test makes the bug repro.
It turns out PDFium already has a test case for the same issue with bug_xrefv4_loop.pdf, but its test didn't call FPDFAvail_IsDocAvail() to trigger this issue.
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/671f0d4949d412f26fba6c675cfb54b1fc170be0 commit 671f0d4949d412f26fba6c675cfb54b1fc170be0 Author: Lei Zhang <email@example.com> Date: Thu Aug 31 18:22:58 2017 Prevent FPDFAvail_IsDocAvail() from infinite looping. BUG= pdfium:875 Change-Id: I3cc29990f0a3398ae903bc14417ec695cca30c6c Reviewed-on: https://pdfium-review.googlesource.com/12391 Commit-Queue: Lei Zhang <firstname.lastname@example.org> Reviewed-by: Art Snake <email@example.com> Reviewed-by: Wei Li <firstname.lastname@example.org> [modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/fpdfsdk/fpdfview_embeddertest.cpp [modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.h [modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.cpp
Hi, From comment #7, all these three links give a 404: [modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/fpdfsdk/fpdfview_embeddertest.cpp [modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.h [modify] https://crrev.com/671f0d4949d412f26fba6c675cfb54b1fc170be0/core/fpdfapi/parser/cpdf_data_avail.cpp While unrelated to pdfium of course, this looks like a bug in your code management system. Should this be reported somewhere?
|► Sign in to add a comment|