Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Infinite loop in xref table causes OOM #629

Closed
nfmueller opened this issue Dec 5, 2021 · 4 comments · Fixed by #630
Closed

Infinite loop in xref table causes OOM #629

nfmueller opened this issue Dec 5, 2021 · 4 comments · Fixed by #630
Labels
bug

Comments

@nfmueller
Copy link

I've come across a PDF with the following xref table:

xref
7 1
0000061582 00000 n
22 27
0000061874 00000 n
0000063938 00000 n
0000066501 00000 n
0000068901 00000 n
0000071884 00000 n
0000072433 00000 n
0000073108 00000 n
0000073531 00000 n
0000074050 00000 n
0000074586 00000 n
0000075238 00000 n
0000075711 00000 n
0000076290 00000 n
0000076914 00000 n
0000077676 00000 n
0000078196 00000 n
0000078828 00000 n
0000079281 00000 n
0000079840 00000 n
0000080317 00000 n
0000080908 00000 n
0000083108 00000 n
0000085841 00000 n
0000088817 00000 n
0000092520 00000 n
0000092720 00000 n
0000092954 00000 n

trailer
<</Info 21 0 R/ID[<C55DAE5127C23AC8A732EE9B88B971D8><6D23C287DC7BC30F645F94862D2B65F0>]/Root 20 0 R/Size 49/Prev 93188>>
startxref
93188
%%EOF

When I attempted to create a new PdfReader from this document, my application crashed with an OOM error.
Upon debugging, it looks like there is an infinite loop in the readXref() method:

    while (true) {
      PdfNumber prev = (PdfNumber) trailer2.get(PdfName.PREV);
      if (prev == null)
        break;
      tokens.seek(prev.intValue());
      trailer2 = readXrefSection();
    }

as prev.intValue() is the same value as the startxref, which leads to a continuous allocation of memory until it crashes.

pdfinfo (by xdpfreader) confirms this:

:~ $ pdfinfo brokenpdf.pdf
Syntax Warning: Infinite loop in xref table
Syntax Error: Catalog object is wrong type (null)
Syntax Error: Couldn't read page catalog
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
CreationDate:   Tue Nov 30 17:12:33 2021
ModDate:        Tue Nov 30 17:12:33 2021
Tagged:         no
Form:           none
Pages:          1
Encrypted:      no
Page size:      595 x 842 pts (A4) (rotated 0 degrees)
File size:      93915 bytes
Optimized:      no
PDF version:    1.4

I'm not very familiar with the pdf spec, so I'm not entirely sure if there is any other information needed. Please let me know if more info is necessary.
@nfmueller nfmueller added the bug label Dec 5, 2021
@nfmueller nfmueller mentioned this issue Dec 6, 2021
Merged
@mkl-public
Copy link
Contributor

It is a good idea to prevent such endless loops.

Can you share the PDF in question for analysis and tests?

@nfmueller
Copy link
Author

Unfortunately, the full pdf contains private/sensitive information and I'm not able to share it. I can share header data/data if it doesn't contain the private/sensitive info, if I'm directed on what data to share?

@mkl-public
Copy link
Contributor

If you cannot share it, that's ok.

I merely prefer real-life test files, if only to be able to later point out that some error situation is not academical but real life.

@asturio asturio linked a pull request Dec 14, 2021 that will close this issue
Issue 629 fix: Throw exception if an xref PREV points to the startxref #630
Merged
@mkl-public
Copy link
Contributor

Some test files:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issue 629 fix: Throw exception if an xref PREV points to the startxref nfmueller/OpenPDF
2 participants
@mkl-public @nfmueller