PDFBox / PDFBOX-5610

Security-Related Findings in OSS-Fuzz for PDFBox (Issue 58353)

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved

    Description

      Dear PDFBox maintainers,

      Fuzzing has found a security-related issue in OSS-Fuzz with JVM Fuzzer Jazzer in PDFBox. We have reviewed the finding and regarded it as security-related due to the potential of a denial of service. We would appreciate it if you could take a look at the finding. Do you see a risk that this might be exploited by untrusted input?

      Part of the stack trace:

      == Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
          at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
      Caused by: java.lang.StackOverflowError
          at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:76)
          at org.apache.commons.logging.impl.Jdk14Logger.warn(Jdk14Logger.java:260)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:271)
          at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
          at org.apache.pdfbox.pdfparser.BaseParser.parseDirObject(BaseParser.java:882)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryValue(BaseParser.java:187)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionaryNameValuePair(BaseParser.java:347)
          at org.apache.pdfbox.pdfparser.BaseParser.parseCOSDictionary(BaseParser.java:263)
          ...

      We have added a reproducer zip which contains a README that describes how to reproduce the issue.

      Reproducer Zip: https://drive.google.com/file/d/1CrVPoQhnTZ6FdAOr7tuny7vhG0gsnZZa/view?usp=share_link

      Fuzz target: https://github.com/google/oss-fuzz/blob/master/projects/pdfbox/project-parent/fuzz-targets/src/test/java/com/example/PDFStreamParserFuzzer.java

      OSS-Fuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58353

      Hint: The provided OSS-Fuzz Issue link is only accessible if the issue is fixed or you are the maintainer of the OSS-Fuzz project.
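The trace above shows the parser re-entering the same four methods (parseDirObject, parseCOSDictionary, parseCOSDictionaryNameValuePair, parseCOSDictionaryValue) once per level of dictionary nesting, so the depth of the Java call stack is chosen by whoever crafts the input. The usual defence for a recursive-descent parser is to count nesting depth and fail with an ordinary parse error well before the stack is exhausted. The following Python is an added illustration of that pattern written for this page; it is not PDFBox code and it handles only a small subset of the COS syntax (dictionaries, arrays, names, integers). All names in it (ToyCOSParser, parse, classify, nested_dict) and the limit MAX_NESTING_DEPTH are constructed for the example; the limit is an assumed illustrative value, not a PDFBox setting. The unguarded mode (max_depth=None) exists only to contrast the controlled rejection with the uncontrolled stack overflow the report describes.

```python
"""Toy recursive-descent parser for a subset of PDF (COS) dictionary syntax,
with a nesting-depth guard. Constructed illustration; not PDFBox code."""
import re
from typing import Any, Dict, List, Optional

# Assumed illustrative limit (not a PDFBox value): real documents nest a
# handful of levels; anything far beyond that is malformed or hostile input.
MAX_NESTING_DEPTH = 64

# Tokens for the subset handled here: << >> [ ] /Name and integers.
_TOKEN_RE = re.compile(r"<<|>>|\[|\]|/[A-Za-z0-9_.]+|-?\d+|\S")


class ParseError(ValueError):
    """Malformed input (unexpected token or end of input)."""


class NestingTooDeepError(ParseError):
    """Input nests dictionaries/arrays deeper than the configured limit."""


class ToyCOSParser:
    def __init__(self, text: str, max_depth: Optional[int]) -> None:
        self.tokens = _TOKEN_RE.findall(text)
        self.pos = 0
        self.depth = 0              # current << >> / [ ] nesting level
        self.max_depth = max_depth  # None disables the guard (for comparison only)

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ParseError("unexpected end of input")
        self.pos += 1
        return tok

    def _enter(self) -> None:
        # The guard: check the depth before descending one level further.
        self.depth += 1
        if self.max_depth is not None and self.depth > self.max_depth:
            raise NestingTooDeepError(f"nesting exceeds {self.max_depth} levels")

    def _leave(self) -> None:
        self.depth -= 1

    def parse_dir_object(self) -> Any:
        # Plays the dispatch role that parseDirObject has in the trace: a
        # dictionary or array value recurses back into this method.
        tok = self._next()
        if tok == "<<":
            return self._parse_dictionary()
        if tok == "[":
            return self._parse_array()
        if tok.startswith("/"):
            return tok                      # name object, kept as its token
        if re.fullmatch(r"-?\d+", tok):
            return int(tok)
        raise ParseError(f"unexpected token {tok!r}")

    def _parse_dictionary(self) -> Dict[str, Any]:
        self._enter()
        try:
            result: Dict[str, Any] = {}
            while True:
                tok = self._next()
                if tok == ">>":
                    return result
                if not tok.startswith("/"):
                    raise ParseError(f"expected a name key, got {tok!r}")
                result[tok] = self.parse_dir_object()   # value may nest again
        finally:
            self._leave()

    def _parse_array(self) -> List[Any]:
        self._enter()
        try:
            result: List[Any] = []
            while self._peek() != "]":              # end of input raises in _next
                result.append(self.parse_dir_object())
            self._next()                            # consume "]"
            return result
        finally:
            self._leave()


def parse(text: str, max_depth: Optional[int] = MAX_NESTING_DEPTH) -> Any:
    return ToyCOSParser(text, max_depth).parse_dir_object()


def classify(text: str, max_depth: Optional[int] = MAX_NESTING_DEPTH) -> str:
    """Outcome label used to compare guarded and unguarded parsing."""
    try:
        parse(text, max_depth)
        return "ok"
    except NestingTooDeepError:
        return "too-deep"        # rejected cleanly by the guard
    except RecursionError:
        return "stack-overflow"  # the uncontrolled failure mode from the report
    except ParseError:
        return "malformed"


def nested_dict(depth: int) -> str:
    """Constructed input: a dictionary nested `depth` levels deep."""
    return "<< /A " * depth + "1" + " >>" * depth


if __name__ == "__main__":
    print(parse("<< /Type /Page /Kids [ 1 2 << /X 3 >> ] >>"))
    print(classify(nested_dict(10)))                    # ok
    print(classify(nested_dict(5000)))                  # too-deep
    print(classify(nested_dict(5000), max_depth=None))  # stack-overflow
```

The depth counter lives in the parser instance rather than being threaded through every call, so a single check in the one place that opens a container covers every recursive path into it. For a fuzz target of the kind linked above, the guarded parser turns the finding from a crash into a rejected input, which is the behaviour a maintainer would want to observe before closing the issue.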

      Attachments

        1. crashing_input (40 kB, attached by Tilman Hausherr)

      People

        Assignee: Unassigned
        Reporter: Henry Lin (hlin)
        Votes: 0
        Watchers: 3