Stack overflow in ParseLastXrefPosition [2]
MinghaoLin2000 opened this issue · 1 comments
I fuzzed the parsePDF functionality using the PDFParserFuzzingHarness harness provided in this project. My fuzzer found another stack overflow crash. Below is the sanitizer's message.
```
==970==ERROR: AddressSanitizer: stack-overflow on address 0x7fff1e2d9f78 (pc 0x5616f29678ba bp 0x7fff1e2da7a0 sp 0x7fff1e2d9f70 T0)
    #0 0x5616f29678ba in operator new(unsigned long) (/PDF-Writer/build/PDFWriterTesting/PDFParserFuzzingHarness+0x1628ba) (BuildId: 3573c99225bcd3d6)
    #1 0x5616f29c9664 in OutputStringBufferStream::OutputStringBufferStream() /PDF-Writer/PDFWriter/OutputStringBufferStream.cpp:27:12
    #2 0x5616f29dc7dc in PDFParserTokenizer::GetNextToken[abi:cxx11]() /PDF-Writer/PDFWriter/PDFParserTokenizer.cpp:69:27
    #3 0x5616f299d3bb in PDFObjectParser::GetNextToken(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) /PDF-Writer/PDFWriter/PDFObjectParser.cpp:253:33
    #4 0x5616f29a536e in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:651:8
    #5 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #6 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #7 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #8 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #9 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #10 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #11 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #12 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #13 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #14 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #15 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #16 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #17 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #18 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #19 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #20 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #21 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #22 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
    #23 0x5616f299bfdd in PDFObjectParser::ParseNewObject() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206:16
    #24 0x5616f29a575d in PDFObjectParser::ParseDictionary() /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660:34
```
This backtrace is incomplete due to the screen limitation. I used GDB to retrieve the initial part of the backtrace.
```
#13408 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13409 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13410 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13411 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13412 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13413 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13414 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13415 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13416 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13417 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13418 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13419 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13420 0x000055de358af75e in PDFObjectParser::ParseDictionary (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:660
#13421 0x000055de358a5fde in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:206
#13422 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13423 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13424 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13425 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13426 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13427 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13428 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13429 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13430 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13431 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13432 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13433 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13434 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13435 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13436 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13437 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13438 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13439 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13440 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13441 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13442 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13443 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
#13444 0x000055de358adfc4 in PDFObjectParser::ParseArray (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:603
#13445 0x000055de358a5f6b in PDFObjectParser::ParseNewObject (this=<optimized out>) at /PDF-Writer/PDFWriter/PDFObjectParser.cpp:200
```
It demonstrates that the stack contained so much function frame data that it overflowed. I have attached my crash sample.
crash1.zip
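Both backtraces show the same pattern: ParseNewObject recurses into ParseDictionary or ParseArray for every nested container in the input, so the recursion depth is whatever the file dictates and a few thousand nested `<<`/`[` tokens exhaust the stack. The standard mitigation for a recursive-descent parser is a nesting-depth counter that turns excessive nesting into an ordinary parse error before the stack runs out. The following is an added example written for this issue, not PDF-Writer's code: `BoundedObjectParser`, `ParseStatus`, `Node` and the depth limit of 64 are hypothetical names and values, the grammar is a deliberately reduced PDF-like subset (dictionaries, arrays, names, numbers), and `NestedArrays` builds a constructed input standing in for a fuzzer-generated file. One counter covers both container kinds, which matches both the dictionary-only recursion in the ASan trace and the array recursion in the GDB trace.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Illustrative recursive-descent parser with a nesting-depth guard.
// Added example with hypothetical names; not PDF-Writer's code.
enum class ParseStatus { Ok, TooDeep, Malformed };

struct Node {
    enum Kind { Dict, Array, Name, Number, Other } kind = Other;
    std::string text;                         // leaf token text
    std::vector<std::unique_ptr<Node>> kids;  // container children
};

class BoundedObjectParser {
public:
    explicit BoundedObjectParser(std::string src, size_t maxDepth = 64)
        : src_(std::move(src)), maxDepth_(maxDepth) {}

    std::unique_ptr<Node> Parse(ParseStatus& status) {
        pos_ = 0; depth_ = 0; deepest_ = 0; status = ParseStatus::Ok;
        return ParseObject(status);
    }
    size_t DeepestNesting() const { return deepest_; }

private:
    std::string src_;
    size_t maxDepth_;
    size_t pos_ = 0, depth_ = 0, deepest_ = 0;

    void SkipWs() {
        while (pos_ < src_.size() && std::isspace((unsigned char)src_[pos_])) ++pos_;
    }
    bool Peek(const char* s) const { return src_.compare(pos_, std::strlen(s), s) == 0; }

    // Tokens: "<<", ">>", "[", "]", or a run of non-delimiter characters.
    std::string NextToken() {
        SkipWs();
        if (pos_ >= src_.size()) return "";
        if (Peek("<<") || Peek(">>")) { pos_ += 2; return src_.substr(pos_ - 2, 2); }
        if (src_[pos_] == '[' || src_[pos_] == ']') return std::string(1, src_[pos_++]);
        size_t start = pos_;
        while (pos_ < src_.size() && !std::isspace((unsigned char)src_[pos_]) &&
               src_[pos_] != '[' && src_[pos_] != ']' && !Peek("<<") && !Peek(">>"))
            ++pos_;
        return src_.substr(start, pos_ - start);
    }

    std::unique_ptr<Node> ParseObject(ParseStatus& status) {
        std::string tok = NextToken();
        if (tok.empty() || tok == ">>" || tok == "]") { status = ParseStatus::Malformed; return nullptr; }
        if (tok == "<<") return ParseContainer(Node::Dict, ">>", status);
        if (tok == "[") return ParseContainer(Node::Array, "]", status);
        auto n = std::make_unique<Node>();
        bool numeric = std::isdigit((unsigned char)tok[0]) || tok[0] == '-';
        n->kind = (tok[0] == '/') ? Node::Name : (numeric ? Node::Number : Node::Other);
        n->text = tok;
        return n;
    }

    // Every nested container costs a pair of stack frames (ParseObject +
    // ParseContainer). The guard at the top bounds that recursion by the
    // parser's limit rather than by the input's nesting.
    std::unique_ptr<Node> ParseContainer(Node::Kind kind, const char* closer, ParseStatus& status) {
        if (depth_ >= maxDepth_) { status = ParseStatus::TooDeep; return nullptr; }
        ++depth_;
        deepest_ = std::max(deepest_, depth_);
        auto n = std::make_unique<Node>();
        n->kind = kind;
        while (true) {
            SkipWs();
            if (pos_ >= src_.size()) { status = ParseStatus::Malformed; --depth_; return nullptr; }
            if (Peek(closer)) { pos_ += std::strlen(closer); break; }
            auto child = ParseObject(status);
            if (!child) { --depth_; return nullptr; }  // propagate TooDeep / Malformed upward
            n->kids.push_back(std::move(child));
        }
        --depth_;
        return n;
    }
};

// Constructed input: n nested arrays "[[[...]]]", standing in for a fuzzer case.
std::string NestedArrays(size_t n) { return std::string(n, '[') + std::string(n, ']'); }

ParseStatus StatusOf(const std::string& src, size_t maxDepth) {
    BoundedObjectParser p(src, maxDepth);
    ParseStatus st;
    p.Parse(st);
    return st;
}

size_t DeepestOf(const std::string& src, size_t maxDepth) {
    BoundedObjectParser p(src, maxDepth);
    ParseStatus st;
    p.Parse(st);
    return p.DeepestNesting();
}

int main() {
    // 200000 nested arrays would exhaust the stack in an unbounded parser;
    // here the parse stops cleanly at depth 64 with ParseStatus::TooDeep.
    std::printf("normal object: %d\n", (int)StatusOf("<< /Type /Catalog /Kids [ 1 2 3 ] >>", 64));
    std::printf("200000 nested arrays: %d (deepest %zu)\n",
                (int)StatusOf(NestedArrays(200000), 64), DeepestOf(NestedArrays(200000), 64));
    return 0;
}
```

The limit value is a policy choice: real-world PDFs rarely nest more than a few dozen levels, so a bound in the tens to low hundreds rejects only hostile or corrupt input. The same counter must also be decremented on every early-return path, otherwise a malformed file could leave the parser believing it is still deep inside a container.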