6-year-old loop bug in many PDF viewers

In 2011 an obscure bug was found in a PDF parsing library. Six years later, this bug is still present in the top PDF programs currently in use.



This was reported by Hanno Böck in his blog article "Six year old PDF loop bug affects most major implementations". Böck had recently investigated the qpdf library, which is contained in many PDF packages, using afl and libFuzzer. Opening a specially prepared PDF file causes high CPU load, and a memory error occurs after several minutes. The PDF parser seems to be stuck in an endless loop.

Böck refers to a presentation by CCC from 2011, where such a bug had already been reported. The problem was fixed at the time, but it seems that vendors of PDF readers are not aware of this issue. The qpdf problem in the above analysis is the same as reported here (a test file can be found here).

Böck writes that the GitHub JavaScript PDF viewer is also affected. The PDF viewer in Mozilla Firefox? Affected, because it uses pdf.js, like GitHub. Google Chrome / Chromium, which use the PDFium library, are also affected. Ghostscript is affected, as are other PDF parsers. Only Adobe Reader and Apple's internal OS X PDF viewer are not affected.

