
Panic when parsing malformed PDF (add with overflow in pom) #153

Closed
5225225 opened this issue Nov 27, 2021 · 3 comments

Comments


5225225 commented Nov 27, 2021

Test case (tested against latest git 53090ad)

/// Reproducer: hands a deliberately malformed in-memory PDF to
/// `lopdf::Document::load_mem` to show that the call panics instead of
/// returning an `Err`.
///
/// With debug assertions (overflow checks) enabled, the reported backtrace
/// ends in `pom::parser::take` with "attempt to add with overflow", reached
/// through `lopdf::parser::indirect_object`.
fn main() {
    // Visibly malformed parts of the input:
    //   * object 1 carries raw control bytes (`\x02\x00\x00`) in its dictionary,
    //   * object 4 declares a negative stream length (`/Length -5`),
    //   * object 5's `/Contents` array is never closed and runs into comment lines,
    //   * one xref entry has the wrong field widths (`000000028100 000 n`).
    // NOTE(review): presumably the negative `/Length` is what reaches `take`
    // as a huge unsigned count and overflows the offset addition; confirm
    // against the lopdf stream parser.
    let malformed_pdf: &[u8] = b"%PDF-1.5\n\
    1 0 obj<</Type/Pages/KD\x02\x00\x005 0 R]/Count 1/Resources 3 0 R/MediaBox[0 0 595 842]>>endobj\n\
    2 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier>>endobj\n\
    3 0 obj<</Font<</F1 2 0 R>>>>endobj\n\
    4 0 obj<</Length -5>>stream\n\
    BT\n\
    /F1 48 Tf\n\
    100 600 Td\n\
    (Hello World!) Tj\n\
    ET\n\
    endstream endobj\n\
    5 0 obj<</Type/Page/Parent 1 0 R/Contents[4 %PDF-%\x00\n\
    %\n\
    %x\n\
    %P0 obj<</Type/Catalog/Pages 1 0 R>>endobj\n\
    xref\n\
    0 7\n\
    0000000000 65535 f \n\
    0000000155 00000 n \n\
    0000000191 00000 n \n\
    000000028100 000 n \n\
    0000000338 00000 n \n\
    trailer\n\
    <</Root 6 0 R/Size 7>>\n\
    startxref\n\
    381\n\
    %%EOF";

    // The parse result is discarded on purpose: the only question here is
    // whether loading untrusted bytes panics or comes back as a `Result`.
    let _ = lopdf::Document::load_mem(malformed_pdf);
}

Stack trace with debug assertions on

thread 'main' panicked at 'attempt to add with overflow', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:428:19
stack backtrace:
   0: rust_begin_unwind
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/std/src/panicking.rs:498:5
   1: core::panicking::panic_fmt
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/panicking.rs:107:14
   2: core::panicking::panic
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/panicking.rs:48:5
   3: pom::parser::take::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:428:13
   4: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
   5: <pom::parser::Parser<I,O> as core::ops::arith::Sub<pom::parser::Parser<I,U>>>::sub::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:497:4
   6: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
   7: <pom::parser::Parser<I,O> as core::ops::arith::Sub<pom::parser::Parser<I,U>>>::sub::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:497:4
   8: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
   9: pom::parser::Parser<I,O>::map::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:45:4
  10: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  11: <pom::parser::Parser<I,O> as core::ops::bit::Shr<F>>::shr::{{closure}}::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:521:54
  12: core::result::Result<T,E>::and_then
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/result.rs:966:22
  13: <pom::parser::Parser<I,O> as core::ops::bit::Shr<F>>::shr::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:521:4
  14: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  15: pom::parser::Parser<I,O>::map::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:45:4
  16: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  17: <pom::parser::Parser<I,O> as core::ops::bit::BitOr>::bitor::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:536:11
  18: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  19: <pom::parser::Parser<I,O> as core::ops::bit::BitOr>::bitor::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:532:46
  20: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  21: <pom::parser::Parser<I,O> as core::ops::arith::Sub<pom::parser::Parser<I,U>>>::sub::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:497:4
  22: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  23: <pom::parser::Parser<I,O> as core::ops::arith::Add<pom::parser::Parser<I,U>>>::add::{{closure}}::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:485:5
  24: core::result::Result<T,E>::and_then
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/result.rs:966:22
  25: <pom::parser::Parser<I,O> as core::ops::arith::Add<pom::parser::Parser<I,U>>>::add::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:484:4
  26: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  27: <pom::parser::Parser<I,O> as core::ops::arith::Sub<pom::parser::Parser<I,U>>>::sub::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:497:4
  28: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  29: <pom::parser::Parser<I,O> as core::ops::arith::Sub<pom::parser::Parser<I,U>>>::sub::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:497:4
  30: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  31: <pom::parser::Parser<I,O> as core::ops::arith::Sub<pom::parser::Parser<I,U>>>::sub::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:497:4
  32: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/boxed.rs:1708:9
  33: pom::parser::Parser<I,O>::parse_at
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/pom-3.2.0/src/parser.rs:33:3
  34: lopdf::parser::indirect_object
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/lopdf-0.26.0/src/parser.rs:193:5
  35: lopdf::reader::Reader::read_object
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/lopdf-0.26.0/src/reader.rs:239:9
  36: lopdf::reader::Reader::read::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/lopdf-0.26.0/src/reader.rs:130:47
  37: core::ops::function::impls::<impl core::ops::function::FnMut<A> for &mut F>::call_mut
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/ops/function.rs:269:13
  38: core::iter::traits::iterator::Iterator::find_map::check::{{closure}}
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/iter/traits/iterator.rs:2409:32
  39: core::iter::traits::iterator::Iterator::try_fold
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/iter/traits/iterator.rs:1995:21
  40: core::iter::traits::iterator::Iterator::find_map
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/iter/traits/iterator.rs:2415:9
  41: <core::iter::adapters::filter_map::FilterMap<I,F> as core::iter::traits::iterator::Iterator>::next
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/iter/adapters/filter_map.rs:61:9
  42: alloc::vec::Vec<T,A>::extend_desugared
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/vec/mod.rs:2643:35
  43: <alloc::vec::Vec<T,A> as alloc::vec::spec_extend::SpecExtend<T,I>>::spec_extend
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/vec/spec_extend.rs:18:9
  44: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/vec/spec_from_iter_nested.rs:37:9
  45: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/vec/spec_from_iter.rs:33:9
  46: <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/vec/mod.rs:2546:9
  47: core::iter::traits::iterator::Iterator::collect
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/iter/traits/iterator.rs:1745:9
  48: <alloc::collections::btree::map::BTreeMap<K,V> as core::iter::traits::collect::FromIterator<(K,V)>>::from_iter
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/alloc/src/collections/btree/map.rs:1939:34
  49: core::iter::traits::iterator::Iterator::collect
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/iter/traits/iterator.rs:1745:9
  50: lopdf::reader::Reader::read
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/lopdf-0.26.0/src/reader.rs:161:37
  51: lopdf::reader::<impl core::convert::TryInto<lopdf::document::Document> for &[u8]>::try_into
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/lopdf-0.26.0/src/reader.rs:57:9
  52: lopdf::reader::<impl lopdf::document::Document>::load_mem
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/lopdf-0.26.0/src/reader.rs:49:9
  53: scratchANUPIlSaA::main
             at ./main.rs:30:13
  54: core::ops::function::FnOnce::call_once
             at /rustc/c9c4b5d7276297679387189d96a952f2b760e7ad/library/core/src/ops/function.rs:227:5

It does panic later in the file if stack traces are disabled, on a slice index error. This may be a pom bug and not a bug here.

Owner

J-F-Liu commented Nov 30, 2021

Fixed by 25ccd7f

Author

5225225 commented Nov 30, 2021

You should still return an error in that case, not panic.

load_mem returns a Result, so I'd expect it to never panic, regardless of what the input is.

Owner

J-F-Liu commented Dec 4, 2021

Updated

@J-F-Liu J-F-Liu closed this as completed Dec 16, 2021