Bug 416654

Summary: JavaScript in PDF documents can exhaust resources
Product: [Applications] okular
Reporter: Jens Mueller <jens.a.mueller+kde>
Component: PDF backend
Assignee: Okular developers <okular-devel>
Status: RESOLVED FIXED
Severity: normal
CC: aacid, nate
Priority: NOR
Version: 1.3.3
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In: 20.04.0
Attachments: Trivial PoC (01), Trivial PoC (02)

Description Jens Mueller 2020-01-23 16:49:16 UTC
A simple endless loop with JavaScript in a PDF document can cause resource exhaustion (CPU or mem). If JavaScript in PDF documents really needs to be supported, its resources should be limited (similar to browsers).
Comment 1 Jens Mueller 2020-01-23 16:49:55 UTC
Created attachment 125335
Trivial PoC (01)
Comment 2 Jens Mueller 2020-01-23 16:50:06 UTC
Created attachment 125336
Trivial PoC (02)
Comment 3 Albert Astals Cid 2020-01-25 18:21:10 UTC
Yeah, it seems that sadly the JS engine we use doesn't support timing out (even though it seems it wants to, I've asked one of the authors for confirmation).

Anyhow, the engine is almost unmaintained at this stage, so we may need to port to some other engine, both for better code future-proofing and to fix this problem.
Comment 4 Albert Astals Cid 2020-02-12 00:05:32 UTC
Fix for this has landed now

https://invent.kde.org/kde/okular/merge_requests/106/
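
The description asks for resource limits, and comment 3 notes that the engine could not time out on its own. The following is an added example, not Okular's code and not the fix in the linked merge request: a generic way to contain an evaluator that lacks a timeout is to run it in a child process under `setrlimit` caps for CPU time and address space. `run_limited`, the `job_*` functions and the limit values are hypothetical names and constructed inputs chosen for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { JOB_OK, JOB_CPU_LIMIT, JOB_FAILED };
typedef int (*job_fn)(void); /* hypothetical stand-in for "evaluate document script" */

/* Fork, cap CPU seconds and address space in the child, then run job() there. */
enum outcome run_limited(job_fn job, rlim_t cpu_seconds, rlim_t as_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return JOB_FAILED;
    if (pid == 0) {
        /* Soft CPU limit delivers SIGXCPU; the hard limit one second later, SIGKILL. */
        struct rlimit cpu = { cpu_seconds, cpu_seconds + 1 };
        struct rlimit as = { as_bytes, as_bytes };
        if (setrlimit(RLIMIT_CPU, &cpu) != 0 || setrlimit(RLIMIT_AS, &as) != 0)
            _exit(125); /* never run the job unconfined */
        _exit(job() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return JOB_FAILED;
    if (WIFSIGNALED(status) && (WTERMSIG(status) == SIGXCPU || WTERMSIG(status) == SIGKILL))
        return JOB_CPU_LIMIT;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return JOB_OK;
    return JOB_FAILED; /* e.g. allocation refused once RLIMIT_AS is reached */
}

/* Constructed sample jobs: well-behaved, endless loop, unbounded allocation. */
static volatile unsigned long sink;
static void *volatile keep;
int job_ok(void) { return 0; }
int job_spin(void) { for (;;) sink++; }
int job_hog(void)
{
    for (;;)
        if ((keep = malloc((size_t)16 << 20)) == NULL)
            return 1;
}

int main(void)
{
    rlim_t as = (rlim_t)128 << 20; /* 128 MiB, an arbitrary example value */
    printf("ok=%d spin=%d hog=%d\n", run_limited(job_ok, 1, as),
           run_limited(job_spin, 1, as), run_limited(job_hog, 1, as));
    return 0;
}
```

`RLIMIT_CPU` counts CPU seconds, not wall-clock time, so a job that blocks without computing needs a separate wall-clock watchdog in the parent.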