Bug 416654 - JavaScript in PDF documents can exhaust resources
Summary: JavaScript in PDF documents can exhaust resources
Status: RESOLVED FIXED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend (show other bugs)
Version: 1.3.3
Platform: Other Linux
: NOR normal
Target Milestone: ---
Assignee: Okular developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-23 16:49 UTC by Jens Mueller
Modified: 2020-02-12 00:53 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In: 20.04.0
Sentry Crash Report:


Attachments
Trivial PoC (01) (1.53 KB, application/pdf)
2020-01-23 16:49 UTC, Jens Mueller
Details
Trivial PoC (02) (2.91 KB, application/pdf)
2020-01-23 16:50 UTC, Jens Mueller
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jens Mueller 2020-01-23 16:49:16 UTC
A simple endless loop with JavaScript in a PDF document can cause resource exhaustion (cpu or mem). If JavaScript in PDF documents really needs to be supported, its resources should be limited (similar to browsers).
Comment 1 Jens Mueller 2020-01-23 16:49:55 UTC
Created attachment 125335 [details]
Trivial PoC (01)
Comment 2 Jens Mueller 2020-01-23 16:50:06 UTC
Created attachment 125336 [details]
Trivial PoC (02)
Comment 3 Albert Astals Cid 2020-01-25 18:21:10 UTC
yeah, it seems that sadly the JS engine we use doesn't support timing out (even thought it seems it wants to, I've asked one of the authors for confirmation).

Anyhow the engine is almost unmaintained at this stage so we may need to port to some other engine both for better code future proofing and to fix this problem.
Comment 4 Albert Astals Cid 2020-02-12 00:05:32 UTC
Fix for this has landed now

https://invent.kde.org/kde/okular/merge_requests/106/