[Poppler-bugs] [Bug 102687] New: NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseEntry()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Sep 13 02:16:44 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=102687

            Bug ID: 102687
           Summary: NULL pointer dereference vulnerability in poppler
                    0.59.0 XRef.cc XRef::parseEntry()
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134185
  --> https://bugs.freedesktop.org/attachment.cgi?id=134185&action=edit
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler XRef.cc
XRef::parseEntry() which may lead to potential Denial of Service attack when
handling malicious PDF files:

gzq at ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q
-s ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf 
Segmentation fault

gzq at ubuntu:~/work/vul/poppler$ gdb -q
/home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s -q
./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized
out>, entry=0x0) at XRef.cc:1539
1539          entry->offset = obj1.getInt();
(gdb) bt
#0  0x00000000005ca07f in XRef::parseEntry (this=<optimized out>,
offset=<optimized out>, entry=0x0) at XRef.cc:1539
#1  0x00000000005c7734 in XRef::getEntry (this=<optimized out>, i=0,
complainIfMissing=true) at XRef.cc:1601
#2  0x00000000006a72e3 in Hints::Hints (this=0x9e2190, str=<optimized out>,
linearization=0x9e01e0, xref=0x9e00e0, secHdlr=0x0) at Hints.cc:114
#3  0x000000000056fcde in PDFDoc::checkLinearization (this=0x9dfe70) at
PDFDoc.cc:555
#4  0x000000000056f2c2 in PDFDoc::getPage (this=0x9dfe70, page=1) at
PDFDoc.cc:1955
#5  0x000000000056f024 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e0c00,
page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=true, crop=<optimized out>, printing=<optimized out>,
abortCheckCbk=<optimized out>, 
    abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=112) at PDFDoc.cc:484
#6  0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at
pdftohtml.cc:408

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170913/157aa831/attachment-0001.html>

More information about the Poppler-bugs mailing list