<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseEntry()"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=102687">102687</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseEntry()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>etovio@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=134185" name="attach_134185" title="POC file of the vulnerability">attachment 134185</a></span>
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler XRef.cc
XRef::parseEntry(), which may lead to a potential Denial of Service attack when
handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q -s ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf 
Segmentation fault

gzq@ubuntu:~/work/vul/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized out>, entry=0x0) at XRef.cc:1539
1539          entry->offset = obj1.getInt();
(gdb) bt
#0  0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized out>, entry=0x0) at XRef.cc:1539
#1  0x00000000005c7734 in XRef::getEntry (this=<optimized out>, i=0, complainIfMissing=true) at XRef.cc:1601
#2  0x00000000006a72e3 in Hints::Hints (this=0x9e2190, str=<optimized out>, linearization=0x9e01e0, xref=0x9e00e0, secHdlr=0x0) at Hints.cc:114
#3  0x000000000056fcde in PDFDoc::checkLinearization (this=0x9dfe70) at PDFDoc.cc:555
#4  0x000000000056f2c2 in PDFDoc::getPage (this=0x9dfe70, page=1) at PDFDoc.cc:1955
#5  0x000000000056f024 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e0c00, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=true, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=112) at PDFDoc.cc:484
#6  0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:408</pre>
        </div>
      </p>
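      <p>For crash triage, the backtrace in this report can be reduced to a faulting frame, the pointer arguments gdb shows as NULL, and a short call-chain bucket for de-duplication. The script below is an added example, not part of the original report or of poppler; the function names <code>join_frames</code>, <code>parse_frame</code> and <code>triage</code> are hypothetical, and the embedded sample is frames 0-3 of the backtrace above.</p>

```python
import re

# Frames 0-3 copied from the gdb backtrace in the report (mail-wrapped as posted).
BACKTRACE = """\
#0  0x00000000005ca07f in XRef::parseEntry (this=<optimized out>,
offset=<optimized out>, entry=0x0) at XRef.cc:1539
#1  0x00000000005c7734 in XRef::getEntry (this=<optimized out>, i=0,
complainIfMissing=true) at XRef.cc:1601
#2  0x00000000006a72e3 in Hints::Hints (this=0x9e2190, str=<optimized out>,
linearization=0x9e01e0, xref=0x9e00e0, secHdlr=0x0) at Hints.cc:114
#3  0x000000000056fcde in PDFDoc::checkLinearization (this=0x9dfe70) at
PDFDoc.cc:555
"""

FRAME_RE = re.compile(
    r"#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w:~<>]+) "
    r"\((?P<args>.*)\) at (?P<file>[^\s:]+):(?P<line>\d+)$"
)

def join_frames(text):
    """Undo line wrapping: '#<n>' starts a frame, any other line continues it."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"#\d+\s", line):
            frames.append(line)
        elif line and frames:
            frames[-1] += " " + line
    return frames

def parse_frame(frame):
    """Split one joined frame into number, function, arguments and source location."""
    m = FRAME_RE.match(frame)
    if m is None:
        return None
    args = dict(a.split("=", 1) for a in m["args"].split(", ") if "=" in a)
    return {"num": int(m["num"]), "func": m["func"], "args": args,
            "loc": f'{m["file"]}:{m["line"]}'}

def triage(text):
    """Summarise the faulting frame and the arguments gdb prints as 0x0 (NULL)."""
    frames = [f for f in map(parse_frame, join_frames(text)) if f]
    if not frames:
        raise ValueError("no parsable frames in backtrace")
    top = frames[0]
    return {"fault": f'{top["func"]} at {top["loc"]}',
            "null_pointer_args": [k for k, v in top["args"].items() if v == "0x0"],
            "bucket": " < ".join(f["func"] for f in frames[:3])}

if __name__ == "__main__":
    print(triage(BACKTRACE))
```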


    </body>
</html>