<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseEntry()"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102687">102687</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseEntry()
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>etovio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134185" name="attach_134185" title="POC file of the vulnerability">attachment 134185</a> <a href="attachment.cgi?id=134185&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability
A NULL pointer dereference vulnerability was found in poppler XRef.cc
XRef::parseEntry() which may lead to potential Denial of Service attack when
handling malicious PDF files:
gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q
-s ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf
Segmentation fault
gzq@ubuntu:~/work/vul/poppler$ gdb -q
/home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s -q
./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized
out>, entry=0x0) at XRef.cc:1539
1539 entry->offset = obj1.getInt();
(gdb) bt
#0 0x00000000005ca07f in XRef::parseEntry (this=<optimized out>,
offset=<optimized out>, entry=0x0) at XRef.cc:1539
#1 0x00000000005c7734 in XRef::getEntry (this=<optimized out>, i=0,
complainIfMissing=true) at XRef.cc:1601
#2 0x00000000006a72e3 in Hints::Hints (this=0x9e2190, str=<optimized out>,
linearization=0x9e01e0, xref=0x9e00e0, secHdlr=0x0) at Hints.cc:114
#3 0x000000000056fcde in PDFDoc::checkLinearization (this=0x9dfe70) at
PDFDoc.cc:555
#4 0x000000000056f2c2 in PDFDoc::getPage (this=0x9dfe70, page=1) at
PDFDoc.cc:1955
#5 0x000000000056f024 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e0c00,
page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=true, crop=<optimized out>, printing=<optimized out>,
abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=112) at PDFDoc.cc:484
#6 0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at
pdftohtml.cc:408</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>