Created attachment 1383033 [details] poc for podofo On 0.9.5 (the latest version) of podofo: there is an uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve function (src/base/PdfVecObjects.h), which can cause denial of service via a crafted pdf file. Error message: terminate called after throwing an instance of 'std::length_error' what(): vector::reserve Aborted The problem happens since in line 499 of src/base/PdfVecObjects.h, the "size" variable could by manipulated by POC, which results in huge amount of memory allocation. (gdb) l 494 // ----------------------------------------------------- 495 // 496 // ----------------------------------------------------- 497 inline void PdfVecObjects::Reserve( size_t size ) 498 { 499 m_vector.reserve( size ); 500 } 501 502 // ----------------------------------------------------- 503 // (gdb) p size $1 = 18446744073709551608 To reproduce the issue, run: podofoimgextract $POC OUTPUT The POC is attached.
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.