A flaw was found in Poppler 0.72.0. A NULL pointer dereference in the XRef::getEntry class in XRef.cc file due to the mishandling of unallocated XRef entries. This allows remote attackers to cause a denial of service via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.

References: https://gitlab.freedesktop.org/poppler/poppler/issues/692

Upstream Patch: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143
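To illustrate the bug class named above, here is a small C++ model added for this page (not Poppler's own code): an xref lookup modelled on XRef::getEntry that returns a null pointer for slots that were never allocated, a caller modelled on Parser::makeStream that dereferences the result unconditionally, and a hardened caller that treats a missing entry as a parse error. The entry layout, flag names and the `allocated` marker are assumptions for the model.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

enum class Flag { Parsing, Unencrypted };   // assumed flag names for the model

struct XRefEntry {
    long offset = 0;
    int flags = 0;
    bool allocated = false;   // false: slot reserved in the table but never filled in
    void setFlag(Flag f, bool v) {
        int bit = 1 << static_cast<int>(f);
        flags = v ? (flags | bit) : (flags & ~bit);
    }
    bool getFlag(Flag f) const { return (flags & (1 << static_cast<int>(f))) != 0; }
};

class XRefTable {
public:
    explicit XRefTable(std::size_t size) : entries_(size) {}
    void allocate(std::size_t num, long offset) {
        entries_[num].offset = offset;
        entries_[num].allocated = true;
    }
    // Modelled on XRef::getEntry: out-of-range or unallocated slots yield nullptr,
    // not a usable entry. Every caller must be prepared for that.
    XRefEntry* getEntry(int num) {
        if (num < 0 || static_cast<std::size_t>(num) >= entries_.size()) return nullptr;
        if (!entries_[num].allocated) return nullptr;
        return &entries_[num];
    }
private:
    std::vector<XRefEntry> entries_;
};

// Vulnerable pattern: trusts the lookup and dereferences whatever comes back.
// An object number in a crafted PDF that names an unallocated slot crashes here.
void markStreamParsedUnsafe(XRefTable& xref, int objNum) {
    xref.getEntry(objNum)->setFlag(Flag::Parsing, true);   // NULL dereference on bad input
}

// Hardened pattern: a missing entry is a syntax error in the document, not an object.
bool markStreamParsed(XRefTable& xref, int objNum) {
    XRefEntry* e = xref.getEntry(objNum);
    if (e == nullptr) {
        std::fprintf(stderr, "Syntax Error: Invalid XRef entry %d\n", objNum);
        return false;
    }
    e->setFlag(Flag::Parsing, true);
    return true;
}

// Constructed sample table: four slots, only object 1 actually allocated.
XRefTable makeSampleTable() {
    XRefTable t(4);
    t.allocate(1, 100);
    return t;
}
```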
Created mingw-poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665269]

Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665268]
Looks like it will only segfault on 32-bit systems. However, we still get a Valgrind error and ASAN termination on 64bit.

```
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
=================================================================
==12093== ERROR: AddressSanitizer: heap-use-after-free on address 0x609600000488 at pc 0x7f52d7b4716c bp 0x7ffe2a4635b0 sp 0x7ffe2a4635a0
READ of size 4 at 0x609600000488 thread T0
    #0 0x7f52d7b4716b in XRefEntry::setFlag(XRefEntry::Flag, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/XRef.h:91
    #2 0x7f52d7b46832 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:297
    #4 0x7f52d7b45a0d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:131 (discriminator 1)
    #6 0x7f52d7b455ba in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:96
    #8 0x7f52d7b4589e in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:121
```
Example of the same run in valgrind instead:

```
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
==12167== Invalid read of size 4
==12167==    at 0x4F8A295: setFlag (XRef.h:91)
==12167==    by 0x4F8A295: Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:297)
==12167==    by 0x4F8A8F7: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:131)
==12167==    by 0x4F8A5A2: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:96)
==12167==    by 0x4F8A9D4: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:121)
==12167==    by 0x4FA6965: XRef::fetch(int, int, Object*, int) (XRef.cc:1199)
==12167==    by 0x4F18C2A: dictLookup (Object.h:320)
==12167==    by 0x4F18C2A: Catalog::getNumPages() (Catalog.cc:809)
==12167==    by 0x4018EE: main (pdfdetach.cc:163)
```
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2022 https://access.redhat.com/errata/RHSA-2019:2022
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20481
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:2713 https://access.redhat.com/errata/RHSA-2019:2713