Bug 1665266 (CVE-2018-20481) - CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc
Summary: CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRe...
Status: NEW
Alias: CVE-2018-20481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20181220,reported=2...
Keywords: Security
Depends On: 1677057 1677058 1717790 1665268 1665269
Blocks: 1665262
TreeView+ depends on / blocked
 
Reported: 2019-01-10 20:14 UTC by Laura Pardo
Modified: 2019-06-08 23:48 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2019-01-10 20:14:44 UTC
A flaw was found in Poppler 0.72.0. A NULL pointer dereference in the XRef::getEntry class in XRef.cc file due to the mishandle of unallocated XRef entries. This allows remote attackers to cause a denial of service via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.


References:
https://gitlab.freedesktop.org/poppler/poppler/issues/692

Upstream Patch:
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143

Comment 1 Laura Pardo 2019-01-10 20:14:58 UTC
Created mingw-poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665269]


Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665268]

Comment 2 Scott Gayou 2019-02-13 21:49:49 UTC
Looks like it will only segfault on 32-bit systems. However, we still get a Valgrind error and ASAN termination on 64bit.

```
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
=================================================================
==12093== ERROR: AddressSanitizer: heap-use-after-free on address 0x609600000488 at pc 0x7f52d7b4716c bp 0x7ffe2a4635b0 sp 0x7ffe2a4635a0
READ of size 4 at 0x609600000488 thread T0
    #0 0x7f52d7b4716b in XRefEntry::setFlag(XRefEntry::Flag, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/XRef.h:91
    #2 0x7f52d7b46832 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:297
    #4 0x7f52d7b45a0d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:131 (discriminator 1)
    #6 0x7f52d7b455ba in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:96
    #8 0x7f52d7b4589e in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:121
```

Comment 3 Scott Gayou 2019-02-13 22:02:35 UTC
Example of the same run in valgrind instead:

Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
==12167== Invalid read of size 4
==12167==    at 0x4F8A295: setFlag (XRef.h:91)
==12167==    by 0x4F8A295: Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:297)
==12167==    by 0x4F8A8F7: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:131)
==12167==    by 0x4F8A5A2: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:96)
==12167==    by 0x4F8A9D4: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:121)
==12167==    by 0x4FA6965: XRef::fetch(int, int, Object*, int) (XRef.cc:1199)
==12167==    by 0x4F18C2A: dictLookup (Object.h:320)
==12167==    by 0x4F18C2A: Catalog::getNumPages() (Catalog.cc:809)
==12167==    by 0x4018EE: main (pdfdetach.cc:163)


Note You need to log in before you can comment on or make changes to this bug.