A flaw was found in Poppler 0.72.0. The PDFDoc::setup class in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing.

References:
https://gitlab.freedesktop.org/poppler/poppler/issues/706

Upstream Patch:
https://gitlab.freedesktop.org/poppler/poppler/commit/9fd5ec0e6e5f763b190f2a55ceb5427cfe851d5f
Created mingw-poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665275]

Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665274]
Upstream has reverted the fix because it caused some regressions:
https://gitlab.freedesktop.org/poppler/poppler/commit/1e99a1eeb3a144facf45165df9f457796c045daa
https://gitlab.freedesktop.org/poppler/poppler/issues/706#note_99000
Red Hat Enterprise 7 has a few valgrind errors, but no abort.

```
==12199== Memcheck, a memory error detector
==12199== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12199== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12199== Command: pdfunite test.pdf sigabrt_Object.h:258_2.pdf out.pdf
==12199==
Syntax Error (374): Illegal character <10> in hex string
Syntax Error (603): Dictionary key must be a name object
Syntax Error (605): Dictionary key must be a name object
Syntax Error (611): Dictionary key must be a name object
Syntax Error (603): Dictionary key must be a name object
Syntax Error (605): Dictionary key must be a name object
Syntax Error (611): Dictionary key must be a name object
Syntax Error (1014): Dictionary key must be a name object
Syntax Error (1016): Dictionary key must be a name object
Syntax Error (1018): Dictionary key must be a name object
Syntax Error (1018): Dictionary key must be a name object
Syntax Error (1020): Dictionary key must be a name object
Syntax Error: Page count in top-level pages object is wrong type (null)
==12199== Invalid read of size 4
==12199==    at 0x6341C30: pthread_mutex_lock (pthread_mutex_lock.c:65)
==12199==    by 0x4F15D82: UnknownInlinedFun (GooMutex.h:78)
==12199==    by 0x4F15D82: Array::decRef() (Array.cc:85)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x633D8C4: __pthread_mutex_lock_full (pthread_mutex_lock.c:176)
==12199==    by 0x4F15D82: UnknownInlinedFun (GooMutex.h:78)
==12199==    by 0x4F15D82: Array::decRef() (Array.cc:85)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x4F15D83: Array::decRef() (Array.cc:86)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93c8 is 24 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid write of size 4
==12199==    at 0x4F15D8C: Array::decRef() (Array.cc:86)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93c8 is 24 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x6342E10: __pthread_mutex_unlock_usercnt (pthread_mutex_unlock.c:39)
==12199==    by 0x6342E10: pthread_mutex_unlock (pthread_mutex_unlock.c:330)
==12199==    by 0x4F15D93: UnknownInlinedFun (GooMutex.h:79)
==12199==    by 0x4F15D93: Array::decRef() (Array.cc:87)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x633DDC6: __pthread_mutex_unlock_full (pthread_mutex_unlock.c:101)
==12199==    by 0x4F15D93: UnknownInlinedFun (GooMutex.h:79)
==12199==    by 0x4F15D93: Array::decRef() (Array.cc:87)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199==
==12199== HEAP SUMMARY:
==12199==     in use at exit: 1,034 bytes in 29 blocks
==12199==   total heap usage: 7,782 allocs, 7,753 frees, 2,012,194 bytes allocated
==12199==
==12199== LEAK SUMMARY:
==12199==    definitely lost: 465 bytes in 16 blocks
==12199==    indirectly lost: 512 bytes in 4 blocks
==12199==      possibly lost: 0 bytes in 0 blocks
==12199==    still reachable: 57 bytes in 9 blocks
==12199==         suppressed: 0 bytes in 0 blocks
==12199== Rerun with --leak-check=full to see details of leaked memory
==12199==
==12199== For counts of detected and suppressed errors, rerun with: -v
==12199== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
```
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2022 https://access.redhat.com/errata/RHSA-2019:2022
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20662
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:2713 https://access.redhat.com/errata/RHSA-2019:2713