Bug 583738 – CVE-2010-0207 xpdf: XRef table parsing infinite loop

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 583738 - (CVE-2010-0207) CVE-2010-0207 xpdf: XRef table parsing infinite loop

Summary:	CVE-2010-0207 xpdf: XRef table parsing infinite loop

Status:	CLOSED NOTABUG

Aliases:	CVE-2010-0207

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=none,source=cert,reported=2010...
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-04-19 11:36 EDT by Tomas Hoger
Modified:	2016-03-04 07:25 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-04-19 11:50:57 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
FreeDesktop.org	28172	None	None	None	Never

Groups: None (edit)

Description Tomas Hoger 2010-04-19 11:36:54 EDT

CERT-FI has provided us with a sample PDF file that causes various xpdf-based PDF viewers to crash.  File causes xpdf to enter an infinite loop, resulting in exhaustion of the stack memory and application crash.

Comment 3 Tomas Hoger 2010-04-19 11:50:57 EDT

Additional details:
xpdf uses XRef::readXRef() (XRef.cc) to read xref object form the PDF file.  This method gets xref object position as an argument.  This calls XRef::readXRefTable() to read "old-style" xref table.  This method parses xref table and reads "trailer" directory.  This trailer may define /XRefStm key, which points to additional xref object (used by linearized PDFs).  XRef::readXRef() is called against with position specified by /XRefStm, which may be identical to the position of the main xref object, resulting in an infinite loop.

This is not considered a security flaw for PDF viewers.

Comment 4 Tomas Hoger 2010-05-19 05:56:36 EDT

Upstream bug:
  https://bugs.freedesktop.org/show_bug.cgi?id=28172

Note You need to log in before you can comment on or make changes to this bug.