Bug 672181 - (CVE-2010-4654) CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 734819
  Show dependency treegraph
Reported: 2011-01-24 05:25 EST by Tomas Hoger
Modified: 2015-07-31 02:36 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2011-01-24 05:25:24 EST
Dan Rosenberg reported an issue in xpdf/poppler code base:


  Malformed commands may cause corruption of the internal stack used
  to maintain graphics contexts, leading to potentially exploitable
  memory corruption.


Red Hat would like to thank Dan Rosenberg for reporting this issue.
Comment 1 Tomas Hoger 2011-01-24 05:39:02 EST
Upstream poppler git commit that adds stack guards:

This fix changes API and ABI of the Gfx class.  This is part of Xpdf headers bundled in poppler-devel in Fedora and RHEL-6.  poppler upstream makes certain API/ABI stability promises for supported frontends (glib, Qt4), but not for legacy Xpdf APIs, which are used by some programs (texlive, gimp, or openoffice.org).
Comment 4 Tomas Hoger 2011-01-25 10:48:08 EST
SUSE xpdf packages maintainer tracked this crash down to q (saveState) / Q (restoreState) graphics operations imbalance.  While the patch mentioned in comment #1 adds additional guards to the graphics states stack, earlier commit tries to address q/Q imbalance:

This fix is included in RHEL-6 poppler.  RHEL-5 poppler does not include this fix, but does not seem to crash on the Dan's reproducer either.

Note You need to log in before you can comment on or make changes to this bug.