Red Hat Bugzilla – Bug 672181
CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
Last modified: 2015-07-31 02:36:45 EDT
Dan Rosenberg reported an issue in the xpdf/poppler code base:
Malformed commands may cause corruption of the internal stack used
to maintain graphics contexts, leading to potentially exploitable
Red Hat would like to thank Dan Rosenberg for reporting this issue.
Upstream poppler git commit that adds stack guards:
This fix changes the API and ABI of the Gfx class. This is part of the Xpdf headers bundled in poppler-devel in Fedora and RHEL-6. poppler upstream makes certain API/ABI stability promises for supported frontends (glib, Qt4), but not for legacy Xpdf APIs, which are used by some programs (texlive, gimp, or openoffice.org).
The SUSE xpdf package maintainer tracked this crash down to a q (saveState) / Q (restoreState) graphics operation imbalance. While the patch mentioned in comment #1 adds additional guards to the graphics state stack, an earlier commit tries to address the q/Q imbalance:
This fix is included in RHEL-6 poppler. RHEL-5 poppler does not include this fix, but does not seem to crash on Dan's reproducer either.
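The q/Q imbalance discussed in the comments above, worked through as an added example that is not part of this bug report and not poppler's or xpdf's own code. It models the graphics state stack as a vector of states and adds a "bottom guard" per nested content stream (form XObject), so a stray Q inside a form can only pop states that form itself pushed, and any q the form leaves unmatched is unwound by the caller. The class and member names (GfxModel, guards_, execForm, kMaxFormDepth), the tiny q/Q/w/Do interpreter, and the sample form streams are all assumptions made for illustration; they do not reproduce the real Gfx class or the upstream patch.

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for xpdf's GfxState (assumption): only the field needed to show
// that an unbalanced Q in a nested stream cannot clobber the caller's state.
struct GfxStateModel {
    double lineWidth = 1.0;
};

struct RunResult {
    int finalDepth;        // saved states still on the stack when the page stream ends
    int rejectedRestores;  // Q operators refused because they would pop past a guard
    int leakedSaves;       // q operators a form left unmatched, unwound by the caller
    double lineWidth;      // current line width when the page stream ends
};

// Hypothetical model of the Gfx state stack; names are assumptions, not poppler's API.
class GfxModel {
public:
    GfxModel() {
        stack_.push_back(GfxStateModel()); // base state; never popped
        guards_.push_back(0);              // page level: Q may not pop below depth 0
    }

    int depth() const { return static_cast<int>(stack_.size()) - 1; }
    int rejected() const { return rejected_; }
    int leaked() const { return leaked_; }
    double lineWidth() const { return stack_.back().lineWidth; }

    // q: push a copy of the current state.
    void saveState() { stack_.push_back(stack_.back()); }

    // Q: pop, unless the top state belongs to an enclosing context.
    bool restoreState() {
        if (depth() <= guards_.back()) { ++rejected_; return false; }
        stack_.pop_back();
        return true;
    }

    // Do: run a form XObject's content stream inside its own guarded region.
    void execForm(const std::string& content, const std::map<std::string, std::string>& forms) {
        if (formDepth_ >= kMaxFormDepth) return;   // assumed limit against self-referencing forms
        ++formDepth_;
        saveState();                // the form starts from a copy of the caller's state
        guards_.push_back(depth()); // and may not pop below that copy
        exec(content, forms);
        while (depth() > guards_.back()) { stack_.pop_back(); ++leaked_; } // missing Q's
        guards_.pop_back();
        restoreState();             // matches the saveState() above
        --formDepth_;
    }

    // Minimal content-stream interpreter: q, Q, w and "/Name Do"; other tokens are ignored.
    void exec(const std::string& content, const std::map<std::string, std::string>& forms) {
        std::istringstream in(content);
        std::string tok, lastName;
        std::vector<double> operands;
        while (in >> tok) {
            if (tok == "q") { saveState(); operands.clear(); }
            else if (tok == "Q") { restoreState(); operands.clear(); }
            else if (tok == "w") {
                if (!operands.empty()) stack_.back().lineWidth = operands.back();
                operands.clear();
            } else if (tok == "Do") {
                std::map<std::string, std::string>::const_iterator it = forms.find(lastName);
                if (it != forms.end()) execForm(it->second, forms);
                operands.clear();
            } else if (tok[0] == '/') {
                lastName = tok.substr(1);
            } else {
                char* end = 0;
                double v = std::strtod(tok.c_str(), &end);
                if (end && *end == '\0') operands.push_back(v);
            }
        }
    }

private:
    static const int kMaxFormDepth = 16;
    std::vector<GfxStateModel> stack_;
    std::vector<int> guards_;
    int rejected_ = 0;
    int leaked_ = 0;
    int formDepth_ = 0;
};

RunResult runContentStream(const std::string& page,
                           const std::map<std::string, std::string>& forms) {
    GfxModel gfx;
    gfx.exec(page, forms);
    RunResult r = { gfx.depth(), gfx.rejected(), gfx.leaked(), gfx.lineWidth() };
    return r;
}

int main() {
    std::map<std::string, std::string> forms;   // constructed sample form XObjects
    forms["Fm1"] = "Q Q 9 w";     // tries to pop the caller's states
    forms["Fm2"] = "q q 4 w";     // forgets to restore what it saved
    RunResult r = runContentStream("q 5 w /Fm1 Do Q", forms);
    std::printf("depth=%d rejected=%d leaked=%d lineWidth=%g\n",
                r.finalDepth, r.rejectedRestores, r.leakedSaves, r.lineWidth);
    return 0;
}
```

Without the guard, the two Q operators in Fm1 would pop the page's own saved state and the base state, which is the kind of stack corruption the report describes; with the guard they are refused and the page's line width of 5 survives until the page's own Q. The unwind loop in execForm covers the opposite imbalance (more q than Q inside a form) so the stack depth seen by the caller is the same whether or not the form was well formed.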