An invalid pointer dereference was found in the way xpdf processed JBIG2 PDF stream objects in the PDF file catalog. If a local user was tricked into opening a specially-crafted Portable Document Format (PDF) file, it could lead to denial of service (xpdf crash) or, potentially, to arbitrary code execution with the privileges of the user running xpdf.
(In reply to comment #10) > i tested xpdf-3.00-23.el4_8.1.i386. The sample1.pdf caused a crash xpdf but no > crash in pdftops. This crash is a NULL pointer dereference: Program received signal SIGSEGV, Segmentation fault. 0x08076cf4 in ~JArithmeticDecoder (this=0x8838628) at JArithmeticDecoder.cc:107 107 return (Guint)str->getChar() & 0xff; (gdb) print str $1 = (class Stream *) 0x0 I'll do some additional testing, but I suspect this is a DoS only
I got the same results as above with gpdf and kpdf. I'm going to write this one off as a DoS only, which matches the results Canonical found.
Closing this one not-a-security-bug, as it's NULL pointer dereference only (see comment #11 and comment #12).
(In reply to comment #11) > This crash is a NULL pointer dereference: > Program received signal SIGSEGV, Segmentation fault. > 0x08076cf4 in ~JArithmeticDecoder (this=0x8838628) at JArithmeticDecoder.cc:107 > 107 return (Guint)str->getChar() & 0xff; > (gdb) print str > $1 = (class Stream *) 0x0 The crash in recent poppler versions is different, but still NULL pointer dereference issue. JBIG2Bitmap::getSlice() gets called with large values in wA/hA arguments: http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740 It calls JBIG2Bitmap::JBIG2Bitmap(): http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700 which contains protection against integer overflow / under-allocation of the data[] buffer, and leaves data set to NULL if integer overflow is detected. JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which does memset(data, ...), resulting in NULL pointer dereference crash.
Reported upstream: https://bugs.freedesktop.org/show_bug.cgi?id=28170