Created attachment 134064 [details]
POC file of the vulnerability.

A NULL pointer dereference vulnerability was found in Annot.cc AnnotRichMedia::Content::Content(), which may lead to a potential Denial of Service attack when processing malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler/bin/pdfinfo ./mal-annot-cc-6577-2-07.pdf
Tagged: no
UserProperties: no
Suspects: no
Form: none
Syntax Error (1611): Dictionary key must be a name object
Syntax Error (1613): Dictionary key must be a name object
Syntax Error (1615): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault

We can debug the vulnerable application to learn the details:

gzq@ubuntu:~/work/vul/poppler$ gdb /home/gzq/install/poppler/bin/pdfinfo
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/gzq/install/poppler/bin/pdfinfo...done.
(gdb) r ./mal-annot-cc-6577-2-07.pdf
Starting program: /home/gzq/install/poppler/bin/pdfinfo ./mal-annot-cc-6577-2-07.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Tagged: no
UserProperties: no
Suspects: no
Form: none
Syntax Error (1611): Dictionary key must be a name object
Syntax Error (1613): Dictionary key must be a name object
Syntax Error (1615): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.
AnnotRichMedia::Content::Content (this=0x555555c0f490, dict=<optimized out>) at Annot.cc:6577
6577        assets[counter] = new AnnotRichMedia::Asset;
(gdb) bt
#0  AnnotRichMedia::Content::Content (this=0x555555c0f490, dict=<optimized out>) at Annot.cc:6577
#1  0x0000555555606625 in AnnotRichMedia::initialize (this=0x555555c0f6d0, docA=<optimized out>, dict=0x555555c0f820) at Annot.cc:6449
#2  0x0000555555609162 in Annots::createAnnot (this=this@entry=0x555555c0dda0, dictObject=dictObject@entry=0x7fffffffe0a0, obj=obj@entry=0x7fffffffe0b0) at Annot.cc:6926
#3  0x00005555556096dd in Annots::Annots (this=0x555555c0dda0, docA=<optimized out>, page=1, annotsObj=0x7fffffffe110) at Annot.cc:6817
#4  0x000055555575f106 in Page::getAnnots (this=this@entry=0x555555c0f040, xrefA=xrefA@entry=0x0) at Page.cc:374
#5  0x00005555555bb2f7 in JSInfo::scan (this=0x7fffffffe230, nPages=1) at JSInfo.cc:176
#6  0x00005555555b3f34 in printInfo (doc=0x555555c0de40, uMap=<optimized out>, filesize=2666, multiPage=false) at pdfinfo.cc:487
#7  0x00005555555af20f in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:748
(gdb) p assets
$1 = (AnnotRichMedia::Asset **) 0x0
(gdb) p nAssets
$2 = 0

nAssets may be 0 when a crafted PDF file is being handled, and thus the assets pointer may be null.

This vulnerability has been reproduced in both the latest stable release 0.59.0 and the latest code in the repository. Evince and xpdf are also affected.

A PDF file has been attached to help reproduce this vulnerability.
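The crash state above (assets == NULL while nAssets == 0, yet the loop body still runs) is the classic mismatch between the bound used for allocation and the bound used for iteration. The following is an added, hypothetical C++ reconstruction of that bug class beside a hardened form; it is not poppler's Annot.cc code, and the Asset struct, NamesArray type and the parse functions are stand-ins assumed for illustration only.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for a RichMedia asset entry (hypothetical, not poppler's class).
struct Asset { std::string name; std::string ref; };

// The /Assets /Names array alternates "name, reference". A crafted file can
// give it an odd length, e.g. a single entry (constructed inputs in main()).
using NamesArray = std::vector<std::string>;

// Vulnerable pattern (hypothetical reconstruction of the bug class): the
// allocation size counts pairs, but the loop walks raw entries. With one
// entry nAssets == 0, assets stays nullptr, and the loop body runs once.
// With an odd length > 1 the same mismatch writes one slot past the end.
static Asset **parseAssetsUnsafe(const NamesArray &names, int &nAssets) {
    Asset **assets = nullptr;
    nAssets = static_cast<int>(names.size() / 2);
    if (nAssets > 0)
        assets = new Asset *[nAssets];
    int counter = 0;
    for (std::size_t i = 0; i < names.size(); i += 2) {
        assets[counter] = new Asset;   // NULL dereference when nAssets == 0
        assets[counter]->name = names[i];
        assets[counter]->ref = (i + 1 < names.size()) ? names[i + 1] : "";
        ++counter;
    }
    return assets;
}

// Hardened form: a single bound drives both storage and iteration, only
// complete name/reference pairs are accepted, and the vector owns memory,
// so a 0- or 1-entry array yields an empty result instead of a crash.
static std::vector<Asset> parseAssets(const NamesArray &names) {
    std::vector<Asset> assets;
    assets.reserve(names.size() / 2);
    for (std::size_t i = 0; i + 1 < names.size(); i += 2)
        assets.push_back(Asset{names[i], names[i + 1]});
    return assets;
}

int main() {
    // Constructed inputs: a well-formed pair list and the single-entry case.
    NamesArray good = {"video", "12 0 R", "poster", "13 0 R"};
    NamesArray crafted = {"video"};
    std::vector<Asset> a = parseAssets(good);     // 2 assets
    std::vector<Asset> b = parseAssets(crafted);  // empty, no dereference
    return (a.size() == 2 && b.empty()) ? 0 : 1;
}
```

Only parseAssets() is called on the crafted input; parseAssetsUnsafe() is kept solely to show the shape of the defect and would fault on the same input.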
Fixed, thanks.