Bug 1082836 (CVE-2018-7452)

Summary: VUL-1: CVE-2018-7452: xpdf: A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc allows attackers to launch denial of service via a specific pdf file
Product: [Novell Products] SUSE Security Incidents
Reporter: Karol Babioch <karol>
Component: Incidents
Assignee: Peter Simons <peter.simons>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: pgajdos, rfrohl, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/200812/
Whiteboard: CVSSv3:SUSE:CVE-2018-7452:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1133493
Attachments: testcase

Description Karol Babioch 2018-02-26 12:56:08 UTC
CVE-2018-7452

A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf
4.00 allows attackers to launch denial of service via a specific pdf file, as
demonstrated by pdftohtml.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7452
http://www.cvedetails.com/cve/CVE-2018-7452/
Comment 1 Peter Simons 2018-06-21 09:24:34 UTC
We have no applicable patch for the 0 page PDF issue. Upstream has apparently fixed it in their own source code, but they did not make the change available.
Comment 2 Petr Gajdos 2023-06-08 10:35:32 UTC
Assumed testcase
https://github.com/skysider/FuzzVuln/blob/master/xpdf_pdftohtml_null_pointer_dereference_JPXStream_readCodestream.pdf

Only 12/poppler crashes with

==30008== Invalid read of size 4
==30008==    at 0x4F9BFCB: XRef::getNumEntry(long long) (XRef.cc:1303)
==30008==    by 0x4F7D3ED: Lexer::getObj(Object*, char const*, int) (Lexer.cc:594)
==30008==    by 0x4F87B7D: Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:245)
==30008==    by 0x4F88257: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:131)
==30008==    by 0x4F9AB8B: XRef::readXRef(long long*, std::vector<long long, std::allocator<long long> >*, std::vector<int, std::allocator<int> >*) (XRef.cc:551)
==30008==    by 0x4F9ADA8: XRef::XRef(BaseStream*, long long, long long, bool*, bool) (XRef.cc:342)
==30008==    by 0x4F8BECE: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:262)
==30008==    by 0x4F8C0F7: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:167)
==30008==    by 0x4F80A34: LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) (LocalPDFDocBuilder.cc:31)
==30008==    by 0x406C05: main (pdftohtml.cc:242)
==30008==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
11/xpdf is not maintained anymore.
Comment 3 Petr Gajdos 2023-06-16 05:53:00 UTC
Segfault fixed in sr#301260. It is probably unrelated to this CVE.
If I should supplement the submission somehow, let me know.
Comment 7 Petr Gajdos 2023-07-27 14:52:36 UTC
Created attachment 868461 [details]
testcase
Comment 9 Robert Frohl 2023-09-14 13:50:16 UTC
severity does not qualify this issue for the remaining affected product, closing