Bug 1113899 (CVE-2018-18650)

Summary: VUL-1: CVE-2018-18650: xpdf,poppler: Denial of service (Integer Overflow) via a crafted /Size value in a pdf file triggered in XRef::readXRefStream
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Peter Simons <peter.simons>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: pgajdos, smash_bz, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/217982/
Whiteboard: CVSSv3:SUSE:CVE-2018-18650:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1133493

Description Robert Frohl 2018-10-30 09:28:31 UTC
CVE-2018-18650

An issue was discovered in Xpdf 4.00. XRef::readXRefStream in XRef.cc allows
attackers to launch a denial of service (Integer Overflow) via a crafted /Size
value in a pdf file, as demonstrated by pdftohtml. This is mainly caused by the
program attempting a malloc operation for a large amount of memory.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18650
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18650.html
http://www.cvedetails.com/cve/CVE-2018-18650/
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41219&p=41747#p41747

Comment 3 Petr Gajdos 2023-06-12 16:39:37 UTC
https://github.com/Krace/xpdf-poc/raw/master/xpdf-large-size.pdf

TW,15,12/poppler:

$ valgrind  -q pdftohtml xpdf-large-size.pdf
Syntax Error: Invalid 'size' parameter
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid 'size' parameter
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Couldn't read xref table
$

[not reproduced]

11sp1/poppler:

$ valgrind pdftohtml xpdf-large-size.pdf   
==8868== Memcheck, a memory error detector
==8868== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==8868== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==8868== Command: pdftohtml xpdf-large-size.pdf
==8868== 
Error: Invalid 'size' parameter.
Error (0): Call to Object where the object was type 13, not the expected type 7
==8868== 
==8868== HEAP SUMMARY:
==8868==     in use at exit: 183,482 bytes in 4,081 blocks
==8868==   total heap usage: 11,031 allocs, 6,950 frees, 1,216,522 bytes allocated
==8868== 
==8868== LEAK SUMMARY:
==8868==    definitely lost: 3,041 bytes in 21 blocks
==8868==    indirectly lost: 352 bytes in 11 blocks
==8868==      possibly lost: 0 bytes in 0 blocks
==8868==    still reachable: 180,089 bytes in 4,049 blocks
==8868==         suppressed: 0 bytes in 0 blocks
==8868== Rerun with --leak-check=full to see details of leaked memory
==8868== 
==8868== For counts of detected and suppressed errors, rerun with: -v
==8868== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 5)
Aborted (core dumped)
$

[even valgrind crashes]

I think the key is that resize(newSize) will fail.

    if (resize(newSize) != newSize) {
        error(errSyntaxError, -1, "Invalid 'size' parameter");
        return false;
    }

Notably the code is different in 11sp1/poppler:

    if (newSize >= INT_MAX / (int)sizeof(XRefEntry)) {
      error(-1, "Invalid 'size' parameter.");
      return gFalse;
    }

Didn't try to port resize() to 11sp1/poppler so far, perhaps later.
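As an added example (not code from this bug's comments or from poppler itself), the 11sp1 guard quoted above written out as a stand-alone check, together with a table-growth routine that applies it before allocating; XRefEntry is a hypothetical stand-in whose layout is assumed, and the sample /Size values are constructed:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for poppler's XRefEntry; only its size matters here. */
typedef struct { long long offset; int gen; int type; } XRefEntry;

/* Same test as the guard quoted from 11sp1/poppler, plus a sign check: a /Size
 * whose byte count newSize * sizeof(XRefEntry) would not fit in an int is
 * rejected before any allocation is attempted. */
bool xref_size_ok(long newSize)
{
    return newSize >= 0 && newSize < INT_MAX / (long)sizeof(XRefEntry);
}

/* Grow the xref table to newSize entries. Validates first and allocates with
 * calloc, which itself checks the count*size product. Returns NULL on
 * rejection and leaves the caller's table and *outSize untouched. */
XRefEntry *xref_resize(XRefEntry *entries, long oldSize, long newSize, long *outSize)
{
    if (!xref_size_ok(newSize)) {
        fprintf(stderr, "Syntax Error: Invalid 'size' parameter\n");
        return NULL;
    }
    XRefEntry *grown = calloc((size_t)newSize, sizeof(XRefEntry));
    if (grown == NULL) {
        fprintf(stderr, "Syntax Error: cannot allocate xref table\n");
        return NULL;
    }
    if (entries != NULL && oldSize > 0 && oldSize <= newSize)
        memcpy(grown, entries, (size_t)oldSize * sizeof(XRefEntry));
    free(entries);
    *outSize = newSize;
    return grown;
}

int main(void)
{
    /* Constructed /Size values: a sane one and one far past the guard. */
    long sizes[] = { 100L, (long)INT_MAX };
    for (size_t i = 0; i < 2; i++) {
        long n = 0;
        XRefEntry *t = xref_resize(NULL, 0, sizes[i], &n);
        printf("/Size %ld -> %s\n", sizes[i], t ? "accepted" : "rejected");
        free(t);
    }
    return 0;
}
```

The guard only rules out the int overflow; a parser would additionally cap /Size against the file length, as the resize() return-value check in the TW/15/12 code suggests.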
Comment 4 Petr Gajdos 2023-06-13 06:57:00 UTC
(In reply to Petr Gajdos from comment #3)
> 11sp1/poppler:

However, 11sp1/poppler is not maintained anymore. I suggest closing this bug.