Bug 1082836 (CVE-2018-7452) - VUL-1: CVE-2018-7452: xpdf: A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc allows attackers to launch denial of service via a specific pdf file
Summary: VUL-1: CVE-2018-7452: xpdf: A NULL pointer dereference in JPXStream::fillRead...
Status: RESOLVED FIXED
Alias: CVE-2018-7452
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assignee: Peter Simons
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/200812/
Whiteboard: CVSSv3:SUSE:CVE-2018-7452:3.3:(AV:L/...
Keywords:
Depends on:
Blocks: 1133493
Reported: 2018-02-26 12:56 UTC by Karol Babioch
Modified: 2023-09-14 13:50 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
testcase (220.65 KB, application/pdf)
2023-07-27 14:52 UTC, Petr Gajdos

Description Karol Babioch 2018-02-26 12:56:08 UTC
CVE-2018-7452

A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf
4.00 allows attackers to launch denial of service via a specific pdf file, as
demonstrated by pdftohtml.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7452
http://www.cvedetails.com/cve/CVE-2018-7452/
Comment 1 Peter Simons 2018-06-21 09:24:34 UTC
We have no applicable patch for the 0 page PDF issue. Upstream has apparently fixed it in their own source code, but they did not make the change available.
Comment 2 Petr Gajdos 2023-06-08 10:35:32 UTC
Assumed testcase
https://github.com/skysider/FuzzVuln/blob/master/xpdf_pdftohtml_null_pointer_dereference_JPXStream_readCodestream.pdf

Only 12/poppler crashes with

==30008== Invalid read of size 4
==30008==    at 0x4F9BFCB: XRef::getNumEntry(long long) (XRef.cc:1303)
==30008==    by 0x4F7D3ED: Lexer::getObj(Object*, char const*, int) (Lexer.cc:594)
==30008==    by 0x4F87B7D: Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:245)
==30008==    by 0x4F88257: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:131)
==30008==    by 0x4F9AB8B: XRef::readXRef(long long*, std::vector<long long, std::allocator<long long> >*, std::vector<int, std::allocator<int> >*) (XRef.cc:551)
==30008==    by 0x4F9ADA8: XRef::XRef(BaseStream*, long long, long long, bool*, bool) (XRef.cc:342)
==30008==    by 0x4F8BECE: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:262)
==30008==    by 0x4F8C0F7: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:167)
==30008==    by 0x4F80A34: LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) (LocalPDFDocBuilder.cc:31)
==30008==    by 0x406C05: main (pdftohtml.cc:242)
==30008==  Address 0x1c is not stack'd, malloc'd or (recently) free'd


11/xpdf is not maintained anymore.
Comment 3 Petr Gajdos 2023-06-16 05:53:00 UTC
Segfault fixed in sr#301260. It is probably unrelated to this CVE.
If I should supplement the submission somehow, let me know.
Comment 7 Petr Gajdos 2023-07-27 14:52:36 UTC
Created attachment 868461 [details]
testcase
Comment 9 Robert Frohl 2023-09-14 13:50:16 UTC
Severity does not qualify this issue for the remaining affected product, closing.