Описание
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| poppler | fixed | 0.81.0-1 | experimental | package |
| poppler | fixed | 0.85.0-2 | package |
Примечания
https://gitlab.freedesktop.org/poppler/poppler/issues/805
Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557 (poppler-0.79.0)
Reproducer: https://gitlab.freedesktop.org/poppler/poppler/uploads/3f22837ebd503f87e730b51221b89742/raiter_issue5465.pdf
EPSS
Связанные уязвимости
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
Уязвимость функции JPXStream::init библиотеки для отображения PDF-файлов Poppler, связанная с целочисленным переполнением значения, позволяющая нарушителю вызвать отказ в обслуживании
EPSS