An issue was discovered in Xpdf 4.00. catalog->getNumPages() in AcroForm.cc allows attackers to launch a denial of service (hang caused by large loop) via a specific pdf file, as demonstrated by pdftohtml. This is mainly caused by a large number after the /Count field in the file.
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xpdf | Xpdfreader | 4.00 (including) | 4.00 (including) |
| Ipe | Ubuntu | bionic | * |
| Ipe | Ubuntu | cosmic | * |
| Ipe | Ubuntu | disco | * |
| Ipe | Ubuntu | eoan | * |
| Ipe | Ubuntu | groovy | * |
| Ipe | Ubuntu | hirsute | * |
| Ipe | Ubuntu | impish | * |
| Ipe | Ubuntu | kinetic | * |
| Ipe | Ubuntu | lunar | * |
| Ipe | Ubuntu | mantic | * |
| Ipe | Ubuntu | trusty | * |
| Ipe | Ubuntu | xenial | * |
| Libextractor | Ubuntu | cosmic | * |
| Libextractor | Ubuntu | disco | * |
| Libextractor | Ubuntu | eoan | * |
| Libextractor | Ubuntu | groovy | * |
| Libextractor | Ubuntu | hirsute | * |
| Libextractor | Ubuntu | impish | * |
| Libextractor | Ubuntu | trusty | * |
| Libextractor | Ubuntu | xenial | * |
| Xpdf | Ubuntu | cosmic | * |
| Xpdf | Ubuntu | trusty | * |