There is an invalid memory access in the function TextString::~TextString() located in Catalog.cc in Xpdf 4.0.2. It can be triggered by (for example) sending a crafted pdf file to the pdftohtml binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Weakness
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xpdf | Xpdfreader | 4.0.2 (including) | 4.0.2 (including) |
| Ipe | Ubuntu | bionic | * |
| Ipe | Ubuntu | focal | * |
| Ipe | Ubuntu | groovy | * |
| Ipe | Ubuntu | hirsute | * |
| Ipe | Ubuntu | impish | * |
| Ipe | Ubuntu | kinetic | * |
| Ipe | Ubuntu | lunar | * |
| Ipe | Ubuntu | mantic | * |
| Ipe | Ubuntu | oracular | * |
| Ipe | Ubuntu | plucky | * |
| Ipe | Ubuntu | trusty | * |
| Ipe | Ubuntu | xenial | * |
| Poppler | Ubuntu | trusty | * |
| Xpdf | Ubuntu | hirsute | * |
| Xpdf | Ubuntu | impish | * |
| Xpdf | Ubuntu | trusty | * |
| Xpdf | Ubuntu | xenial | * |
Potential Mitigations
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable’s type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Related Attack Patterns
References
- https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42028
- https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42028