CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler
A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
A logic error in function Hints::Hints (poppler/Hints.cc) was found with fuzzing.
There is a check after the memory allocation that sets nPages to zero if it failed:
    if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {
        error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");
        nPages = 0;
    }
But at the end of the function, there is a direct call to function readTables WITHOUT a check of nPages.
I believe it should be changed to:
    if (nPages != 0) {
        readTables(str, linearization, xref, secHdlr);
    }
Otherwise, with the attached poc.pdf, the pdftops program will hang for a very long time (days), which could be a DoS.

    pdftops poc.pdf
Edited Mar 15, 2022 by
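
The control flow described in the report, as an added example that is not Poppler's code or the reporter's: a simplified model showing that setting nPages to 0 after a failed allocation only keeps the table read from running when the call site checks it. HintsModel, allocChecked, reachesParser and the 1 MiB cap are hypothetical names and values chosen for the demonstration.

```cpp
// Simplified model of the reported control flow; not Poppler's code.
#include <cstddef>
#include <cstdint>
#include <cstdlib>

// Hypothetical overflow-checked allocator: returns nullptr instead of
// aborting when count * size exceeds a constructed 1 MiB demo cap.
static void *allocChecked(std::size_t count, std::size_t size) {
    const std::size_t cap = 1u << 20;
    if (count == 0 || size == 0 || count > cap / size) return nullptr;
    return std::calloc(count, size);
}

class HintsModel {
public:
    // guardRead=false is the reported flow; true applies the proposed check.
    HintsModel(std::size_t pagesFromFile, bool guardRead) : nPages(pagesFromFile) {
        pageLength = static_cast<unsigned *>(allocChecked(nPages, sizeof(unsigned)));
        pageOffset = static_cast<long long *>(allocChecked(nPages, sizeof(long long)));
        if (!pageLength || !pageOffset) {
            nPages = 0; // the constructor records the failure here...
        }
        if (!guardRead || nPages != 0) {
            readTables(); // ...but only the guarded call site honours it
        }
    }
    ~HintsModel() { std::free(pageLength); std::free(pageOffset); }
    HintsModel(const HintsModel &) = delete;
    HintsModel &operator=(const HintsModel &) = delete;
    bool tablesParsed() const { return parsed; }
    std::size_t pages() const { return nPages; }

private:
    void readTables() {
        parsed = true; // stands in for parsing the hints table from the file
        for (std::size_t i = 0; i < nPages; ++i) { pageLength[i] = 0; pageOffset[i] = 0; }
    }
    std::size_t nPages;
    unsigned *pageLength = nullptr;
    long long *pageOffset = nullptr;
    bool parsed = false;
};

// True when construction reached readTables() for the given page count.
static bool reachesParser(std::size_t pagesFromFile, bool guardRead) {
    return HintsModel(pagesFromFile, guardRead).tablesParsed();
}
```

With a page count too large to allocate, reachesParser returns true for the unguarded flow and false for the guarded one; with a small page count both flows read the tables as normal.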