
CVE-2023-3436: xpdf-4.04/xpdf/XRef.cc: XRef::getObjectStreamObject - forum.xpdfreader.com

Xpdf 4.04 will deadlock on a PDF object stream whose “Length” field is itself in another object stream.


The program seems to be stuck waiting for a lock while executing the XRef::getObjectStreamObject function. I am not sure if this is a deadlock issue, or if it is an error.

Version: 4.04
Reproduce: pdftotext poc.pdf poc.txt
My system OS: Ubuntu 22.04
My compilation process:

mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release …
make
sudo make install
pdftotext poc.pdf poc.txt


Program received signal SIGINT, Interrupt.
__lll_lock_wait (futex=futex@entry=0x55555578a6a0, private=0)
    at lowlevellock.c:52
52  lowlevellock.c: No such file or directory.
(gdb) bt
#0  __lll_lock_wait (futex=futex@entry=0x55555578a6a0, private=0)
    at lowlevellock.c:52
#1  0x00007ffff7f9d0a3 in __GI___pthread_mutex_lock (
    mutex=mutex@entry=0x55555578a6a0) at ../nptl/pthread_mutex_lock.c:80
#2  0x000055555568d140 in XRef::getObjectStreamObject (
    this=this@entry=0x55555578a020, objStrNum=358, objIdx=5, 
    objNum=objNum@entry=361, obj=obj@entry=0x7fffffffdc60)
    at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/XRef.cc:1304
#3  0x000055555568d797 in XRef::fetch (this=0x55555578a020, num=361, gen=0, 
    obj=0x7fffffffdc60, recursion=1)
    at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/XRef.cc:1266
#4  0x0000555555672161 in Object::dictLookup (this=0x7fffffffde50, 
    recursion=1, obj=0x7fffffffdc60, key=0x5555556c8d07 "Length")
    at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Object.h:267
#5  Parser::makeStream (this=0x5555557d7170, dict=0x7fffffffde50, fileKey=0x0, 
    encAlgorithm=cryptRC4, keyLength=0, objNum=205, objGen=0, recursion=1)
    at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Parser.cc:175
#6  0x0000555555672a52 in Parser::getObj (this=this@entry=0x5555557d7170, 
    obj=obj@entry=0x7fffffffde50, simpleOnly=simpleOnly@entry=0, fileKey=0x0, 
    encAlgorithm=cryptRC4, keyLength=0, objNum=<optimized out>, 
    objGen=<optimized out>, recursion=<optimized out>)
    at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Parser.cc:103
#7  0x000055555568d865 in XRef::fetch (this=0x55555578a020, num=205, gen=0,

Unfortunately, even if the test file is compressed, it still exceeds 600KB. Can you increase the upload file size limit on the forum? Or are there other ways to transfer files to you?
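The backtrace above shows the shape of the hang: XRef::getObjectStreamObject takes the object-stream mutex, parsing that stream needs its /Length, the Length is an indirect object that lives in another object stream, so XRef::fetch calls getObjectStreamObject again and the second pthread_mutex_lock on a non-recursive mutex never returns. Note that the xpdf `recursion` counter visible in the frames (recursion=1) cannot catch this, because the program blocks long before any depth limit is reached. The following is an added example, not xpdf code and not the 4.05 fix: the function names mirror the trace, but the object graph, the Entry/ObjStream structures and the hardening check are invented for illustration. The single-threaded NonRecursiveLock stands in for the default pthread mutex and reports a would-block instead of hanging, so the program terminates. The hardened variant refuses re-entry into the object-stream loader while the cache lock is held on the current path, which is safe because ISO 32000-1 (7.5.7) forbids storing the value of an object stream's Length entry inside an object stream.

```cpp
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Where an object lives: a direct integer (e.g. a Length value), or compressed
// inside object stream objStrNum at position idx. Invented for this example.
struct Entry { bool direct; int value; int objStrNum; int idx; };
// An object stream: its /Length is an indirect reference to lengthObjNum and it
// holds the listed integer objects in order. Invented for this example.
struct ObjStream { int lengthObjNum; std::vector<int> objects; };

enum class Status { Ok, WouldDeadlock, Reentrant, TooDeep };
struct Result { Status status; int value; };

// Single-threaded stand-in for a default (non-recursive) pthread mutex. A second
// lock from the thread that already holds it blocks forever in the real program
// (the __lll_lock_wait frame in the trace); here acquire() reports it instead.
class NonRecursiveLock {
    bool held_ = false;
public:
    bool acquire() { if (held_) return false; held_ = true; return true; }
    void release() { held_ = false; }
    bool heldOnThisPath() const { return held_; }  // real code: compare owner thread id
};

class XRefModel {
    std::map<int, Entry> xref_;
    std::map<int, ObjStream> streams_;
    std::map<int, std::vector<int>> cache_;  // parsed object streams
    NonRecursiveLock cacheMutex_;
    bool hardened_;
    static const int kMaxRecursion = 16;     // depth guard, like xpdf's recursion parameter
public:
    XRefModel(std::map<int, Entry> xref, std::map<int, ObjStream> streams, bool hardened)
        : xref_(std::move(xref)), streams_(std::move(streams)), hardened_(hardened) {}

    Result fetch(int num, int recursion = 0) {
        if (recursion > kMaxRecursion) return {Status::TooDeep, 0};
        auto it = xref_.find(num);
        if (it == xref_.end()) return {Status::Ok, 0};   // missing object resolves to null
        const Entry& e = it->second;
        if (e.direct) return {Status::Ok, e.value};
        return getObjectStreamObject(e.objStrNum, e.idx, recursion);
    }

    Result getObjectStreamObject(int objStrNum, int idx, int recursion) {
        // Hardening (assumed approach): never re-enter the loader while this
        // path already holds the cache lock; return an error object instead.
        if (hardened_ && cacheMutex_.heldOnThisPath()) return {Status::Reentrant, 0};
        if (!cacheMutex_.acquire()) return {Status::WouldDeadlock, 0};
        Result r = loadAndLookup(objStrNum, idx, recursion);
        cacheMutex_.release();
        return r;
    }
private:
    Result loadAndLookup(int objStrNum, int idx, int recursion) {
        auto s = streams_.find(objStrNum);
        if (s == streams_.end()) return {Status::Ok, 0};
        if (!cache_.count(objStrNum)) {
            // Parsing the stream needs its /Length; resolving it is what recurses
            // back into fetch() -> getObjectStreamObject() with the lock held.
            Result len = fetch(s->second.lengthObjNum, recursion + 1);
            if (len.status != Status::Ok) return len;
            cache_[objStrNum] = s->second.objects;
        }
        const std::vector<int>& objs = cache_[objStrNum];
        if (idx < 0 || idx >= static_cast<int>(objs.size())) return {Status::Ok, 0};
        return {Status::Ok, objs[idx]};
    }
};

// Constructed object graph using the numbers from the backtrace (not taken from
// the poster's poc.pdf): object 300 sits in object stream 205; 205's /Length is
// object 361; 361 sits in object stream 358 at index 5; 358's /Length (object
// 359) is a direct integer, so 358 alone loads fine.
XRefModel buildModel(bool hardened) {
    std::map<int, Entry> xref = {
        {300, {false, 0, 205, 0}},
        {361, {false, 0, 358, 5}},
        {359, {true, 1234, 0, 0}},
    };
    std::map<int, ObjStream> streams = {
        {205, {361, {42}}},
        {358, {359, {10, 11, 12, 13, 14, 777}}},
    };
    return XRefModel(xref, streams, hardened);
}

Status triggerStatus(bool hardened) { return buildModel(hardened).fetch(300).status; }
int legitLookup(bool hardened) { return buildModel(hardened).fetch(361).value; }

int main() {
    std::printf("vulnerable fetch(300): %s\n",
        triggerStatus(false) == Status::WouldDeadlock ? "second lock on cache mutex, would hang" : "ok");
    std::printf("hardened  fetch(300): %s\n",
        triggerStatus(true) == Status::Reentrant ? "rejected as re-entrant Length lookup" : "ok");
    std::printf("fetch(361) with lock free: %d (both variants)\n", legitLookup(true));
    return 0;
}
```

Running it shows the vulnerable path failing at the second lock while the same model resolves object 361 normally when the lock is free, which is the distinction the poster's trace demonstrates. In a multithreaded reader the re-entry check must compare the lock owner's thread id rather than a plain flag; releasing the lock around the Length fetch is an alternative, but then the cache insert has to be rechecked after re-acquiring.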

Related news

Gentoo Linux Security Advisory 202409-25

Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions prior to 4.05 are affected; 4.05 contains the fixes.
