CVE-2021-27548: xpdf 4.03 bug in pdftops
There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
A NULL pointer dereference in the GString::getCString function in GString.h in xpdf-4.03, different from viewtopic.php?f=3&t=41241&p=41808&hilit … ing#p41808.
./pdftops 'null_point.pdf'
Syntax Error (92917): Command token too long
Syntax Error (93045): Command token too long
Syntax Error (93173): Command token too long
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==15006==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55780e688f11 bp 0x7fff1cac0d50 sp 0x7fff1cac0d40 T0)
==15006==The signal is caused by a READ memory access.
==15006==Hint: address points to the zero page.
#0 0x55780e688f10 in GString::getCString() /home/luna/test/xpdf/xpdf-4.03/goo/GString.h:83
#1 0x55780e669d32 in XFAScanner::getFieldValue(ZxElement*, GString*, GString*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:349
#2 0x55780e669bd1 in XFAScanner::scanField(ZxElement*, GString*, GString*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:333
#3 0x55780e6698a7 in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:296
#4 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
#5 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
#6 0x55780e669a1c in XFAScanner::scanNode(ZxElement*, GString*, GString*, GHash*, GHash*, GString*, ZxElement*, GHash*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:309
#7 0x55780e66849f in XFAScanner::load(Object*) /home/luna/test/xpdf/xpdf-4.03/xpdf/XFAScanner.cc:139
#8 0x55780e4ce1d9 in AcroForm::load(PDFDoc*, Catalog*, Object*) /home/luna/test/xpdf/xpdf-4.03/xpdf/AcroForm.cc:352
#9 0x55780e4f034d in Catalog::Catalog(PDFDoc*) /home/luna/test/xpdf/xpdf-4.03/xpdf/Catalog.cc:234
#10 0x55780e6276a4 in PDFDoc::setup2(GString*, GString*, int) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:318
#11 0x55780e627268 in PDFDoc::setup(GString*, GString*) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:276
#12 0x55780e626c5d in PDFDoc::PDFDoc(char*, GString*, GString*, PDFCore*) /home/luna/test/xpdf/xpdf-4.03/xpdf/PDFDoc.cc:218
#13 0x55780e4cd7fa in main /home/luna/test/xpdf/xpdf-4.03/xpdf/pdftops.cc:309
#14 0x7f7fae9130b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#15 0x55780e49106d in _start (/home/luna/test/xpdf/xpdf-4.03/build/xpdf/pdftops+0x14106d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/luna/test/xpdf/xpdf-4.03/goo/GString.h:83 in GString::getCString()
==15006==ABORTING