The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes.

*   Details
*   Reviews
*   Installation
*   Development

This WordPress plugin started as a portable, cross-platform system that  
the Wendell Free Library could use as a transition system from its current  
paper card based circulation system to the system that will eventually  
be rolled out by the regional library system. It has ‘morphed’ to a  
web-based successor to Deepwoods Software’s Home Librarian 3 system.

This plugin implements a simple and basic, web-based, library catalog  
and circulation system. There are short codes that can be added to  
pages of a WordPress site to search and display items in the library  
collection. And there are back-end (admin) pages that implement  
management of the collection, management of patrons (users) of the  
library, as well as implementing the functionality of a circulation  
desk.

The plugin can be installed by uploading the Zip file to the plugin  
installer or unpacking the zip file under the plugins directory.

There are some options that can be set, but these options are not needed  
for basic operation. There are three short codes that can be added to  
pages or posts for front end searching and display of your library  
collection and there are a number of back-end (dashboard) pages for all  
of the management of your library.

Please read the PDF User Manual (also available in  
Italian) for complete documentation on using this plugin. This  
is a fairly non-trivial plugin, and there is not a simple quick-start guide  
for the impatient. The user manual files are 1548805 bytes long for the  
Italian version and 1548666 for the Englist version and MD5 sums are  
available. If you are having trouble opening the PDFs,  
please check the size and the MD5Sum. If the size is right and the MD5Sum is  
right, try another PDF viewer.

Support is handled either with \[Deepwoods Software’s Bugzilla\]\[bugreport\]  
(submit any bugs and feature requests to the Bugzilla) or though the  
\[Deepwoods Software’s Support page\]\[support\] (use this for comments or  
for general questions).

You’ve successfully installed the Web Librarian, but none of the admin  
menus (Patrons, Collection, Circulation Types, Circulation Desk, or  
Circulation Stats) show up. Why is this? This is because you are  
probably logged in as the web site administrator (your user role is  
Administrator). You need to create at least a user with a user role of  
Librarian and then log in as this user. Optionally, you can also  
create users with roles of Senior Aid or Volunteer, who have lesser  
privileges — these latter users make sense if you are a large enough  
library that has additional staff (“Senior Aid”) or uses additional  
workers (“Volunteer”) who man the circulation desk(s). It is important  
to read the subsection titled “User Role Setup” in the “Installation and  
basic setup” section _carefully_ and to be sure you understand it fully.

**Which stylesheet (CSS) selectors can I use to modify the appearance of the front end?**

This is described in the appendix of the user manual.

**I am having a problem with the bulk upload.**

Here are some tips relating to problems with bulk uploading a collection:

If you export a CSV file from Excel (and probably other ‘modern’ spreadsheet  
programs as well), you should check the resulting CSV file with a _plain text_  
editor. Things to look for include extra commas at the ends of lines  
(‘phantom’ or empty columns) and strange characters, partitularly in the  
headings and in barcodes (if you using your own barcodes).

Other issues involving issues with newline characters. Most of the time  
WordPress will be running on a LAMP server (a Linux machine). Linux uses the  
linefeed character (ASCII 10, Ctrl-j) as newline character. MS-Windows uses a  
two character sequence for newlines: carriage return (ASCII 13, Ctrl-m)  
followed by a linefeed (ASCII 10, Ctrl-j). MacOSX uses just a carriage  
return (ASCII 13, Ctrl-m). Web browsers are _supposed_ to normalize uploaded  
plain text files, but sometimes this does not happen. It might be necessary  
to fix things in advance of uploading.

Finally, try your upload in _small_ chunks, at least until you get the process  
worked out. Remember that most WordPress (PHP) installs have a limit on the  
maximum size of uploaded files, so a really large database is going to have be  
uploaded in chunks anyway.

**How do I check an item out?**

In order to check an item out, you need to load a patron record into the  
circulation desk page. You can use the “Find Patron” button to search the  
patrons by name and then select the proper result from the list of results  
in the drop down and then click the “Lookup Patron” to load that patron’s  
record. You can then enter the item’s barcode in the item barcode field and  
click the “Checkout” button. It is possible to pre-load the item barcode  
field before looking up the patron.

**Search does not work – sends me back to my home page**

This is caused by a conflict with permalinks and form handling. Answered in  
the support forum on the WordPress site:

https://wordpress.org/support/topic/search-doesnt-work-7

I’d suggest this solution:

Change your site’s permalink settings: on the dashboard select  
Settings->permalinks, then select something other than the ‘default’.

**I cannot open the user manual, it appears to be corrupt**

Please check the size of the PDF (1548805 for user\_manual\_IT.pdf and 1548666  
for user\_manual.pdf) and also check the MD5 sum to make  
sure you properly downloaded the file. The correct download urls are:

User Manual (English):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual.pdf

User Manual (Italian):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual\_IT.pdf

**Something does not work. What should I do?**

Submit a bug at \[Deepwoods Software’s Bugzilla\]\[bugreport\].

**I have another question that is not listed here. What should I do?**

Submit one on Deepwoods Software’s Support page. You can  
also submit a documentation bug at Deepwoods Software’s Bugzilla  
as well.

Dear Robert, Truly value your exertion in making this module. Good to run an online library. We have effectively setup and propelled a free online library for our group. Great work. We created a new theme on your work and its all thanks to your work. Web Librarian Much thanks 🙂

As a non-lending family history society, we wanted a plugin which would enable members to search the library catalogue and display results. We did not require the circulation side of it as we don't lend materials. We also wanted the ability to enter the category and subject so have added those to the database\_code\_php so that the librarian can select from each without having to retype every time. The librarian can export to a CSV file (already provided), and can now search the collection using Title, ISBN, Keyword, Call Number etc and sort on those headings as well. This has the bones of a good program for our needs and I had searched long and hard before downloading this one.

I tried loading this onto a subdomain site with the theme ‘Evolve'. Each time the plugin uploaded and activated, but soon as I added a library user the subdomain site and my main site froze. I had to delete the plugin in order to restore. Maybe this is a good plugin but not for me. I have no option but to look for an alternative.

Read all 12 reviews

“WebLibrarian” is open source software. The following people have contributed to this plugin.

Contributors

*    Robert Heller

**3.5.8.1**

Updated .pot file.

**3.5.8**

Minor bug fixes.

**3.5.7**

Fixed collection sorting.

**3.5.6**

Fixed missing ; in short\_codes.php.

**3.5.5**

Fix CVE-2019-1010034.

**3.5.4**

Add loading of base jQuery, in case the theme does not load it.

**3.5.3**

Perform length check and truncation in WEBLIB\_ItemInCollection::upload\_csv().

**3.5.2**

Removed extra dollar sign in database\_code.php.

**3.5.1**

Small bug — fix small edit error in WEBLIB\_AdminPages constructor.

**3.5**

Changed the localization slug from web-librarian to weblibrarian to conform  
with https://make.wordpress.org/meta/handbook/documentation/translations/

**3.4.8.7**

Fix yet another XSS problem in front end short codes.

**3.4.8.6**

Fix additional XSS problems in front end short codes.

**3.4.8.5**

Fix XSS problem in front end short codes.

**3.4.8.4**

Fix pubdate error in short codes.

**3.4.8.3**

Corrected ordering of fields in long format short code.

**3.4.8.2**

*   Make date display and entry in forms consistent.

**3.4.8.1**

*   Remove USA specific State check (required two letter state).

**3.4.8**

*   Relaxed the State, Zip, and Telephone fields of patrons to allow for non-USA users.

**3.4.7**

*   Fix small error handling code in WEBLIB\_Patrons\_Admin.php.

**3.4.6**

*   Changed to use PHP5 constructors in Widget classes (WP\_Widget).

**3.4.5**

*   Changed split() in includes/WEBLIB\_Patrons\_Admin.php to explode().

**3.4.4**

*   Added Czech language files.

**3.4.3**

*   Added Brazilian Portugese language module.

**3.4.2**

*   Minor bugfix for Patron Short Codes: removed unused functions and removed  
    references to undefined members (leftovers from copying ListTable code from  
    Admin land).

**3.4.1**

*   Added check for patron insertion falure.

**3.4**

*   Added short codes to put patron edit functions on the front side: editing  
    patron contact info along with hold and circs handling. This allows use with  
    plugins like WooCommerce that redirect away from the “normal” WP Admin  
    Dashboard.

**3.3**

*   Secure data export code: convert to use admin-post.php.
*   Secure AWS code: convert to use admin-post.php and admin-ajax.php
*   Move AJAX code to proper WP coding (using admin\_ajax.php).

**3.2.10.14**

*   Add ‘view\_admin\_dashboard’ cap. to Librarian, Senior Aid, and Volunteer, to allow usage with WooCommerce.

**3.2.10.13**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::single\_row\_columns()).

**3.2.10.12**

*   Add auto truncation of collection fields to prevent database errors.

**3.2.10.11**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::get\_column\_info()).

**3.2.10.10**

*   Fix minor error (unset variable).

**3.2.10.9**

*   Fix errors in cirlist code (fun with changed WP\_List api…).

**3.2.10.8**

*   Moved URL defines to the constructor. And updated tested to version.

**3.2.10.7**

*   Fix incrstring — MySQL uses case folded compares for unique string keys!

**3.2.10.6**

*   Add wildcards to username search in add patron id.

**3.2.10.5**

*   Fix small bug in Add Patron ID page: wrong page id in search form.

**3.2.10.4**

*   Minor stylesheet fix (#overdue => span.overdue).

**3.2.10.3**

*   Minor documentation update.

**3.2.10.1**

*   Handle Excel extra column stupidity.

**3.2.10**

*   Fix problems with generated barcodes during bulk uploads.

**3.2.9.9**

*   Include medium and large image in AWS item loopup and make them available for insertion

**3.2.9.8**

*   Fix bug in autobarcode generator code. (Stupid SQL ‘order by’!).

**3.2.9.7**

*   Updated AWS Locale endpoints.

**3.2.9.6**

*   Fix missing name attribute in short code.

**3.2.9.5**

*   Remove two small short tags.

**3.2.9.4**

*   Comment out ALL debug code (silly IIS).

**3.2.9.3**

*   Fix minor bug in patron admin code (wrong page name).

**3.2.9.2**

*   Workaround for missing localization function (nl\_langinfo()).
*   Fix missing localization function call (missing \_’s).

**3.2.9.1**

*   Fix typo in the readme.txt file.

**3.2.9**

*   Contextual help translated to Italian (completed).

**3.2.8.3**

*   Update when styles are enqueued.
*   Contextual help translated to Italian (in progress).

**3.2.8.2**

*   Updated readme: Fixed Changelog section (too many =’s!).  
    Added link for user manual (in English and Italian).
*   Updated user manual to include style sheet information for front side  
    styling.

**3.2.8.1**

*   Added hook to allow for localized contextual help.
*   Fixed minor localization bug.

**3.2.8**

*   Move user manual to assets.
*   Small fix to options page: allow for blank AWS options.

**3.2.7.7**

*   Front side update: minor short code updates.

**3.2.7.6**

*   Front side update: short codes and front style sheet updates.

**3.2.7.5**

*   Localization updates. Minor database update.

**3.2.7.4**

*   Localization updates, including localized date validation.

**3.2.7.3**

*   Localization updates.

**3.2.7.2**

*   Added missing style definition for weblib-item-table.

**3.2.7.1**

*   Changed default for publication date to 1900-01-01 to deal with possible  
    MySQL/PHP error on activation (out of range default for publication date).

**3.2.7**

*   Fixed up the jQuery UI, smoothed out the rough edges (eg got all of the  
    proper stylesheet and image support). Additional (minor) localization  
    updates.

**3.2.6.1**

*   Way too much fun with resizable iframes and jQuery: put the Amazon search  
    thingy in an iframe and put the iframe into a resizable (via jQuery) div.  
    sort of works, but still a little funky.
*   Fixed various minor typos: broken tags, spelling errors, missing  
    localizations.

**3.2.6**

*   Changed AWS insert buttons to be a small icon instead of “bulky” text buttons
*   Updated localization, added Italian translation.

**3.2.5.3**

*   Add insert / add buttons to Amazon item loopup. (Experimental!)

**3.2.5.2**

*   Remove roles on deactivate.
*   Make title the default on Amazon searches.

**3.2.5.1**

*   Move loading of Localization files to the correct place

**3.2.5**

*   Added missing contextual help page.
*   Fixed silly typo error in the collection bulk delete code.

**3.2.4**

*   Added code to collection and patron delete functions to clear out orphaned  
    holds and checkouts.
*   Added Collection Database Maintenance page, containing a button to clear out  
    orphaned holds and checkouts.

**3.2.3**

*   Updated the support/donation links (added localization).
*   Added an ‘About’ page.

**3.2.2**

*   Added donation buttons and links.
*   Updated localization.

**3.2.1**

*   Minor bug fix with Call Number column.

**3.2**

*   Added Call Number column to collection database.
*   Updated localization.

**3.1**

*   Minor documentation update for the contextual help for the options page.

**3.0**

*   Major code rewrite. All of the WP\_List\_Tables redone properly and  
    separated into separate source files. Adding the per\_page screen options  
    properly.  
    Added bulletproofing to the collection import code: barcodes are now checked  
    and fixed as they are added — no more ‘broken’ databases!

**2.6.3.2**

*   Various security fixes.

**2.6.3.1**

*   Include debugging code.

**2.6.3**

*   Fixed minor bug with telephone number validation when adding patrons.

**2.6.2**

*   Fixed database creation to deal with MS-Windows / MySQL weirdness  
    (no default allowed for BLOB/TEXT — error under MS-Windows, warning  
    under Linux).

**2.6.1**

*   Add localization to the JavaScript code

**2.6**

*   Add localization to the PHP code

**2.3**

*   Fixed a SQL syntax error.
*   Added ‘upload\_files’ capability to Librarian and SeniorAid roles (allows  
    them to upload images for items in the collection).
*   Fixed the scoping of variables in the JavaScript code.

**2.2.2**

*   Added something to the FAQ section.

**2.2.1**

*   Fixed a problem with the search form short code.

**2.2**

*   Fixed a problem with short PHP tags.

**2.1**

*   Updated to include the AssociateTag parameter required by Amazon.

**2.0**

*   Initial public release.

CVE-2017-18539: WebLibrarian

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger).

CVE-2016-10894: #830726 - xtrlock: CVE-2016-10894: xtrlock does not block multitouch events

A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V20.8), SIMATIC HMI Panel (incl. SIPLUS variants) (All versions), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.4.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.8.1), SIMATIC S7-1500 Software Controller (All versions < V20.8), SIMATIC S7-PLCSIM Advanced (All versions < V3.0), SIMATIC STEP 7 (TIA Portal) (All versions < V16), SIMATIC WinCC (TIA Portal) (All versions < V16), SIMATIC WinCC OA (All versions < V3.16 P013), SIMATIC WinCC Runtime Advanced (All versions < V16), SIMATIC WinCC Runtime Professional (All versions < V16), TIM 1531 IRC (incl. SIPLUS NET variants) (All versions < V2.1). Affected devices contain a message protection bypass vulnerability due to certain
properties in the calculation used for integrity protection.

This could allow an attacker in a Man-in-the-Middle position to modify network
traffic sent on port 102/tcp to the affected devices.

%PDF-1.5 %���� 79 0 obj << /Length 2638 /Filter /FlateDecode >> stream x��Z\[S�H~�W�Q�Z7}��v��!d+Sa�b���dK�j��Z2L����Ȗda�$� �ԧ��;\_���n"�������;A"���2�^G #-e��A��h�F��I��eE9S��I6\[-Gc"���N҇�\\� �q�:������"\]ͪӳ�<=�1���lz��# �lH1��>�����aČ�ݓw ��zM��s��Q�ߖLk�aMw����"�xD2\\����AD���ɘ2ʉ~�m���� ��z�Ő�O���e�fm\[�i$q���2����\*��mK�Ԉ�g AT�K�����2�,�� �xے��Q��i�0�E�>2� !�.ͭ0�UE��OF���� L��žp�g�|��QLwZ¨�ԘP����@6�A��%�D\*� +L �V?)�ՅB�C=���Z�v�0F�ة��.�Ž�?N!��&�/�2ĸ�ge���-� 8G�#��.Fw�� �R��?���#m��4�4������ ;�j�)���;��&w�ׁ��;\`gok�h���6����۪��,��E�7�I����\\sS�l���0��̍~������������E���M߬��r�a⧑�q�,au� {(�?�{�}�L������9)�Pg�K���"�=��s$�s���\`�E�FH��u\\���\\����w�O�ˬ���H�8�����?�L��K?��xD ��-n��6�{Qg~�k�~R��\_�/�,������n3��� B�� ?�i���c��Mw�zD�e��Iwk��!�4�y�N~�V޼{\_��#(��<�X����R��G�\`�O?�� 6����f��<��\*N�����$E�\[U�lDL�\_�,��F���O+����֖���S^�l����Z���k\[�f����c\*�B��LM3��C>�Z�d|�H��\`�U"^��r������,+u�}z ;���� :�D\\�f�� I�Y�\\����vaZ�ȃ�ˠ��rq��LƼm��d��79�U�d��囃UQ�ōqK�qg��6$�'�2�t����.��a���� 0P���� wׯ|��{m�����P�b�{���<�p�(� o�@�F�uh� ��^�L��!��?g�Iq���Z�q�\`z\\��G̺��$����1l����M�do��\_+��&vx���;����8�g�o�2Í������0�5�O?ԎdS��B��(�n��L�:�a�\[�5oG��1f �ޢ�v�&\]f7�2 h�q�s���ê��p���fy#�ˢrX�\]��#�IDT�O�ZfA���6�w¯��l�jK�I=Z,��n-F��7���?D������!A��3�1�U��2u���e �}u�ɻwg�ӳ�}����X�! ��\_P�����Av�ne1�����z��۫��G��d��P��=$P�(Q; YR�����;��9@m E?�KtV�\]j\[YЀ�՞|�p5}������F\\S؍�

CVE-2019-10929

The events-manager plugin before 5.6 for WordPress has code injection.

CVE-2015-9298: Events Manager

An issue was discovered in PDFResurrect before 0.18. pdf_load_pages_kids in pdf.c doesn't validate a certain size value, which leads to a malloc failure and out-of-bounds write.

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ enferex/pdfresurrect _base:_ v0.17

_head repository:_ enferex/pdfresurrect _compare:_ v0.18

*   11 commits
*   4 files changed
*   1 contributor

**Commits on Aug 7, 2019**

**Commits on Aug 9, 2019**

2.  Zero and extend a buffer.
    
    This should fix one of the ASAN discovered overflows in Issue #6.
    The test case is stackoverflow\_some.pdf in that issue.  Thanks
    to @rtfingc for finding and reporting this.
    

**Commits on Aug 10, 2019**

3.  Fix a memory leak.
    
    Thanks to @rtfing for pointing this out in Issue #6.  This fixes bugs
    identified by memory\_leak memleak2.pdf

CVE-2019-14934: Comparing v0.17...v0.18 · enferex/pdfresurrect

Wind River VxWorks 6.5, 6.6, 6.7, 6.8, 6.9.3 and 6.9.4 has a Memory Leak in the IGMPv3 client component. There is an IPNET security vulnerability: IGMP Information leak via IGMPv3 specific membership report.

%PDF-1.5 %���� 1 0 obj << /D \[2 0 R /XYZ 70.866 771.024 null\] >> endobj 3 0 obj << /D \[2 0 R /XYZ 70.866 623.188 null\] >> endobj 4 0 obj << /D \[5 0 R /XYZ 70.866 635.334 null\] >> endobj 6 0 obj << /D \[7 0 R /XYZ 85.039 403.552 null\] >> endobj 8 0 obj << /D \[7 0 R /XYZ 70.866 90.477 null\] >> endobj 9 0 obj << /D \[2 0 R /Fit\] /S /GoTo >> endobj 2 0 obj << /Annots \[10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R\] /Resources 16 0 R /Parent 17 0 R /Contents 18 0 R /Type /Page /MediaBox \[0 0 595.276 841.89\] >> endobj 10 0 obj << /Subtype /Link /Border \[0 0 0\] /H /I /Type /Annot /C \[0 1 1\] /Rect \[303.117 355.825 518.276 367.242\] /A << /URI (https://support.industry.siemens.com/cs/us/en/view/109740816) /Type /Action /S /URI >> >> endobj 12 0 obj << /Subtype /Link /Border \[0 0 0\] /H /I /Type /Annot /C \[0 1 1\] /Rect \[303.117 246.637 518.276 258.055\] /A << /URI (https://support.industry.siemens.com/cs/document/109740816/siprotec-5-communication-protocols) /Type /Action /S /URI >> >> endobj 15 0 obj << /Subtype /Link /Border \[0 0 0\] /H /I /Type /Annot /C \[0 1 1\] /Rect \[303.117 100.095 513.396 113.002\] /A << /URI (https://support.industry.siemens.com/cs/ww/en/) /Type /Action /S /URI >> >> endobj 19 0 obj << /Subtype /Link /Border \[0 0 0\] /H /I /Type /Annot /C \[0 1 1\] /Rect \[303.117 647.29 513.396 660.196\] /A << /URI (https://support.industry.siemens.com/cs/ww/en/) /Type /Action /S /URI >> >> endobj 16 0 obj << /Font << /F44 20 0 R /F41 21 0 R >> /ProcSet \[/PDF /Text\] >> endobj 18 0 obj << /Filter /FlateDecode /Length 2912 >> stream x��ZYs�F~ׯ�\[�\*s4���E��N%�VWj+NU �P�-Z��� �M�r� q0GOwO\_@���&�~�<8|+Y��\\'�����j��b&��&��E��ϫј�^��b4f\*-�ϡ�h���J�4�\]7#�jw��-��rR���\`����˟N.�w��!��5������o��d c?%�g�'?�!�J%�g���h����D�҄Z������"�#&��ƴ�a�F\]���J�כ1��l��F�6o�0�0�v��@k� �ĄR\] �G����<\_d7Ŭ���ڔ�{=�\]�\`�H�D��܎4�q�DAbV��(�|�sT�އsA���h��\\�08��dόޟ��ߜ�$�����"��Ui�䰎H��1Y�\*�ҲgKj�ogSn/�K {���V�PŶ1�Ą�1~R��y^o�/5D#����N۝�K�f+�@�q���q����L����=��%��a�I��������.��D�\]x���\`�qf\`x� Q�Im1 7�#��\`�nD�� �\`{�bF�����ε b���s z�b'�C�\[��I��Χ��ħbu���=�2fN��܁E�@�l�AǬ�@7�du����<唹1�c�q

CVE-2019-12265

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.

    An issue was discovered in poppler 0.74 and 0.78, There is a/an FPE in function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc:4625-28

    pdftoppm -cropbox -gray @@

    Program received signal SIGFPE
    pwndbg> p result_width
    $1 = 0
    pwndbg> p surface_width
    $2 = 0

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==29151==ERROR: AddressSanitizer: FPE on unknown address 0x7fea8ca05ae8 (pc 0x7fea8ca05ae8 bp 0x7ffc75bb6b00 sp 0x7ffc75bb6620 T0)
        #0 0x7fea8ca05ae7 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, double const*, int, int, Dict*, double const*, double const*, int, int, int, int, double, double) /src/poppler-0.74/poppler/SplashOutputDev.cc:4625:28
        #1 0x7fea8c4e93be in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /src/poppler-0.74/poppler/Gfx.cc:2225:9
        #2 0x7fea8c4e6646 in Gfx::doPatternStroke() /src/poppler-0.74/poppler/Gfx.cc:1967:5
        #3 0x7fea8c4a3544 in Gfx::opStroke(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:1774:2
        #4 0x7fea8c4df66f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
        #5 0x7fea8c4db707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
        #6 0x7fea8c4da5b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
        #7 0x7fea8c4e52f5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3
        #8 0x7fea8c5163ad in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3
        #9 0x7fea8c49d0fd in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2
        #10 0x7fea8c4df66f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
        #11 0x7fea8c4db707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
        #12 0x7fea8c4da5b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
        #13 0x7fea8c71514c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10
        #14 0x7fea8c7328b1 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20
        #15 0x521264 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /src/poppler-0.74/utils/pdftoppm.cc:287:8
        #16 0x521264 in main /src/poppler-0.74/utils/pdftoppm.cc:600
        #17 0x7fea8ad9882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #18 0x41b838 in _start (/src/aflbuild/installed/bin/pdftoppm+0x41b838)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /src/poppler-0.74/poppler/SplashOutputDev.cc:4625:28 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, double const*, int, int, Dict*, double const*, double const*, int, int, int, int, double, double)
    ==29151==ABORTING
    

    from fuzz project pwd-poppler-pdftoppm-01
    crash name pwd-poppler-pdftoppm-01-00000088-20190427.pdf
    Auto-generated by pyspider at 2019-04-27 20:37:40

CVE-2019-14494: A FPE in function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc:4625-28 (#802) · Issues · poppler / poppler · GitLab

A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.

%PDF-1.4 %���� 1 0 obj << /Type /Page /MediaBox \[ 0 0 595.28 841.88 \] /Resources << /Font << /F1 2 0 R /F2 3 0 R /F3 4 0 R >> /XObject << /img0 5 0 R /img2 6 0 R /img4 7 0 R >> >> /Contents 8 0 R /Parent 9 0 R /Rotate 360 >> endobj 2 0 obj << /Subtype /Type1 /Type /Font /BaseFont /Helvetica /Encoding /WinAnsiEncoding >> endobj 3 0 obj << /Subtype /Type1 /Type /Font /BaseFont /Helvetica-Oblique /Encoding /WinAnsiEncoding >> endobj 4 0 obj << /Subtype /Type1 /Type /Font /BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding >> endobj 5 0 obj << /ColorSpace /DeviceRGB /Subtype /Image /Height 1186 /Filter /DCTDecode /Type /XObject /Width 1186 /BitsPerComponent 8 /Length 207591 >> stream ����ExifII\*��Ducky<���http://ns.adobe.com/xap/1.0/ Print ��HPhotoshop 3.08BIMZ%G8BIM%���ȷ�x/4b4Xw���Adobed����      �������   !1AQaq�"2��BRbr�#т��s��7�3CS��$Tt�U6��c�4�u�უD�%5���ĤFVdE!1AQaq���"2��3��BR���br#�C���?���wE����8K�������������������������������������������������������������������������������������������������������������������������������������������������������-p��\_��\]܄~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~��k��:�N�� ���\\?���p�w!w�Z��ο����'����y}���#{ȋ�s̅��0 p�Pw�ϱ�\]R���3�M�g�^ �fb�(븝; 6�D����6����U�e�g5�f4������D꫕���������������������������������������������������������������������������-p��\_��\]܄~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+}3�.\`d���ɠ�qG,v�a���sR'I�{����J��߆��s��X�Y�#����q��<\`V�T��%m�by��u&&u���>��B����s�\\b����!�T�M�/j�W.�:pw��g6q��5g�-���������S���K�A�(F𺹈;����u��%��@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@A�4��:Wm)��۹����7��X����k�Yiqi�y:˓���kS��xېm�F��\[��w��e�m�ۮ��k7�o\\�˳�������������������������������������������������������������������������-p��\_��\]܄~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~�s9�clP�\\G�J�����8�>��5��#������n#���ϥ\]%i�J�����k.�i���W�K��\]��> =�����P�M�i /j�N^>I����͛~���i\] '��G��� o�o9x6֧z�� ���\\?���p�w!����P~J��T��}�>��R���������(���������ƴ�Aw�Z��ο����&��:�V��V���Oo��Z�l=���wj������x��'��8�\_���e��o��K������68�v\\Gq�K���o�>�4�\[m���^:����e�p\_d\]�Kl�+gd���@�p5�����Dj�d����� uf/1�nj�:��ZYp֎� .�1��+��u�y��,��Nm���>hVkC�Y�;����u��%��@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Ag�K�Qꌓ��X��x���D\\ON!�h ��:J��\[ߵ^��S�Bn�m�:����<��h\\tQ�=����2"F4P9�W�� �J\]�������q\\Q��G9-�\]K�r��夌Al�mm��Bj��Y�H�;Ja�z|uq��-�gWo���5�t�9<<���^Eqc^�1��-xp���۰W&N�G w�mJk\_7/�<��ǉ�����BXOqpGC8�,�$נ�.���8���k�Þ�{�<,��㕶ε�Waa���۰Q�a�;Z79��z\]�;f�u�v�~N;��i�\_j�Wʡw�Z��ο����6o/��X ��1��EpGL�9O�q�,n�/��kzZ<�)��>Ei}C����Y7��;�������\`08��lT�=����WH��n96U��������>W�4T���.�u�X�E��x2�8{����+��{|�Q<�0m��\]5���\]���q��K<6홳��9��{$���=���m�\]5{͆2WIA��ߢ���C���,N�F�n�4�D\*t����b������o�شi�F��1>>�n�dio�� o�7�\*��:��8i,W�����<�%ğa��8�s��m �a��H��3Yi�i�'1uxwE����8K���������������������������������������������������������������������و��3�c�ϻ���8c=��:I���+H�Ӥ=R�i�8�ƇÏ0$��l|2R����/�U�9������������&�6�ҙ�1�e�z���'��Ad�i�Fծ��\*v,��\]i(�1Z����5��B�Ie�oᾷ��{Yk���/5��v��Y�brV-�XhsL�&c���oξl�O��$�=��mm\*�8Ѡ}OI+K=�o����K̳�\_�O���eƪ�6��& /���iV3�lm�\`���,�H��Lu��W4ֵ���c�G��LU�7l~�jc��>��{A飚����篽�����,������3��p�y��-\_FJ-m�7�<}O�i:7-�g��H�W��5F\]�jZk3�B�䮢Ԛ�Gɓ���\]̗���^�8���\`�5�����Tw4Ǔ���h���魼�W3�nl�,qvﺺ�ጎ�W�ų��R�vW�m�6�#E^�l����r���i$�����<�<�;+r3�w|1:q�c�v��>�Ѻ�K޶�5f�g� �J�G �c�V�Wh�:T��e�k:���jN��vswE����8K������������������������������������������������������������������S��^f5�UֶdAg{|�\\Ț�� �Ou66���� u�~�ol��r^v^46�e˯.��Δ2���h\*;w|�<4��v�qu@���Y0X��:zyo,-�}դ�3F����44=��5�O��O�=7�(���DuW�&��ͥ��9��o��H;�/1����c�����m��©\]�E:�e��"q��Q>\*,S�l,�u�������w�q�І����ؽ��3l}\]ZL�<��\[�M9���u����t�6�p���i�ݴ$5��\]�qP���Mg��N�d���oe�����S^El�/d�7��q�i!����-�o3^Z�u�OLD�TX���\[i���B�+���{�wQL$le�GiUo~��5��1��� ��bxD������U��?���Gr���0c^�!��ql�P�~⸲knZh���9)�sF�˽Q�%�\_���b���^O����4R�n��\*Os��.�^:x��v���o��k Ls�{H��ݽ�.%���:W͟q�t�L�7;9�mbV.�Ӷ�wN�am�vq9������Oq\*�>Y�y���b��V<�\]�+�K9��%���哽���e������®&�:Ԥ��Qz֕�k����f���Q�Y���n0�b�{me)���J�����xͤT�oRpv��8�Γ<�r���MtL5��4���5��cg#k^#�"{zEF��HP��-�,z�������(rZώ�y���:㇊I^6���A���\`�گ�����l��m''U\[�÷/����S���z���\_�U�k��X���T����GGF2Vs���i,.q�D�l �;+m������nv���q��V(b�����' wrX�K�z�PZ2�A.�Q�����i����M>u;v~���O�3���yC���۫mm�.:��"����;f��U��叼c����׈�1+c�b�O�K\[{�WZd�%�{؞����rcUOq�2���X䟳�4��8�yͭqq�o��J�ics$6��8��؜X�z�4�⪻��1F8�"faY�uy��:h��\]���F���dX=���3�7���Y��J�i��T;�1�,ּ��l�zD�4�P �DHV��Bh����5,�2�S=݄nh�Ix�x��hy��>J+,}�%)�Ç��4���K���0��5�\`V̦�H+q�f�Glf\*��\]�ߺY�s"����4��9��� t�>߱����L ��S��sGyY�<�\_PA��L�Om<��7�se�C^�xHu(o�'}�+Ju����k����o�ւ �R�'Ig��s�sn뇉/-as%K�-.o§��p�<���N���li{u,K{x-�ⷁ�8!cc�6�k(�<�\*����R�4����b�/Yy��q�7gcK��q�+�h�7�N�2���1��Te�k����?�xk�w>�)����V��~����ޡ�ד�\]&��8�f���ƶG@v�:��zX�l=af�~�^�o���>�>?� N�{��H{��"=�e�/��W��|�����2��������s�ϸ����C\*L�3>+\_�'z������:Z&��;}�5�\*�x&��H'��O�%���sM\\�AV�:� ���wE����8K�����������������������������������������������������������������^���:�K|�%�.?j|N����\\:�x��U��q8���n �,Q{����|ӵ��E���^:��1���HF�W\`b���<��ag��F(�E9w���y�|>~�W޿�����k�4cǹ��>�!��:�n�TR�jLΞh�}�U��s\] �d�jnJh}C�vZ�)��w�md�gt��-v��\[J��{�\\u�4Dɳ��YL���~'>��YZ�2���h������7���I�b��rF57�}�.��+������uz���i�� V-�k򮞾7x��U�\_���K���I �2�J#�c�?�Ն>�?�or%��xB#���+�}��؍�=�

CVE-2019-12797

The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.

*   poppler
*   **NEWS**

*   

To find the state of this project's repository at the time of any of these versions, check out the tags.

Tag

#pdf