Xpdf 4.02 NULL Pointer Dereference

Credit: Mishra Dhiraj
Risk: High
Local: Yes
Remote: No
CWE: CWE-476

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Exploit Title: NULL pointer dereference # Exploit Author: Dhiraj Mishra # Vendor Homepage: https://www.xpdfreader.com/ # Software Link: https://www.xpdfreader.com/download.html # CVE: CVE-2019-17064 # References: # https://nvd.nist.gov/vuln/detail/CVE-2019-17064 # https://forum.xpdfreader.com/viewtopic.php?f=3&t=41890 *Summary:* Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because Catalog.pageLabels is initialized too late in the Catalog constructor. *BT:* #0 0x00005555556d1dce in Catalog::~Catalog (this=<optimized out>, __in_chrg=<optimized out>) at /home/input0/Desktop/xpdf-4.02/xpdf/Catalog.cc:295 #1 0x0000555555a1b1d1 in PDFDoc::setup2 (repairXRef=0, userPassword=0x0, ownerPassword=0x0, this=0x607000000090) at /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:312 #2 PDFDoc::setup (this=0x607000000090, ownerPassword=0x0, userPassword=0x0) at /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:261 #3 0x0000555555a1bb84 in PDFDoc::PDFDoc (this=0x607000000090, fileNameA=<optimized out>, ownerPassword=<optimized out>, userPassword=<optimized out>, coreA=<optimized out>) at /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:208 #4 0x0000555555674ffb in main (argc=<optimized out>, argv=<optimized out>) at /home/input0/Desktop/xpdf-4.02/xpdf/pdfdetach.cc:119 *ASAN:* ==28603==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d7a4eaadce bp 0x6070000000dc sp 0x7ffc6078b640 T0) ==28603==The signal is caused by a READ memory access. ==28603==Hint: address points to the zero page. #0 0x55d7a4eaadcd in Catalog::~Catalog() /home/input0/Desktop/xpdf-4.02/xpdf/Catalog.cc:295 #1 0x55d7a51f41d0 in PDFDoc::setup2(GString*, GString*, int) /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:312 #2 0x55d7a51f41d0 in PDFDoc::setup(GString*, GString*) /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:261 #3 0x55d7a51f4b83 in PDFDoc::PDFDoc(char*, GString*, GString*, PDFCore*) /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:208 #4 0x55d7a4e4dffa in main /home/input0/Desktop/xpdf-4.02/xpdf/pdfdetach.cc:119 #5 0x7fd635ac1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #6 0x55d7a4e50579 in _start (/home/input0/Desktop/xpdf-4.02/build/xpdf/pdfdetach+0x123579) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/input0/Desktop/xpdf-4.02/xpdf/Catalog.cc:295 in Catalog::~Catalog() ==28603==ABORTING * To reproduce: * pdfdetach -list $POC

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top