#2009-016 Poppler, Xpdf integer overflows during heap allocation

Description:

Poppler and Xpdf are two popular open source projects for processing PDF files. Both projects are vulnerable to an integer overflow during heap memory allocation when processing a PDF file. In general, this results in unexpected process termination. If an application using this code is multi-threaded (or uses a crash signal handler), it may be possible to execute arbitrary code.

The vulnerability resides in the object stream handler. In particular, a multiplicative overflow occurs when a large number of embedded objects is specified. An overflow check was in place in the code, but it only protected the related calls to gmalloc(). The C++ object array allocation (new[]) is not guarded by that upper bound check, and with gcc the call to new[] does not raise an exception when the size computation overflows (see the gcc bug in the References). As a result, bytes are written past the end of the valid heap allocation during object construction.

Both software packages have released fixed versions which limit the allowed object count to a domain specific value. A detailed analysis by the reporter can be found in the References.

Affected version:

Poppler < 0.12.1
Xpdf < 3.02pl4

Fixed version:

Poppler >= 0.12.1
Xpdf >= 3.02pl4

Credit: vulnerability report and PoC received from Chris Rohlf.
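As an added illustration (not code from this advisory or from either project), the kind of bound the advisory says guarded gmalloc() but not new[], placed in front of both allocation paths, together with the 32-bit size wrap it prevents; Entry, maxObjects and the sample counts are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <memory>

// Constructed stand-in for one object-stream entry; the real Object type is larger.
struct Entry {
    int num;
    int offset;
};

// Result of validating an object count parsed from an untrusted PDF.
enum class CountCheck { Ok, Negative, OverLimit, Overflow };

// Validate the count before it feeds any size computation. The advisory notes the
// gmalloc() path had this bound while new[] did not; the same check must sit in
// front of every allocation derived from the count. maxObjects is the domain
// specific ceiling the fixed releases add (an assumed value here, not theirs).
CountCheck checkObjectCount(long long nObjects, std::size_t elemSize, std::size_t maxObjects) {
    if (nObjects < 0) return CountCheck::Negative;
    const std::size_t n = static_cast<std::size_t>(nObjects);
    if (n > maxObjects) return CountCheck::OverLimit;
    if (elemSize != 0 && n > std::numeric_limits<std::size_t>::max() / elemSize)
        return CountCheck::Overflow;   // n * elemSize would wrap around
    return CountCheck::Ok;
}

// The byte count an unguarded `new Entry[nObjects]` computes on a platform with a
// 32-bit size_t (common in 2009): the product wraps silently, a tiny block is
// allocated for a huge count, and the constructors then write past its end.
std::uint32_t wrappedByteCount32(std::uint32_t nObjects, std::uint32_t elemSize) {
    return nObjects * elemSize;   // unsigned 32-bit arithmetic, wraps modulo 2^32
}

// Hardened allocation: new[] is reached only after the count passes the check.
std::unique_ptr<Entry[]> allocEntries(long long nObjects, std::size_t maxObjects) {
    if (checkObjectCount(nObjects, sizeof(Entry), maxObjects) != CountCheck::Ok)
        return nullptr;   // caller rejects the file as malformed
    return std::unique_ptr<Entry[]>(new Entry[static_cast<std::size_t>(nObjects)]());
}
```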
CVE: CVE-2009-3608

Timeline:

2009-09-04: vulnerability report received
2009-09-17: proof of concept received from reporter
2009-09-21: impact reviewed
2009-09-29: contacted poppler maintainer
2009-09-29: vendor-sec notified
2009-09-30: vendor-sec discussion expanded to include xpdf maintainer
2009-10-02: final fix agreed upon by both maintainers
2009-10-12: CVE assigned by Tomas Hoger of RedHat
2009-10-14: fixed Xpdf released
2009-10-18: fixed Poppler released
2009-10-21: advisory published

References:

http://poppler.freedesktop.org/
http://www.foolabs.com/xpdf/CHANGES
http://chargen.matasano.com/chargen/2009/10/9/a-c-challenge.html
http://chargen.matasano.com/chargen/2009/10/15/a-c-challenge-the-conclusion.html
http://sites.google.com/site/em386cr/Home/CVE-2009-3608-explained.txt
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351

Permalink:
http://www.ocert.org/advisories/ocert-2009-016.html

-- 
Will Drewry
http://ocert.org