oCERT-2009-016 Poppler, xpdf integer overflow during heap allocation

Description:

Poppler and Xpdf are two popular open source projects for processing PDF files. Both projects are vulnerable to an integer overflow during heap memory allocation when processing a PDF file. In general, this results in unexpected process termination. If an application using this code is multi-threaded (or uses a crash signal handler), it may be possible to execute arbitrary code.

The vulnerability resides in the object stream handler. In particular, a multiplicative overflow occurs when a large number of embedded objects is specified. An overflow check was in place in the code, but it only protected related calls to gmalloc(). The C++ object array allocation code (new[]) is not guarded by the upper bound check, and the call to new[] does not result in an exception with gcc. This results in bytes being written after the valid heap allocation during object construction.
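The following is an added illustration, not code from Poppler or Xpdf: it shows how a 32-bit count-times-size product wraps before an array allocation, beside the kind of bound check the fixed versions apply. The record type, the cap value and the function names are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Hypothetical per-object record kept by an object stream handler
// (stand-in for the real type, which is not reproduced here).
struct ObjRecord {
    int num;
    int gen;
    std::size_t offset;
};

// Domain-specific upper bound on objects per stream. The value is an
// assumption for this example, not the limit the projects chose.
constexpr std::size_t kMaxObjectsPerStream = 1u << 20;

// The unguarded computation: count * elemSize evaluated in 32 bits.
// A large count wraps to a tiny byte count, so the array is allocated
// far smaller than the number of elements later constructed in it.
std::uint32_t bytesRequested32(std::uint32_t count, std::uint32_t elemSize) {
    return count * elemSize;  // wraps modulo 2^32, no exception raised
}

// Multiplication-overflow guard: true only if count * elemSize fits in
// size_t. This is the check that protected gmalloc() but not new[].
bool allocationSizeFits(std::size_t count, std::size_t elemSize) {
    if (elemSize == 0) return false;
    return count <= std::numeric_limits<std::size_t>::max() / elemSize;
}

// Validates an untrusted object count (e.g. an object stream's /N entry)
// before it sizes any array: reject negatives, apply the domain cap,
// then confirm the byte count cannot wrap.
bool validObjectCount(long long requested) {
    if (requested < 0) return false;
    auto n = static_cast<unsigned long long>(requested);
    if (n > kMaxObjectsPerStream) return false;
    return allocationSizeFits(static_cast<std::size_t>(n), sizeof(ObjRecord));
}

// Guarded replacement for `new ObjRecord[requested]`: on rejection it
// returns an empty table and sets ok = false instead of allocating.
std::vector<ObjRecord> allocateObjectTable(long long requested, bool &ok) {
    ok = validObjectCount(requested);
    if (!ok) return {};
    return std::vector<ObjRecord>(static_cast<std::size_t>(requested));
}
```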

Both software packages have released fixed versions which limit the allowed object count to a domain specific value.

A detailed analysis has been made available by the reporter.

Affected version:

Poppler < 0.12.1

Xpdf < 3.02pl4

Fixed version:

Poppler >= 0.12.1

Xpdf >= 3.02pl4

Credit: vulnerability report and proof-of-concept received from Chris Rohlf <chris.rohlf AT gmail.com>.

CVE: CVE-2009-3608

Timeline:

2009-09-04: vulnerability report received
2009-09-17: proof of concept received from reporter
2009-09-21: impact reviewed
2009-09-29: contacted poppler maintainer
2009-09-29: vendor-sec notified
2009-09-30: vendor-sec discussion expanded to include xpdf maintainer
2009-10-02: final fix agreed upon by both maintainers
2009-10-12: CVE assigned by Tomas Hoger of RedHat
2009-10-14: fixed Xpdf released
2009-10-18: fixed Poppler released
2009-10-21: advisory published

References:
Related Matasano C++ challenge
Related Matasano C++ challenge conclusion
Xpdf CHANGES