Package: xpdf
Version: 3.04-13
Severity: normal
Tag: security

On Debian Bullseye this crashes xpdf with coredump:

    touch x.pdf; xpdf x.pdf

Funny, after a 2-byte Virtualbox (and now qemu) crash, this is the shortest input for a DoS-bug I have seen so far :-)

For xpdf this bug itself is not really a security risk: an attacker could also send a white page document or no document at all if he wants the victim not to see a document. Still, someone familiar with the code should look at it; maybe some half-broken document could turn the NULL-dereference into something more useful.

    rax            0x0                 0

       0x000055555556e6d0 <+16>:  je     0x55555556e6e0 <XPDFCore::loadFile(GooString const*, GooString*, GooString*)+32>
       0x000055555556e6d2 <+18>:  mov    %ebp,%eax
       0x000055555556e6d4 <+20>:  pop    %rbx
       0x000055555556e6d5 <+21>:  pop    %rbp
       0x000055555556e6d6 <+22>:  pop    %r12
       0x000055555556e6d8 <+24>:  retq
       0x000055555556e6d9 <+25>:  nopl   0x0(%rax)
       0x000055555556e6e0 <+32>:  mov    0x8(%rbx),%rax
    => 0x000055555556e6e4 <+36>:  mov    (%rax),%rax          (doc is null)
       0x000055555556e6e7 <+39>:  mov    (%rax),%rdi
       0x000055555556e6ea <+42>:  callq  0x55555557d730 <getModTime(char const*)>

Relevant source:

    int XPDFCore::loadFile(const GString *fileName, GString *ownerPassword,
                           GString *userPassword) {
      int err;

      err = PDFCore::loadFile(fileName, ownerPassword, userPassword);
      if (err == errNone) {
        // save the modification time
        modTime = getModTime(doc->getFileName()->getCString());

        // update the parent window
        if (updateCbk) {
          (*updateCbk)(updateCbkData, doc->getFileName(), -1,
                       doc->getNumPages(), NULL);
        }
      }
      return err;
    }

    (gdb) print doc
    $1 = (PDFDoc *) 0x0

If I understand correctly, "PDFCore::loadFile" does not return an error when processing an empty file, but also does not set static variable "doc". This seems to be due to "xpdf/PDFCore.cc":

    int PDFCore::loadFile2(PDFDoc *newDoc) {
      int err;
      double w, h, t;
      int i;

      // open the PDF file
      if (!newDoc->isOk()) {
        err = newDoc->getErrorCode();
        delete newDoc;
        return err;
      }
      ...

The PDFDoc seems to come from "libpoppler.so.82" already and detects the problem:

    Syntax Error: Document stream is empty

On a quick glance I could not see how this may result in !isOk() but also "err" not being set correctly. If the error should be in libpoppler, then this is the relevant version:

    ii  libpoppler82:amd64  0.71.0-6  amd64  PDF rendering library
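The following is an added example, not code from the report or from xpdf/poppler. It is a small in-memory model of the control flow quoted above: a loader that, by construction, reproduces the observable symptom (an empty document yields err == errNone while doc stays NULL), next to the front end as quoted (which would dereference doc) and a hardened front end that treats "success but doc is NULL" as an error before touching the pointer. The names doc, errNone, loadFile and loadFile2 mirror the identifiers in the report; errOpenFile, errNullDoc, the byte-string "document" and the fact that getErrorCode() returns errNone for the empty stream are assumptions made so the example runs offline, not a statement about the real root cause.

```cpp
#include <string>

// Constructed model of the control flow quoted in the report. Not xpdf or
// poppler code: the "document" is an in-memory byte string and the error
// codes other than errNone are assumed placeholders.
enum ErrorCode { errNone = 0, errOpenFile = 1, errNullDoc = 2 };

// Stand-in for PDFDoc: a document is "ok" when its stream is non-empty.
struct PDFDoc {
    std::string fileName;
    std::string bytes;
    bool isOk() const { return !bytes.empty(); }
    // Modeled defect (assumption matching the reporter's hypothesis): the
    // empty stream is flagged !isOk(), yet the error code stays errNone.
    int getErrorCode() const { return errNone; }
    const std::string &getFileName() const { return fileName; }
};

// Stand-in for PDFCore::loadFile / loadFile2 with the shape quoted above:
// on !isOk() the new document is deleted and its error code is returned,
// so doc is never assigned. Nothing here is real xpdf code.
struct PDFCore {
    PDFDoc *doc = nullptr;

    int loadFile2(PDFDoc *newDoc) {
        if (!newDoc->isOk()) {
            int err = newDoc->getErrorCode();   // errNone in the modeled defect
            delete newDoc;
            return err;                          // caller sees "success", doc is NULL
        }
        delete doc;
        doc = newDoc;
        return errNone;
    }

    int loadFile(const std::string &fileName, const std::string &bytes) {
        return loadFile2(new PDFDoc{fileName, bytes});
    }

    ~PDFCore() { delete doc; }
};

// Front end as quoted in the report: trusts err == errNone and dereferences
// doc. Instead of crashing, this model returns false where xpdf would fault.
struct XPDFCoreUnchecked : PDFCore {
    std::string lastFileName;

    bool load(const std::string &fileName, const std::string &bytes) {
        int err = loadFile(fileName, bytes);
        if (err == errNone) {
            if (doc == nullptr) return false;       // xpdf: mov (%rax),%rax with rax == 0
            lastFileName = doc->getFileName();      // doc->getFileName()->getCString()
        }
        return true;
    }
};

// Hardened front end: a "successful" load that left doc NULL is converted
// into an error before any dereference, so the caller gets a clean failure.
struct XPDFCoreChecked : PDFCore {
    std::string lastFileName;

    int load(const std::string &fileName, const std::string &bytes) {
        int err = loadFile(fileName, bytes);
        if (err != errNone) return err;
        if (doc == nullptr) return errNullDoc;      // the added guard
        lastFileName = doc->getFileName();
        return errNone;
    }
};

// True if the unchecked front end would dereference NULL for this input.
bool uncheckedWouldDereferenceNull(const std::string &bytes) {
    XPDFCoreUnchecked core;
    return !core.load("x.pdf", bytes);
}

// Result code of the hardened front end for this input.
int checkedLoadResult(const std::string &bytes) {
    XPDFCoreChecked core;
    return core.load("x.pdf", bytes);
}

// Drives both variants on the report's empty file (`touch x.pdf`) and on a
// constructed non-empty document; true when the unchecked path would crash
// on the empty file while the checked path fails cleanly and still loads
// the non-empty one.
bool demonstrate() {
    const std::string constructedPdf = "%PDF-1.4 (constructed sample bytes)";
    XPDFCoreChecked checked;
    int okResult = checked.load("ok.pdf", constructedPdf);
    return uncheckedWouldDereferenceNull("") &&
           !uncheckedWouldDereferenceNull(constructedPdf) &&
           checkedLoadResult("") == errNullDoc &&
           okResult == errNone && checked.lastFileName == "ok.pdf";
}
```

The guard in XPDFCoreChecked::load is the defensive change a caller can make independently of where the real defect lives (xpdf's PDFCore or poppler's PDFDoc): never trust a success code as proof that the object it promises was actually produced.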