Credit:
The information has been provided by Chris Rohlf and Will Drewry.
The original article can be found at: http://www.ocert.org/advisories/ocert-2009-016.html
Vulnerable Systems:
* Poppler version 0.12.0 and prior
* Xpdf version 3.02pl3 and prior
Immune Systems:
* Poppler version 0.12.1
* Xpdf version 3.02pl4
If an application using this code is multi-threaded (or uses a crash signal handler), it may be possible to execute arbitrary code.
The vulnerability resides in the object stream handler. In particular, a multiplicative overflow occurs when a large number of embedded objects are specified. An overflow check was in place in the code, but it only protected related calls to gmalloc(). The C++ object array allocation code (new[]) is not guarded by the upper bound check and the call to new[] does not result in an exception with gcc. This results in bytes being written after the valid heap allocation during object construction.
Both software packages have released fixed versions which limit the allowed object count to a domain specific value.
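The two parts of the advisory, the unguarded multiplication behind new[] and the domain-specific cap used by the fixed releases, as an added illustration that is not code from Poppler, Xpdf or the advisory itself. The record type `ObjEntry`, the helper names and the cap value are assumptions chosen for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <new>

// Template over the unsigned type so the wrap can be shown for a 32-bit
// size_t as well as the native one. True if n * elemSize does not fit in U.
template <typename U>
bool mulOverflows(U n, U elemSize) {
    return elemSize != 0 && n > std::numeric_limits<U>::max() / elemSize;
}

// The byte count that actually reaches the allocator once the product wraps:
// the (too small) region new[] hands back before the constructors start
// writing n objects into it.
template <typename U>
U wrappedSize(U n, U elemSize) {
    return static_cast<U>(n * elemSize);  // unsigned wrap is well defined
}

// Hypothetical per-object record; the real structure in the parsers differs.
struct ObjEntry { uint32_t num; uint32_t offset; };

// Domain-specific upper bound, as the fixed releases impose. The value is a
// constructed placeholder, not the one chosen by Poppler or Xpdf.
constexpr std::size_t kMaxObjects = 1u << 20;

// Apply the same bound and overflow check to new[] that the original code
// applied only to gmalloc(); nothrow so a refused request is a nullptr.
ObjEntry* allocObjEntries(std::size_t n) {
    if (n == 0 || n > kMaxObjects) return nullptr;
    if (mulOverflows<std::size_t>(n, sizeof(ObjEntry))) return nullptr;
    return new (std::nothrow) ObjEntry[n];
}

// Convenience for exercising the guarded path: true if the count was accepted.
bool allocAndFree(std::size_t n) {
    ObjEntry* p = allocObjEntries(n);
    if (p == nullptr) return false;
    delete[] p;
    return true;
}
```

With a 32-bit size_t, a count of 0x40000001 four-byte entries wraps to a 4-byte request, which is the shape of the defect the advisory describes.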
CVE Information:
CVE-2009-3608
Disclosure Timeline:
2009-09-04: vulnerability report received
2009-09-17: proof of concept received from reporter
2009-10-14: fixed Xpdf released
2009-10-18: fixed Poppler released
2009-10-21: advisory published