poppler: integer overflow in JPXStream::init function leading to memory consumption (CVE-2019-9959)
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
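To illustrate the flaw class named above (a signed stream length converted to an allocation size without a sign check) beside the kind of validation the fix introduces, here is an added example in C++; it is a simplified sketch written for this page, not poppler's own JPXStream code, and `read_be_int32`, `MAX_JPX_BUFFER` and the function names are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Reads a big-endian 32-bit signed length field from a byte buffer, as a
// PDF/JPX parser would when it picks up a length from attacker-supplied data.
static int32_t read_be_int32(const unsigned char *p) {
    uint32_t u = (static_cast<uint32_t>(p[0]) << 24) |
                 (static_cast<uint32_t>(p[1]) << 16) |
                 (static_cast<uint32_t>(p[2]) << 8)  |
                  static_cast<uint32_t>(p[3]);
    return static_cast<int32_t>(u);
}

// Vulnerable pattern: the signed length is converted straight to size_t.
// A negative value such as -1 wraps to SIZE_MAX, so the allocation request
// is huge and entirely controlled by the file's contents.
static size_t vulnerable_alloc_size(int32_t length) {
    return static_cast<size_t>(length);   // no sign or range check
}

// Assumed upper bound for this example (not a poppler constant).
static const size_t MAX_JPX_BUFFER = static_cast<size_t>(64) * 1024 * 1024;

// Hardened pattern: reject negative and oversized lengths before any
// allocation; returns false so the caller can mark the stream as invalid.
static bool checked_alloc_size(int32_t length, size_t *out) {
    if (length < 0) return false;
    size_t n = static_cast<size_t>(length);   // safe: length >= 0 here
    if (n > MAX_JPX_BUFFER) return false;
    *out = n;
    return true;
}

// Allocates the stream buffer only after validation; an empty vector and
// ok == false signal rejection instead of an attacker-sized allocation.
static std::vector<unsigned char> load_stream(const unsigned char *hdr, bool *ok) {
    size_t n = 0;
    if (!checked_alloc_size(read_be_int32(hdr), &n)) {
        *ok = false;
        return std::vector<unsigned char>();
    }
    *ok = true;
    return std::vector<unsigned char>(n);
}
```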
Fixed In Version:
poppler 0.79
References:
- https://gitlab.freedesktop.org/poppler/poppler/blob/master/NEWS
- https://nvd.nist.gov/vuln/detail/CVE-2019-9959
- https://gitlab.freedesktop.org/poppler/poppler/issues/805
Patch:
https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557
Affected branches:
- master
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable