CESA-2004-002 - rev 1

xpdf-3.0 multiple integer overflow and integer arithmetic flaws
===============================================================

Programs affected: xpdf, gpdf and kpdf.
Severity: Compromise of account used to browse malicious PDF file.

This advisory lists code flaws discovered by inspection of the xpdf-3.0 code. Note that the GNOME and KDE PDF browsers seem to be based on xpdf.

The specific flaws exposed below apply to xpdf-3.0; earlier versions do not necessarily suffer from them. However, it is very important to note that earlier versions (and programs such as gpdf based off earlier versions) do have serious instances of integer overflow / signedness / arithmetic problems. It just happens that the demo PDF files were developed against xpdf-3.0.

Flaw 1.
Impact: xpdf-3.0 hangs whilst consuming 100% CPU
Demo PDF: http://scary.beasts.org/misc/bad1.pdf
The code flaw is a logic error in a loop that never terminates if a large enough integer value is present in the PDF file, at XRef.cc, line 373.

Flaw 2.
Impact: xpdf-3.0 crashes due to an out-of-bounds read
Demo PDF: http://scary.beasts.org/misc/bad2.pdf
The code flaw is a failure to prevent negative (or large) values in the PDF file from indexing before the start of an array, at XRef.cc, line 403.

Flaw 3.
Impact: xpdf-3.0 crashes due to heap corruption caused and controlled by a malicious PDF file (i.e. exploitable to gain control over xpdf)
Demo PDF: http://scary.beasts.org/misc/bad3.pdf
The code flaw is a failure to prevent negative (or large) values in the PDF file from indexing and writing before the start and after the end of an array, at XRef.cc, line 595 and around. It is almost certainly exploitable to take control of xpdf.

Flaw n.
There are multiple additional instances of integer signedness, overflow and arithmetic problems scattered throughout the xpdf code.

Chris Evans
chris@scary.beasts.org

[Advertisement: I am interested in moving into a security-related field full-time. E-mail me to discuss.]
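Flaws 2 and 3 describe the same defect class: a signed integer read from the file is used as an array index with only an upper-bound comparison, so a negative or overflowing value slips past the check. The C below is an added illustration of that pattern and its fix for an xref subsection header ("first" object number and entry count "n"); it is not xpdf's code, and the names subsection_ok, fill_subsection, XRefEntry, the XREF_MAX_ENTRIES cap and the offsets array are all constructed here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical cap on the number of objects a file may declare; a real
   reader picks its own.  Stops first+n from forcing a huge allocation. */
#define XREF_MAX_ENTRIES 1000000

typedef struct { long long offset; int gen; bool used; } XRefEntry;

/* Unchecked pattern: only "first + n <= size" is tested.  A negative
   `first` passes, and a later write to table[first + i] lands before the
   start of the array (the flaw class described for XRef.cc). */
bool subsection_ok_unchecked(int first, int n, int size) {
    return first + n <= size;
}

/* Hardened check: both values must be non-negative, their sum must not
   overflow int, and the range must fit inside both a sane global cap and
   the table actually allocated. */
bool subsection_ok(int first, int n, int size) {
    if (first < 0 || n < 0 || size < 0) return false;
    if (n > INT_MAX - first) return false;          /* first + n would wrap */
    if (first + n > XREF_MAX_ENTRIES) return false;  /* absurd object count */
    return first + n <= size;
}

/* Copy n entries starting at index `first` from a constructed offsets array.
   Returns the number of entries written, or -1 if the header was rejected.
   The loop bound n has already been limited by subsection_ok, so the loop
   cannot run away on a large value from the file. */
int fill_subsection(XRefEntry *table, int size, int first, int n,
                    const long long *offsets) {
    if (!subsection_ok(first, n, size)) return -1;
    for (int i = 0; i < n; i++) {
        table[first + i].offset = offsets[i];
        table[first + i].gen = 0;
        table[first + i].used = true;
    }
    return n;
}
```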