Xpdfreader Xpdf

In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder

CVE-2024-7868 8.2 - High - August 15, 2024

In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.

Use of Uninitialized Resource

In Xpdf 4.05 (and earlier)

CVE-2024-7866 5.5 - Medium - August 15, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in a pattern resource leads to infinite recursion and a stack overflow.

Stack Exhaustion

In Xpdf 4.05 (and earlier), very large coordinates in a page box

CVE-2024-7867 6.2 - Medium - August 15, 2024

In Xpdf 4.05 (and earlier), very large coordinates in a page box can cause an integer overflow and divide-by-zero.

Divide By Zero

Out-of-bounds array write in Xpdf 4.05 and earlier

CVE-2024-4976 5.5 - Medium - May 15, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, due to missing object type check in AcroForm field reference.

Memory Corruption

In Xpdf 4.05 (and earlier)

CVE-2024-4568 5.5 - Medium - May 06, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources leads to infinite recursion and a stack overflow.

Stack Exhaustion

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font

CVE-2024-4141 5.5 - Medium - April 24, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font. The root problem was a bounds check that was being optimized away by modern compilers.

Memory Corruption

Out-of-bounds array write in Xpdf 4.05 and earlier

CVE-2024-3900 5.5 - Medium - April 17, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long Unicode sequence in ActualText.

Memory Corruption

In Xpdf 4.05 (and earlier)

CVE-2024-3247 5.5 - Medium - April 02, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow.

Stack Exhaustion

In Xpdf 4.05 (and earlier)

CVE-2024-3248 5.5 - Medium - April 02, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow.

Stack Exhaustion

Out-of-bounds array write in Xpdf 4.05 and earlier

CVE-2024-2971 5.5 - Medium - March 26, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by negative object number in indirect reference in the input PDF file.

Memory Corruption

An infinite recursion in Catalog::findDestInTree

CVE-2022-48545 5.5 - Medium - August 22, 2023

An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.

Stack Exhaustion

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.

CVE-2023-3436 3.3 - Low - June 27, 2023

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.

Improper Locking

An excessively large PDF page size (found in fuzz testing, unlikely in normal PDF files)

CVE-2023-3044 3.3 - Low - June 02, 2023

An excessively large PDF page size (found in fuzz testing, unlikely in normal PDF files) can result in a divide-by-zero in Xpdf's text extraction code. This is related to CVE-2022-30524, but the problem here is caused by a very large page size, rather than by a very large character coordinate.

Divide By Zero

In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file

CVE-2023-2662 5.5 - Medium - May 11, 2023

In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file can cause a divide-by-zero.

Divide By Zero

 In Xpdf 4.04 (and earlier)

CVE-2023-2663 5.5 - Medium - May 11, 2023

 In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow.

Stack Exhaustion

 In Xpdf 4.04 (and earlier)

CVE-2023-2664 5.5 - Medium - May 11, 2023

 In Xpdf 4.04 (and earlier), a PDF object loop in the embedded file tree leads to infinite recursion and a stack overflow.

Stack Exhaustion

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-31557 - May 10, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-2664. Reason: This record is a reservation duplicate of CVE-2023-2664. Notes: All CVE users should reference CVE-2023-2664 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-26935 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-26938 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-26937 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-26936 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-26934 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-26931 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2022-30524. Reason: This record is a duplicate of CVE-2022-30524. Notes: All CVE users should reference CVE-2022-30524 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Buffer Overflow vulnerability found in XPDF v.4.04

CVE-2023-26930 5.5 - Medium - April 26, 2023

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function. NOTE: Vendor states it's an expected abort on out-of-memory error.

Classic Buffer Overflow

** REJECT ** DO NOT USE THIS CVE RECORD

CVE-2023-27655 - March 23, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Stack overflow vulnerability in function Dict::find in xpdf/Dict.cc in xpdf 4.04

CVE-2022-45586 5.5 - Medium - February 15, 2023

Stack overflow vulnerability in function Dict::find in xpdf/Dict.cc in xpdf 4.04, allows local attackers to cause a denial of service.

Memory Corruption

Stack overflow vulnerability in function gmalloc in goo/gmem.cc in xpdf 4.04

CVE-2022-45587 5.5 - Medium - February 15, 2023

Stack overflow vulnerability in function gmalloc in goo/gmem.cc in xpdf 4.04, allows local attackers to cause a denial of service.

Memory Corruption

Buffer Overflow vulnerability in pdfimages in xpdf 4.03

CVE-2021-36493 7.5 - High - February 03, 2023

Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.

Memory Corruption

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04

CVE-2022-43071 5.5 - Medium - November 15, 2022

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

Memory Corruption

XPDF v4.04 was discovered to contain a stack overflow

CVE-2022-43295 5.5 - Medium - November 14, 2022

XPDF v4.04 was discovered to contain a stack overflow via the function FileStream::copy() at xpdf/Stream.cc:795.

Memory Corruption

An issue was discovered in Xpdf 4.04

CVE-2022-41842 5.5 - Medium - September 30, 2022

An issue was discovered in Xpdf 4.04. There is a crash in gfseek(_IO_FILE*, long, int) in goo/gfile.cc.

Memory Corruption

An issue was discovered in Xpdf 4.04

CVE-2022-41844 5.5 - Medium - September 30, 2022

An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.

Memory Corruption

An issue was discovered in Xpdf 4.04

CVE-2022-41843 5.5 - Medium - September 30, 2022

An issue was discovered in Xpdf 4.04. There is a crash in convertToType0 in fofi/FoFiType1C.cc, a different vulnerability than CVE-2022-38928.

NULL Pointer Dereference

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04

CVE-2022-38222 7.8 - High - September 29, 2022

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Dangling pointer

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

CVE-2022-38928 7.8 - High - September 21, 2022

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

NULL Pointer Dereference

XPDF v4.04 and earlier was discovered to contain a stack overflow

CVE-2022-38334 5.5 - Medium - September 15, 2022

XPDF v4.04 and earlier was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

Stack Exhaustion

XPDF v4.0.4 was discovered to contain a segmentation violation

CVE-2022-36561 5.5 - Medium - August 30, 2022

XPDF v4.0.4 was discovered to contain a segmentation violation via the component /xpdf/AcroForm.cc:538.

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc)

CVE-2022-38171 7.8 - High - August 22, 2022

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).

Integer Overflow or Wraparound

XPDF v4.04 was discovered to contain a stack overflow vulnerability

CVE-2022-33108 7.8 - High - June 28, 2022

XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

Memory Corruption

There is a Null Pointer Dereference vulnerability in the XFAS

CVE-2021-27548 5.5 - Medium - May 18, 2022

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

NULL Pointer Dereference

xpdf 4.04 allocates excessive memory when presented with crafted input

CVE-2022-30775 5.5 - Medium - May 16, 2022

xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.

Allocation of Resources Without Limits or Throttling

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4

CVE-2022-30524 7.8 - High - May 09, 2022

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Memory Corruption

xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc

CVE-2022-27135 5.5 - Medium - April 25, 2022

xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary.

Memory Corruption

An integer overflow was addressed with improved input validation

CVE-2021-30860 7.8 - High - August 24, 2021

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Integer Overflow or Wraparound

Xpdf 4.02 allows stack consumption

CVE-2020-35376 7.5 - High - December 26, 2020

Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.

Memory Corruption

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`

CVE-2020-25725 5.5 - Medium - November 21, 2020

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem. The codes of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.

Dangling pointer

An issue was discovered in Xpdf 4.01.01

CVE-2019-10022 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is a NULL pointer dereference in the function Gfx::opSetExtGState in Gfx.cc.

NULL Pointer Dereference

An issue was discovered in Xpdf 4.01.01

CVE-2019-10018 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case.

Divide By Zero

An issue was discovered in Xpdf 4.01.01

CVE-2019-10019 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PSOutputDev::checkPageSlice at PSOutputDev.cc for nStripes.

Divide By Zero

An issue was discovered in Xpdf 4.01.01

CVE-2019-10020 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function Splash::scaleImageYuXu at Splash.cc for x Bresenham parameters.

Divide By Zero