Xpdfreader Xpdf

Uninit. Var in DCT Decoder of Xpdf <=4.05 Causes Segfault
CVE-2024-7868 - August 15, 2024

In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.

Use of Uninitialized Variable

Stack Overflow via Invalid PDF Pattern in Xpdf 4.05 (Pre4.05)
CVE-2024-7866 5.5 - Medium - August 15, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in a pattern resource leads to infinite recursion and a stack overflow.

Stack Exhaustion

Xpdf 4.05 Integer Overflow / Div Zero Caused by Large Page Coordinates
CVE-2024-7867 6.2 - Medium - August 15, 2024

In Xpdf 4.05 (and earlier), very large coordinates in a page box can cause an integer overflow and divide-by-zero.

Divide By Zero

Xpdf <4.05 OOB Array Write via AcroForm Field Ref
CVE-2024-4976 5.5 - Medium - May 15, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, due to missing object type check in AcroForm field reference.

Memory Corruption

Xpdf 4.05 (and earlier) PDF Object Loop Causing Stack Overflow
CVE-2024-4568 5.5 - Medium - May 06, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources leads to infinite recursion and a stack overflow.

Stack Exhaustion

OOB array write in Xpdf <4.06 via invalid Type 1 font char code
CVE-2024-4141 5.5 - Medium - April 24, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font. The root problem was a bounds check that was being optimized away by modern compilers.

Memory Corruption

Xpdf <=4.05: OOB array write via long Unicode in ActualText
CVE-2024-3900 5.5 - Medium - April 17, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long Unicode sequence in ActualText.

Memory Corruption

Stack Overflow via Infinite Recursion in Xpdf 4.05 PDF Object Stream
CVE-2024-3247 5.5 - Medium - April 02, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow.

Stack Exhaustion

Stack Overflow via PDF Object Loop in Xpdf 4.05 (Infinite Recursion)
CVE-2024-3248 5.5 - Medium - April 02, 2024

In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow.

Stack Exhaustion

Out-of-bounds write in Xpdf <4.05 via negative object number
CVE-2024-2971 5.5 - Medium - March 26, 2024

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by negative object number in indirect reference in the input PDF file.

Memory Corruption

xpdf 4.02 DoS via infinite recursion in Catalog::findDestInTree
CVE-2022-48545 5.5 - Medium - August 22, 2023

An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.

Stack Exhaustion

Xpdf 4.04 Deadlock in PDF Object Stream 'Length' Field
CVE-2023-3436 3.3 - Low - June 27, 2023

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.

Improper Locking

Xpdf Text Extractor Div/Zero via Huge PDF Page
CVE-2023-3044 3.3 - Low - June 02, 2023

An excessively large PDF page size (found in fuzz testing, unlikely in normal PDF files) can result in a divide-by-zero in Xpdf's text extraction code. This is related to CVE-2022-30524, but the problem here is caused by a very large page size, rather than by a very large character coordinate.

Divide By Zero

Divide-by-zero via bad color space in Xpdf 4.04
CVE-2023-2662 5.5 - Medium - May 11, 2023

In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file can cause a divide-by-zero.

Divide By Zero

Xpdf 4.04 (and earlier) PDF page label tree loop causing stack overflow
CVE-2023-2663 5.5 - Medium - May 11, 2023

 In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow.

Stack Exhaustion

Stack Overflow via PDF Object Loop in Xpdf 4.04 and Earlier
CVE-2023-2664 5.5 - Medium - May 11, 2023

 In Xpdf 4.04 (and earlier), a PDF object loop in the embedded file tree leads to infinite recursion and a stack overflow.

Stack Exhaustion

CVE-2023-31557: Duplicate record, no details available
CVE-2023-31557 - May 10, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-2664. Reason: This record is a reservation duplicate of CVE-2023-2664. Notes: All CVE users should reference CVE-2023-2664 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Unknown vulnerability duplicate, see CVE-2019-9587
CVE-2023-26935 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

CVE-2023-26938: Duplicate Record of CVE-2019-9587
CVE-2023-26938 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

CVE-2023-26937: Duplicate reservation of CVE-2019-9587
CVE-2023-26937 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Duplicate CVE-2023-26936 entry pointing to CVE-2019-9587
CVE-2023-26936 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Duplicate CVE: CVE-2023-26934 Reserved; References CVE-2019-9587
CVE-2023-26934 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

CVE-2023-26931 REJECT - Duplicate CVE
CVE-2023-26931 - April 26, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2022-30524. Reason: This record is a duplicate of CVE-2022-30524. Notes: All CVE users should reference CVE-2022-30524 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

XPDF v4.04 DoS via Buffer Overflow in pdftotext.cc
CVE-2023-26930 5.5 - Medium - April 26, 2023

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function. NOTE: Vendor states it's an expected abort on out-of-memory error.

Classic Buffer Overflow

Duplicate CVE Reserved Refer to CVE-2019-9587 (Unknown Product)
CVE-2023-27655 - March 23, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2019-9587. Reason: This record is a reservation duplicate of CVE-2019-9587. Notes: All CVE users should reference CVE-2019-9587 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Stack overflow in Dict::find (xpdf 4.04) local DoS
CVE-2022-45586 5.5 - Medium - February 15, 2023

Stack overflow vulnerability in function Dict::find in xpdf/Dict.cc in xpdf 4.04, allows local attackers to cause a denial of service.

Memory Corruption

Xpdf 4.04 Stack Overflow in gmalloc Causing DoS
CVE-2022-45587 5.5 - Medium - February 15, 2023

Stack overflow vulnerability in function gmalloc in goo/gmem.cc in xpdf 4.04, allows local attackers to cause a denial of service.

Memory Corruption

xpdf 4.03 pdfimages Buf Overflow Crash
CVE-2021-36493 7.5 - High - February 03, 2023

Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.

Memory Corruption

DoS via stack overflow in XPDF v4.04 Catalog::readPageLabelTree2
CVE-2022-43071 5.5 - Medium - November 15, 2022

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

Memory Corruption

XPDF v4.04 Stack Overflow via FileStream::copy()
CVE-2022-43295 5.5 - Medium - November 14, 2022

XPDF v4.04 was discovered to contain a stack overflow via the function FileStream::copy() at xpdf/Stream.cc:795.

Memory Corruption

Xpdf 4.04 Crash via gfseek(gfile.cc)
CVE-2022-41842 5.5 - Medium - September 30, 2022

An issue was discovered in Xpdf 4.04. There is a crash in gfseek(_IO_FILE*, long, int) in goo/gfile.cc.

Memory Corruption

Xpdf 4.04 XRef fetch crash (CVE-2022-41844)
CVE-2022-41844 5.5 - Medium - September 30, 2022

An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.

Memory Corruption

Xpdf 4.04 FoFiType1C Crash Vulnerability
CVE-2022-41843 5.5 - Medium - September 30, 2022

An issue was discovered in Xpdf 4.04. There is a crash in convertToType0 in fofi/FoFiType1C.cc, a different vulnerability than CVE-2022-38928.

NULL Pointer Dereference

Xpdf 4.04 UAF in JBIG2Stream::close() via pdfimages
CVE-2022-38222 7.8 - High - September 29, 2022

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Dangling pointer

XPDF 4.04 NULL_PTR Deref FoFiType1C.cc
CVE-2022-38928 7.8 - High - September 21, 2022

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

NULL Pointer Dereference

Xpdf 4.04 Stack Overflow via countPageTree()
CVE-2022-38334 5.5 - Medium - September 15, 2022

XPDF v4.04 and earlier was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

Stack Exhaustion

XPDF v4.0.4 SegVio in AcroForm.cc (CVE-2022-36561)
CVE-2022-36561 5.5 - Medium - August 30, 2022

XPDF v4.0.4 was discovered to contain a segmentation violation via the component /xpdf/AcroForm.cc:538.

CVE-2022-38171: Xpdf <=4.04 JBIG2 int overflow leading to code exec
CVE-2022-38171 7.8 - High - August 22, 2022

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).

Integer Overflow or Wraparound

XPDF v4.04 was discovered to contain a stack overflow vulnerability
CVE-2022-33108 7.8 - High - June 28, 2022

XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

Memory Corruption

There is a Null Pointer Dereference vulnerability in the XFAS
CVE-2021-27548 5.5 - Medium - May 18, 2022

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

NULL Pointer Dereference

xpdf 4.04 allocates excessive memory when presented with crafted input
CVE-2022-30775 5.5 - Medium - May 16, 2022

xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.

Allocation of Resources Without Limits or Throttling

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4
CVE-2022-30524 7.8 - High - May 09, 2022

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Memory Corruption

xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc
CVE-2022-27135 5.5 - Medium - April 25, 2022

xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary.

Memory Corruption

An integer overflow was addressed with improved input validation
CVE-2021-30860 7.8 - High - August 24, 2021

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Integer Overflow or Wraparound

Xpdf 4.02 allows stack consumption
CVE-2020-35376 7.5 - High - December 26, 2020

Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.

Memory Corruption

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`
CVE-2020-25725 5.5 - Medium - November 21, 2020

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem. The codes of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.

Dangling pointer

An issue was discovered in Xpdf 4.01.01
CVE-2019-10022 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is a NULL pointer dereference in the function Gfx::opSetExtGState in Gfx.cc.

NULL Pointer Dereference

An issue was discovered in Xpdf 4.01.01
CVE-2019-10018 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case.

Divide By Zero

An issue was discovered in Xpdf 4.01.01
CVE-2019-10019 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PSOutputDev::checkPageSlice at PSOutputDev.cc for nStripes.

Divide By Zero

An issue was discovered in Xpdf 4.01.01
CVE-2019-10020 5.5 - Medium - March 25, 2019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function Splash::scaleImageYuXu at Splash.cc for x Bresenham parameters.

Divide By Zero