CVE-2017-6846 - NULL pointer dereference in...

A PDF parsing, modification and creation library.

Brought to you by: domseichter

This project can now be found here.

#9 CVE-2017-6846 - NULL pointer dereference in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace

Milestone: SVN TRUNK

Status: closed

Owner: nobody

Labels: security (37)

Updated: 2018-03-11

Created: 2018-02-24

Creator: Mattia Rizzolo

Private: No

https://security-tracker.debian.org/tracker/CVE-2017-6846
http://www.openwall.com/lists/oss-security/2017/03/02/7
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/
https://bugs.debian.org/861563

The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

Tickets: #111
Tickets: ~~#43~~
Tickets: #45
Tickets: ~~#46~~

Discussion

Mattia Rizzolo - 2018-02-24

Dominik is speculating that this might already be covered by the fix for CVE-2017-6845. Somebody should test this out.
https://sourceforge.net/p/podofo/mailman/message/36205895/

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

zyx - 2018-03-11

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

zyx - 2018-03-11

I can confirm this is fixed with revision 1892:
http://sourceforge.net/p/podofo/code/1892

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

CVE-2017-6846 - NULL pointer dereference in...

A PDF parsing, modification and creation library.

Milestone

Searches

Help

#9 CVE-2017-6846 - NULL pointer dereference in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace

Related

Discussion