Poppler
cpe:2.3:a:freedesktop:poppler:*:*:*:*:*:*:*
- < 0.99.0
A heap-based memory corruption vulnerability has been identified in Poppler's Splash backend. This flaw arises from an integer overflow in the 'tilingPatternFill' function, which can be exploited by a remote attacker. When a maliciously crafted PDF file is processed, the overflow causes an undersized heap memory allocation, allowing for an out-of-bounds write. Such exploitation could lead to arbitrary code execution, unauthorized information disclosure, or a denial-of-service condition in the application handling the PDF.
Exploitation of this vulnerability causes an integer overflow that leads to a heap buffer overflow, allowing for memory corruption. This could be exploited to execute arbitrary code, cause a denial-of-service by crashing the application or consuming excessive resources, or bypass certain application-level security mechanisms.
The vulnerability can be reproduced by using the 'pdftoppm' command-line tool to convert a PDF file that has been crafted to trigger the integer overflow. The 'reproducer-oob.pdf' file, which is available as part of the vulnerability report, can be used to demonstrate the issue. When this PDF is processed with 'pdftoppm' at a high resolution, the integer overflow occurs, leading to the heap buffer overflow.
Users are advised to avoid opening untrusted or suspicious PDF documents with applications that use the Poppler library for rendering. Red Hat has released a patch for this vulnerability in Poppler's Splash backend.
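The failure class described above (a size computed in narrow integer arithmetic wraps, so the heap allocation is smaller than the data later written into it) is shown here next to a checked form. This is an added example, not Poppler's code or the Red Hat patch: the function names, the 32-bit size arithmetic, the `TILE_MAX_BYTES` cap and the sample dimensions are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for one raster buffer (hypothetical value): 256 MiB. */
#define TILE_MAX_BYTES ((size_t)256 * 1024 * 1024)

/* Flawed pattern: the product is formed in 32-bit arithmetic and wraps
 * modulo 2^32, so large dimensions yield a small byte count. */
uint32_t tile_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened pattern: each multiplication is guarded by a division check
 * before it happens, and the result is bounded. Returns 0 and sets *out on
 * success, -1 if a dimension is zero, the product would overflow, or the
 * size exceeds the cap. */
int tile_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                       size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if ((size_t)height > SIZE_MAX / (size_t)width)
        return -1;
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels > TILE_MAX_BYTES / (size_t)bpp)
        return -1;
    *out = pixels * (size_t)bpp;
    return 0;
}

int main(void)
{
    /* Constructed dimensions, as a very high render resolution might give. */
    uint32_t w = 65537, h = 65536, bpp = 3;
    size_t n = 0;

    printf("unchecked: %u bytes\n", (unsigned)tile_bytes_unchecked(w, h, bpp));
    if (tile_bytes_checked(w, h, bpp, &n) != 0)
        printf("checked: rejected %ux%u\n", (unsigned)w, (unsigned)h);
    if (tile_bytes_checked(1024, 768, 3, &n) == 0)
        printf("checked: 1024x768x3 -> %zu bytes\n", n);
    return 0;
}
```

With the constructed dimensions the unchecked form reports 196608 bytes for a buffer that actually needs about 12.9 GB, which is the undersized-allocation condition; the checked form refuses the request before any memory is allocated.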