Stream.cc in Xpdf, as used in products such as gpdf, kpdf, pdftohtml,
poppler, teTeX, CUPS, libextractor, and others, allows attackers to
modify memory and possibly execute arbitrary code via a DCTDecode
stream with (1) a large "number of components" value that is not
checked by DCTStream::readBaselineSOF or
DCTStream::readProgressiveSOF, (2) a large "Huffman table index" value
that is not checked by DCTStream::readHuffmanTables, and (3) certain
uses of the scanInfo.numComps value by DCTStream::readScanInfo.
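
The bounds checks whose absence is described in (1) and (2), shown as an added example that is not Xpdf's code: a minimal C parser for the JPEG frame-header and Huffman-table segments, rejecting out-of-range values before they index fixed-size arrays. The Decoder struct, the function names, the limits of 4 and the sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_COMPS 4        /* assumed size of the per-component array */
#define MAX_HUFF_TABLES 4  /* assumed table slots per class (DC, AC) */

typedef struct {
    int numComps;
    struct { uint8_t id, hSample, vSample, quantTable; } comp[MAX_COMPS];
    uint8_t dcCounts[MAX_HUFF_TABLES][16], acCounts[MAX_HUFF_TABLES][16];
} Decoder;

/* Frame header payload (after the 2-byte length). 0 = ok, -1 = rejected. */
int read_sof(Decoder *d, const uint8_t *p, size_t len) {
    if (len < 6) return -1;
    int n = p[5];                                  /* "number of components" */
    if (n < 1 || n > MAX_COMPS) return -1;         /* bound before indexing comp[] */
    if (len != 6 + 3 * (size_t)n) return -1;       /* declared count must match data */
    for (int i = 0; i < n; i++) {
        const uint8_t *c = p + 6 + 3 * i;
        d->comp[i].id = c[0];
        d->comp[i].hSample = c[1] >> 4;
        d->comp[i].vSample = c[1] & 0x0f;
        d->comp[i].quantTable = c[2];
    }
    d->numComps = n;
    return 0;
}

/* DHT payload; may carry several tables. 0 = ok, -1 = rejected. */
int read_dht(Decoder *d, const uint8_t *p, size_t len) {
    for (size_t pos = 0; pos < len; ) {
        if (len - pos < 17) return -1;             /* class/index byte + 16 counts */
        unsigned cls = p[pos] >> 4, idx = p[pos] & 0x0f;  /* "Huffman table index" */
        if (cls > 1 || idx >= MAX_HUFF_TABLES) return -1; /* bound before indexing */
        size_t nsyms = 0;
        for (int i = 0; i < 16; i++) nsyms += p[pos + 1 + i];
        if (nsyms > 256 || len - pos - 17 < nsyms) return -1;
        memcpy(cls ? d->acCounts[idx] : d->dcCounts[idx], p + pos + 1, 16);
        pos += 17 + nsyms;                         /* skip the symbol values */
    }
    return 0;
}

/* Constructed samples: a 3-component frame header and one claiming 200. */
static const uint8_t SOF_OK[]  = {8, 0,16, 0,16, 3, 1,0x22,0, 2,0x11,1, 3,0x11,1};
static const uint8_t SOF_BAD[] = {8, 0,16, 0,16, 200, 1,0x22,0};
```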