2019-07-22 14:18:19
mitre
PUBLISHED
The JPXStream::init function in Poppler 0.78.0 and earlier doesnt check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.