Poppler pdfseparate Utility Infinite Recursion Vulnerability

Vulnerability Information

Vulnerability name: Poppler pdfseparate Utility Infinite Recursion Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-50420

Vulnerability type: Buffer overflow

Severity: High

Vulnerability description: Poppler is an open-source PDF rendering library widely used for rendering and manipulating PDF files. It is the back end of many PDF viewers and tools, such as Evince and Okular, and is therefore deployed broadly across operating systems and applications. This vulnerability affects the pdfseparate tool in the Poppler library, which is used to extract pages from PDF files.

The vulnerability lies in the PDFDoc processing logic of the pdfseparate tool: when a malicious PDF file containing self-referencing or mutually referencing '/Annots' dictionaries is processed, the result is infinite recursion. The cause is that, while marking annotation and page objects, the loop-detection mechanism uses the dictionary's pointer address, which differs on every fetch, so the circular reference is never detected. An attacker who constructs such a PDF file can make the application hang or crash, achieving a denial of service.

The impact is fairly serious: a remote attacker can trigger the vulnerability without any form of authentication by tricking a user into opening or processing a malicious PDF file. Given how widely Poppler is used, a large number of applications and services that rely on it for PDF processing may be affected. An attacker can exploit the vulnerability for a denial-of-service attack that affects service availability. Moreover, because triggering the vulnerability requires no condition beyond user interaction, the bar to exploitation is low and the potential attack surface is broad.

Vendor: Poppler

Product: Poppler

Affected versions: version < 25.07.0

Source: https://github.com/Landw-hub/CVE-2025-50420

Type: CVE-2025:github search

Repository files

  • poppler-pdfseparate-poc
  • readme.md

Source overview

Poppler before version 25.07.0 contains a vulnerability in its pdfseparate utility’s PDFDoc processing logic: crafted “/Annots” dictionaries that reference themselves or each other lead to infinite recursion in “PDFDoc::markAnnotations –> PDFDoc::markPageObjects –> PDFDoc::markObject –> PDFDoc::markDictionary”, because loop detection uses dictionary pointer addresses which differ on each fetch(). A remote attacker can cause a denial-of-service (application hang or crash) by processing a malicious PDF.

Here I craft a malicious PDF (poppler-pdfseparate-poc) where "/Annots" resolves to a self-referencing or mutually referencing dictionary, causing Poppler's markAnnotations -> markPageObjects -> markObject -> markDictionary recursion to never detect the loop and thus exhaust the call stack (infinite recursion). Exploitation requires only opening or processing the PDF (e.g., via pdfseparate).

The specific process is as follows:

afl_env(base) user@ubuntu:~/zgd/AFLProject/pdf_parsers/poppler-25.04.0/build/utils$ ./pdfseparate ./../../../../pdf_fuzz/poppler-master/pdfseparate/analyze_crashes/only_custom/all_crashes/poppler-pdfseparate-poc /dev/null
Segmentation fault (core dumped)

afl_env(base) user@ubuntu:~/zgd/AFLProject/pdf_parsers/poppler-25.04.0/build/utils$ gdb ./pdfseparate core.2332378
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./pdfseparate...
[New LWP 2332378]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
--Type <RET> for more, q to quit, c to continue without paging--
Core was generated by `./pdfseparate ./../../../../pdf_fuzz/poppler-master/pdfseparate/analyze_crashes'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007a27410a3dee in _int_malloc (av=av@entry=0x7a274121ac80 <main_arena>, bytes=bytes@entry=40)
at ./malloc/malloc.c:3903
3903 ./malloc/malloc.c: No such file or directory.
(gdb) bt
#0 0x00007a27410a3dee in _int_malloc (av=av@entry=0x7a274121ac80 <main_arena>, bytes=bytes@entry=40)
at ./malloc/malloc.c:3903
#1 0x00007a27410a5262 in __GI___libc_malloc (bytes=40) at ./malloc/malloc.c:3321
#2 0x00007a27414ae98c in operator new(unsigned long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#3 0x00007a274192a080 in __gnu_cxx::new_allocator<std::_Rb_tree_node<int> >::allocate (this=0x5c29c1b2a498, __n=1)
at /usr/include/c++/11/ext/new_allocator.h:127
#4 0x00007a2741929c8f in std::allocator<std::_Rb_tree_node<int> >::allocate (__n=1, this=0x5c29c1b2a498)
at /usr/include/c++/11/bits/allocator.h:185
#5 std::allocator_traits<std::allocator<std::_Rb_tree_node<int> > >::allocate (__a=..., __n=1)
at /usr/include/c++/11/bits/alloc_traits.h:464
#6 0x00007a274192974f in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::_M_get_node
(this=0x5c29c1b2a498) at /usr/include/c++/11/bits/stl_tree.h:561
#7 0x00007a2741973466 in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::_M_create_node<int const&> (this=0x5c29c1b2a498) at /usr/include/c++/11/bits/stl_tree.h:611
#8 0x00007a2741970c97 in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::_Alloc_node::operator()<int const&> (this=0x7ffeba55f200, __arg=@0x7ffeba55f2a0: 4) at /usr/include/c++/11/bits/stl_tree.h:529
#9 0x00007a274196ba22 in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::_M_insert_<int const&, std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::_Alloc_node> (
this=0x5c29c1b2a498, __x=0x0, __p=0x5c29c1b2a4a0, __v=@0x7ffeba55f2a0: 4, __node_gen=...)
at /usr/include/c++/11/bits/stl_tree.h:1784
#10 0x00007a2741963f5e in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::_M_insert_unique<int const&> (this=0x5c29c1b2a498, __v=@0x7ffeba55f2a0: 4) at /usr/include/c++/11/bits/stl_tree.h:2129
#11 0x00007a274195c4f6 in std::set<int, std::less<int>, std::allocator<int> >::insert (this=0x5c29c1b2a498,
--Type <RET> for more, q to quit, c to continue without paging--
__x=@0x7ffeba55f2a0: 4) at /usr/include/c++/11/bits/stl_set.h:512
#12 0x00007a2741957c6d in RefRecursionChecker::insert (this=0x5c29c1b2a498, ref=...)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/Object.h:133
#13 0x00007a2741b0e09c in XRef::fetch (this=0x5c29c1b2a370, num=4, gen=0, recursion=0, endPos=0x0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/XRef.cc:1202
#14 0x00007a2741b0dfb4 in XRef::fetch (this=0x5c29c1b2a370, ref=..., recursion=0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/XRef.cc:1190
#15 0x00007a2741a94e1d in Object::fetch (this=0x5c29c208a1c0, xref=0x5c29c1b2a370, recursion=0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/Object.cc:110
#16 0x00007a27419785d3 in Array::get (this=0x5c29c208a160, i=0, recursion=0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/Array.cc:92
#17 0x00007a2741ab0514 in PDFDoc::markAnnotations (this=0x5c29c1b2a0a0, annotsObj=0x7ffeba55f6b0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldPageNum=3, newPageNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1856
#18 0x00007a2741aaf6b3 in PDFDoc::markDictionary (this=0x5c29c1b2a0a0, dict=0x5c29c208a100, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1716
#19 0x00007a2741aaf8d8 in PDFDoc::markObject (this=0x5c29c1b2a0a0, obj=0x7ffeba55f800, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1744
#20 0x00007a2741ab03af in PDFDoc::markPageObjects (this=0x5c29c1b2a0a0, pageDict=0x5c29c208a0a0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1840
--Type <RET> for more, q to quit, c to continue without paging--
#21 0x00007a2741ab0827 in PDFDoc::markAnnotations (this=0x5c29c1b2a0a0, annotsObj=0x7ffeba55f9a0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldPageNum=3, newPageNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1889
#22 0x00007a2741aaf6b3 in PDFDoc::markDictionary (this=0x5c29c1b2a0a0, dict=0x5c29c2089f10, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1716
#23 0x00007a2741aaf8d8 in PDFDoc::markObject (this=0x5c29c1b2a0a0, obj=0x7ffeba55faf0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1744
#24 0x00007a2741ab03af in PDFDoc::markPageObjects (this=0x5c29c1b2a0a0, pageDict=0x5c29c2089eb0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1840
#25 0x00007a2741ab0827 in PDFDoc::markAnnotations (this=0x5c29c1b2a0a0, annotsObj=0x7ffeba55fc90, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldPageNum=3, newPageNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1889
#26 0x00007a2741aaf6b3 in PDFDoc::markDictionary (this=0x5c29c1b2a0a0, dict=0x5c29c2089d20, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1716
#27 0x00007a2741aaf8d8 in PDFDoc::markObject (this=0x5c29c1b2a0a0, obj=0x7ffeba55fde0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1744
#28 0x00007a2741ab03af in PDFDoc::markPageObjects (this=0x5c29c1b2a0a0, pageDict=0x5c29c2089cc0, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
--Type <RET> for more, q to quit, c to continue without paging--
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1840
#29 0x00007a2741ab0827 in PDFDoc::markAnnotations (this=0x5c29c1b2a0a0, annotsObj=0x7ffeba55ff80, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldPageNum=3, newPageNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1889
#30 0x00007a2741aaf6b3 in PDFDoc::markDictionary (this=0x5c29c1b2a0a0, dict=0x5c29c2089b30, xRef=0x5c29c1b2b080,
countRef=0x5c29c1b2b240, numOffset=0, oldRefNum=3, newRefNum=259, alreadyMarkedDicts=0x5c29c1b2c9f0)
at /home/user/zgd/AFLProject/pdf_parsers/poppler-25.04.0/poppler/PDFDoc.cc:1716

http://example.com/2025/08/01/github_1410761823/
Author: lianccc
Published: August 1, 2025