PT-2024-29894 · Pdfio +1

Bshyuunn +3 · Published 2024-08-06 · Updated 2024-08-12 · CVE-2024-42358

CVSS v3.1: 6.2 Medium
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: PDFio versions prior to 1.3.1

Description: The issue concerns a denial of service (DoS) vulnerability in the TTF parser of the PDFio library. Maliciously crafted TTF files can cause the program to use 100% of available memory and enter an infinite loop, potentially leading to a heap buffer overflow. This occurs because of the nGroups value extracted from the file, which, when altered, can cause the program to consume excessive memory and enter an infinite loop. The read_cmap function is specifically affected by this issue. Automated systems, including web servers that use this library to convert PDF submissions into plaintext, are vulnerable to DoS if an attacker uploads a malicious TTF file.

Recommendations: For versions prior to 1.3.1, upgrade to release 1.3.1 to address the issue. As a temporary workaround, consider restricting the upload of TTF files or implementing additional validation checks on nGroups values to prevent excessive memory usage and infinite loops. Avoid using the ttf.h library until the issue is resolved.
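The validation check the workaround above calls for, written as an added example rather than pdfio's own code: before a cmap format 12 subtable's nGroups is used for any allocation or loop, it is bounded against the declared subtable length and the bytes actually present. The subtable layout follows the OpenType cmap specification; the group-count cap and the two sample headers are constructed assumptions.

```c
/* Added example, not pdfio's own code: bound-check the nGroups field of a cmap
 * format 12 subtable before any allocation or loop trusts it. Layout per the
 * OpenType spec: format(2) reserved(2) length(4) language(4) numGroups(4),
 * followed by numGroups 12-byte SequentialMapGroup records. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMAP12_HEADER_LEN 16u
#define CMAP12_GROUP_LEN  12u
/* Assumed sanity cap: a font never needs more groups than Unicode code points. */
#define CMAP12_MAX_GROUPS 0x110000u
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
/* Validate a format 12 subtable at buf[0] with `avail` bytes left in the file.
 * Returns true and stores nGroups only if every group fits inside both the
 * declared subtable length and the data actually present. */
bool cmap12_validate(const uint8_t *buf, size_t avail, uint32_t *ngroups_out)
{
  if (avail < CMAP12_HEADER_LEN) return false;      /* header truncated */
  if (be16(buf) != 12) return false;                /* not a format 12 subtable */
  uint32_t length  = be32(buf + 4);
  uint32_t ngroups = be32(buf + 12);
  if (length > avail) return false;                 /* declares more than exists */
  if (ngroups > CMAP12_MAX_GROUPS) return false;    /* implausible group count */
  /* 64-bit arithmetic so the size computation itself cannot wrap around. */
  uint64_t needed = CMAP12_HEADER_LEN + (uint64_t)ngroups * CMAP12_GROUP_LEN;
  if (needed > length) return false;                /* groups overrun the subtable */
  if (ngroups_out) *ngroups_out = ngroups;
  return true;
}
/* Constructed sample: one group mapping U+0041..U+005A to glyphs 1..26. */
const uint8_t SAMPLE_OK[28] = {
  0x00,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x1C, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,
  0x00,0x00,0x00,0x41, 0x00,0x00,0x00,0x5A, 0x00,0x00,0x00,0x01 };
/* Constructed sample: identical, but nGroups patched to 0xFFFFFFFF. */
const uint8_t SAMPLE_HUGE[28] = {
  0x00,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x1C, 0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,
  0x00,0x00,0x00,0x41, 0x00,0x00,0x00,0x5A, 0x00,0x00,0x00,0x01 };

int main(void)
{
  uint32_t n = 0;
  bool ok = cmap12_validate(SAMPLE_OK, sizeof SAMPLE_OK, &n);
  printf("ok sample: %d (nGroups=%u), huge sample: %d\n", ok, n,
         cmap12_validate(SAMPLE_HUGE, sizeof SAMPLE_HUGE, NULL));
  return 0;
}
```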

Exploit · Fix

DoS · Infinite Loop


Weakness Enumeration

Related Identifiers

CVE-2024-42358
GHSA-4HH9-J68X-8353

Affected Products

Debian
Pdfio