CVE-2018-14946
Description
An issue has been found in PDF2JSON 0.69. The HtmlString class in ImgOutputDev.cc has Mismatched Memory Management Routines (malloc versus operator delete).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PDF2JSON 0.69 has a memory management mismatch in HtmlString, allowing potential memory corruption via crafted PDF files.
Vulnerability
PDF2JSON version 0.69 contains a memory management mismatch in the HtmlString class within ImgOutputDev.cc [1][2]. Memory allocated with malloc is freed using operator delete, violating the C++ standard and leading to undefined behavior.
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted PDF file to PDF2JSON, causing the ~HtmlString destructor to be called during HtmlPage::coalesce() and ImgOutputDev::endPage(). The ASAN report confirms the mismatch occurs when processing the crafted PDF [1][2].
Impact
Successful exploitation could result in memory corruption, potentially leading to denial of service or, in some cases, arbitrary code execution. The exact impact depends on the heap layout and the attacker's ability to control the freed memory.
Mitigation
As of the available references, no official fix has been released for PDF2JSON 0.69. Users should consider using an alternative tool or applying manual patches that make memory management consistent (e.g., using new instead of malloc for objects of class HtmlString). The project appears to be unmaintained [1][2].
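The bug class described under Vulnerability and the pairing fix suggested under Mitigation, shown as an added C++ example. This is not PDF2JSON source code: `MismatchedText`, `PairedText`, `FreeDeleter` and `round_trip` are hypothetical names, and the sample string is constructed.

```cpp
// Added illustration: hypothetical classes, not PDF2JSON source code.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <new>

// BEFORE: malloc() paired with operator delete[]. Undefined behaviour;
// shown for comparison only and never instantiated in this example.
class MismatchedText {
public:
    explicit MismatchedText(const char *s)
        : len_(std::strlen(s)), buf_(static_cast<char *>(std::malloc(len_ + 1))) {
        if (buf_) std::memcpy(buf_, s, len_ + 1);
    }
    MismatchedText(const MismatchedText &) = delete;
    MismatchedText &operator=(const MismatchedText &) = delete;
    ~MismatchedText() { delete[] buf_; }  // BUG: buf_ came from malloc()
    std::size_t size() const { return len_; }
private:
    std::size_t len_;
    char *buf_;
};

// AFTER: the deallocator is bound to the pointer's type, so the buffer can
// only be released with free(), on every path including exceptions.
struct FreeDeleter {
    void operator()(void *p) const noexcept { std::free(p); }
};

class PairedText {
public:
    explicit PairedText(const char *s)
        : len_(std::strlen(s)), buf_(static_cast<char *>(std::malloc(len_ + 1))) {
        if (!buf_) throw std::bad_alloc();
        std::memcpy(buf_.get(), s, len_ + 1);
    }
    std::size_t size() const { return len_; }
    const char *c_str() const { return buf_.get(); }
private:
    std::size_t len_;
    std::unique_ptr<char, FreeDeleter> buf_;  // move-only: copying will not compile
};

// Builds and destroys a PairedText; returns true if the contents survived.
bool round_trip(const char *s) {
    PairedText t(s);
    return t.size() == std::strlen(s) && std::strcmp(t.c_str(), s) == 0;
}

int main() { return round_trip("constructed sample text") ? 0 : 1; }
```

Building with `-fsanitize=address` and instantiating `MismatchedText` is a quick way to confirm that a local patch has removed every mismatched pair, since AddressSanitizer reports this pattern as an alloc-dealloc-mismatch.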
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (2)
[1] github.com/flexpaper/pdf2json/issues/19 (mitre, x_refsource_MISC)
[2] github.com/fouzhe/security/tree/master/pdf2json (mitre, x_refsource_MISC)