CVE-2020-19475
Description
An issue has been found in function CCITTFaxStream::lookChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid write of size 2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based invalid write of size 2 in PDF2JSON 0.70's CCITTFaxStream::lookChar causes denial of service via crafted PDF.
Vulnerability
The issue is in the CCITTFaxStream::lookChar function of PDF2JSON version 0.70 (commit b671b64). An attacker can trigger an invalid write of size 2 to heap memory by providing a specially crafted PDF file. This occurs during the parsing of CCITT fax-encoded image streams [1].
Exploitation
An attacker needs only to deliver a malformed PDF file that triggers the vulnerable code path. When PDF2JSON processes the file (e.g., via pdf2json $PoC /dev/null), the call chain from Page::display through Gfx::display, Parser::getObj, Lexer::getChar, and Object::streamGetChar reaches CCITTFaxStream::getChar, which calls lookChar. The function then performs an invalid write of size 2, as reproduced with Valgrind [1]. No special authentication or network position beyond file delivery is required.
Impact
Successful exploitation causes a segmentation fault (SEGV) and denial of service. The crash occurs due to writing to an invalid heap address, likely corrupting memory and terminating the application. No code execution or data exfiltration is described in the available references [1].
Mitigation
As of the latest published information, no official patch has been released. The issue is tracked on GitHub [1], and users should monitor the project for updates. Until a fix is available, avoid processing untrusted PDF files with PDF2JSON 0.70.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
PDF2JSON/PDF2JSON
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/flexpaper/pdf2json/issues/36
News mentions
No linked articles in our index yet.