Unrated severity · NVD Advisory · Published Nov 10, 2021 · Updated Aug 4, 2024

CVE-2020-23879


Description

pdf2json v0.71 was discovered to contain a NULL pointer dereference in the component ObjectStream::getObject.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pdf2json v0.71 suffers a NULL pointer dereference in ObjectStream::getObject, leading to a crash when parsing a crafted PDF.

Vulnerability

pdf2json version 0.71 contains a NULL pointer dereference in the ObjectStream::getObject function located in XRef.cc at line 183. The vulnerability is triggered when parsing a specially crafted PDF file that causes the function to access a NULL pointer. The issue was reported via a proof-of-concept PDF file that reproduces the crash [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious PDF file to pdf2json. No authentication or special privileges are required; the victim only needs to open the crafted PDF with pdf2json. The crash occurs during the parsing process, as shown by the AddressSanitizer stack trace indicating a SEGV at ObjectStream::getObject [1][2].

Impact

Successful exploitation results in a denial of service (DoS) due to the application crash. The NULL pointer dereference leads to a segmentation fault, causing pdf2json to terminate abnormally. No code execution or data exfiltration has been demonstrated; the impact is limited to availability.

Mitigation

As of the available references, no official patch has been released for pdf2json v0.71. Users should avoid processing untrusted PDF files with this version. The project appears to be unmaintained; users may consider migrating to alternative PDF-to-JSON converters or applying input validation to prevent processing malformed PDFs.
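One way to limit the availability impact while no patch exists is to run each conversion in its own child process and treat a signal-terminated exit as a contained crash. The sketch below is an added example, not code from pdf2json or from the advisory; the `pdf2json <input> <output>` command line in `convert_pdf` is an assumed placeholder, and the two stand-in children are constructed so the block runs without the converter installed.

```python
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Result:
    status: str   # "ok", "crashed", "timeout" or "failed"
    detail: str


def _limits():
    # Runs in the child just before exec: a crashing converter leaves no core dump.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_converter(argv, timeout=20):
    """Run one conversion in its own process and classify how it ended."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                              timeout=timeout, preexec_fn=_limits)
    except subprocess.TimeoutExpired:
        return Result("timeout", f"killed after {timeout}s")
    except OSError as exc:
        return Result("failed", str(exc))
    if proc.returncode < 0:
        # A negative return code means the child was terminated by a signal;
        # SIGSEGV is what a NULL pointer dereference produces.
        return Result("crashed", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return Result("failed", f"exit code {proc.returncode}")
    return Result("ok", "")


def convert_pdf(pdf_path, json_path, timeout=20):
    # ASSUMPTION: placeholder command line; use your deployment's invocation.
    return run_converter(["pdf2json", pdf_path, json_path], timeout)


# Constructed stand-ins for the converter (not pdf2json itself).
SEGV_CHILD = [sys.executable, "-c",
              "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
OK_CHILD = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    print(run_converter(SEGV_CHILD))
    print(run_converter(OK_CHILD))
```

A caller can quarantine any input that yields `crashed` or `timeout` instead of retrying it, so one crafted file costs a single failed conversion rather than the whole service.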

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

2
