Didier Stevens

Monday 2 November 2009

CVE-2009-2979 Or The XML-Bombed PDF

Filed under: PDF,Vulnerabilities — Didier Stevens @ 7:15

The Extensible Metadata Platform is an Adobe standard to represent metadata with XML.

More than a year ago, I added an XML-bomb to XMP-data inside a PDF document:


As this made Adobe Reader 8 & 9 crash, I reported it to Adobe. It has been fixed with the last patch cycle.

Why do I disclose the details of this vulnerability? Because XMP is not only intended to be used in PDF documents, but many other file formats. So be sure to check your software for this vulnerability.

Blog at WordPress.com.