CVE-2017-5886 describes a heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken in PdfTokenizer.cpp affecting PoDoFo 0.9.4. The vulnerability is associated with processing a crafted file and is rated HIGH by NVD (CVSS 7.8). In the supplied NVD data, the CVSS vector models the issue as requiring local access and user interaction, so defenders should treat it as a high-risk document-parsing flaw [truncated]
CVE-2017-5855 is a denial-of-service issue in PoDoFo 0.9.4’s PDF parsing path. A crafted file can trigger a NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp), crashing the parser. The record is rated CVSS 3.0 5.5 (medium) and is limited to availability impact.
CVE-2017-5854 is a denial-of-service vulnerability in PoDoFo 0.9.4 tied to a NULL pointer dereference in base/PdfOutputStream.cpp. The NVD record rates it medium severity and classifies the impact as availability-only. In practice, the issue is relevant anywhere PoDoFo is used to open or process untrusted PDF content, especially in workflows where a crafted file may be handled by a user or automated job.
CVE-2017-5853 affects PoDoFo 0.9.4 and is described as an integer overflow in base/PdfParser.cpp triggered by a crafted file. The public record assigns a high-severity score and indicates potential high impact on confidentiality, integrity, and availability, so any software that parses untrusted PDFs with this library should be treated as exposed until remediated.
CVE-2017-5852 is a denial-of-service issue in PoDoFo 0.9.4 where a crafted PDF can drive PoDoFo::PdfPage::GetInheritedKeyFromObject into an infinite loop. The result is availability impact only; the NVD record assigns CVSS 3.0 5.5 (MEDIUM) with a vector that indicates local access and user interaction.
