XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.
https://usn.ubuntu.com/3865-1/
https://lists.debian.org/debian-lts-announce/2020/07/msg00018.html
https://lists.debian.org/debian-lts-announce/2019/03/msg00008.html
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143
https://gitlab.freedesktop.org/poppler/poppler/issues/692
https://access.redhat.com/errata/RHSA-2019:2713