[Poppler-bugs] [Bug 27366] New: NULL pointer dereference
bugzilla-daemon at freedesktop.org
Mon Mar 29 14:07:54 PDT 2010
http://bugs.freedesktop.org/show_bug.cgi?id=27366
Summary: NULL pointer dereference
Product: poppler
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: cairo backend
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: kees at outflux.net
Forwarded from Dan Rosenberg, in https://launchpad.net/bugs/538772
When processing a malformed PDF, libpoppler segfaults by dereferencing an
uninitialized pointer, in the function CairoOutputDev::restoreState(), in
poppler-0.12.0/poppler/CairoOutputDev.cc. The attached reproducer (please keep
private) crashes Evince (v2.28.1), using libpoppler, on my Karmic machine by
causing restoreState() to be called when maskStack is uninitialized, leading to
an invalid dereference at:
mask = ms->mask;
Given that there is a call to:
delete ms;
a few lines down without checking that ms has been initialized, this may be a
potential security issue. In the worst case, this may lead to memory corruption
leading to code execution by tricking a user into opening a malformed PDF, but
I am not familiar enough with the code to actually show that this is possible.
In fact, I'm not even sure this is a security issue at all, but I figured it
was better to be safe than sorry.
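The crash pattern the report describes (a restoreState() that pops a mask stack without checking that anything was ever pushed) is easier to reason about with a small model. The block below is an added example, not poppler's own code and not code from the reporter: the names OutputDev, MaskStack, saveState, restoreStateUnchecked, restoreStateChecked and replayOps are assumptions, the Mask struct stands in for a cairo pattern, and the stack is modelled as empty (a null head pointer) when a malformed PDF issues more restores than saves. The unchecked path reproduces the dereference of a null head; the checked path refuses the unbalanced restore instead of crashing.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed stand-in for a cairo_pattern_t*; only its identity matters here.
struct Mask { int id; };

// One saved entry per saveState(): the mask that was active when the save happened.
struct MaskStack {
    Mask *mask;
    MaskStack *next;
};

// Hypothetical output device that keeps the current mask and a stack of saved masks.
struct OutputDev {
    Mask *mask = nullptr;
    MaskStack *maskStack = nullptr;
    size_t depth = 0;

    ~OutputDev() {
        while (maskStack) {            // free anything a malformed stream left pushed
            MaskStack *ms = maskStack;
            maskStack = ms->next;
            delete ms;
        }
    }

    void saveState() {
        maskStack = new MaskStack{mask, maskStack};
        ++depth;
    }

    // Vulnerable pattern: trusts that every restore is paired with an earlier save.
    // An unbalanced restore reaches here with maskStack == nullptr, and ms->mask
    // dereferences a null pointer (the crash the report describes). delete on a
    // null pointer is a no-op, but the read above it has already faulted.
    void restoreStateUnchecked() {
        MaskStack *ms = maskStack;
        mask = ms->mask;
        maskStack = ms->next;
        delete ms;
        --depth;
    }

    // Hardened: an empty stack means the content stream is unbalanced; report it
    // and leave the device state untouched rather than dereferencing the head.
    bool restoreStateChecked() {
        if (maskStack == nullptr)
            return false;
        MaskStack *ms = maskStack;
        mask = ms->mask;
        maskStack = ms->next;
        delete ms;
        --depth;
        return true;
    }
};

// Replays a constructed operator string against the device using the checked path:
// 'q' = save state, 'Q' = restore state, 'm' = install a mask. Returns how many
// restores were rejected because no matching save existed.
int replayOps(const char *ops, OutputDev &dev) {
    static Mask sampleMask{1};
    int rejected = 0;
    for (const char *p = ops; *p; ++p) {
        switch (*p) {
            case 'q': dev.saveState(); break;
            case 'Q': if (!dev.restoreStateChecked()) ++rejected; break;
            case 'm': dev.mask = &sampleMask; break;
            default: break;            // ignore operators the model does not track
        }
    }
    return rejected;
}

int main() {
    OutputDev dev;
    // "qmQQ": one save, a mask, then two restores; the second restore is unbalanced.
    int rejected = replayOps("qmQQ", dev);
    std::printf("unbalanced restores rejected: %d, stack depth now %zu\n",
                rejected, dev.depth);
    // Calling dev.restoreStateUnchecked() here, with the stack empty, is the crash.
    return 0;
}
```

The check is cheap and belongs at the top of the restore path: the content stream is attacker-controlled, so the invariant "every Q has a matching q" cannot be assumed by the output device, only enforced by it. Whether the unchecked version is exploitable beyond a crash depends on what else the pointer could be when it is not null, which this model does not try to settle.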