[Poppler-bugs] [Bug 28170] New: poppler: JBIG2Bitmap::getSlice NULL pointer dereference
bugzilla-daemon at freedesktop.org
Wed May 19 02:20:50 PDT 2010
https://bugs.freedesktop.org/show_bug.cgi?id=28170
Summary: poppler: JBIG2Bitmap::getSlice NULL pointer dereference
Product: poppler
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: general
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: thoger at redhat.com
Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to
crash. It triggers a NULL pointer dereference in JBIG2Bitmap::getSlice /
JBIG2Bitmap::clearToZero.
More details copy-n-pasted from:
https://bugzilla.redhat.com/show_bug.cgi?id=580105#c16
JBIG2Bitmap::getSlice() gets called with large values in wA/hA arguments:
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740
It calls JBIG2Bitmap::JBIG2Bitmap():
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700
which contains protection against integer overflow / under-allocation of the
data[] buffer, and leaves data set to NULL if integer overflow is detected.
JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which
does memset(data, ...), resulting in NULL pointer dereference crash.
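The allocation-then-clear sequence the report describes, modelled as an added example in C++. This is not poppler's code: the Bitmap class, its overflow guard thresholds and the helper names (getSlice, clearToZeroUnchecked, allocationRefused, sliceIsZeroed) are assumptions chosen to mirror the pattern, not the real JBIG2Bitmap. The constructor refuses an oversized allocation and leaves data NULL; the unchecked clear then passes that NULL straight to memset, while the checked variant lets getSlice report failure to its caller instead.

```cpp
// Added example, not poppler's code: a cut-down model of the JBIG2Bitmap
// allocation pattern from the bug report, with the missing NULL check.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <climits>

struct Bitmap {
    int w, h;
    int line;            // bytes per row, (w + 7) / 8
    unsigned char *data; // NULL when the allocation was refused or failed

    // Guard against integer overflow / under-allocation of data[]: any
    // size whose byte count does not fit in an int is refused and data is
    // left NULL (thresholds are this example's own, not poppler's).
    Bitmap(int wA, int hA) : w(wA), h(hA), line(0), data(NULL) {
        if (wA <= 0 || hA <= 0) return;
        if (wA > INT_MAX - 7) return;         // wA + 7 must not overflow
        line = (wA + 7) >> 3;
        if (hA > INT_MAX / line) return;      // line * hA must not overflow
        // A huge but non-overflowing request can still fail here, which
        // also leaves data NULL; the callers below must cope with both.
        data = (unsigned char *)malloc((size_t)line * (size_t)hA);
    }
    ~Bitmap() { free(data); }

    // The buggy form: memset on data with no check that the allocation
    // actually happened.  With data == NULL this is the reported crash.
    void clearToZeroUnchecked() {
        memset(data, 0, (size_t)line * (size_t)h);
    }

    // Hardened form: a NULL buffer means there is nothing to clear, and the
    // caller is told so instead of the process faulting.
    bool clearToZero() {
        if (!data) return false;
        memset(data, 0, (size_t)line * (size_t)h);
        return true;
    }
};

// getSlice as the report describes it: construct a bitmap, then clear it.
// Returns NULL rather than crashing when the slice could not be allocated.
Bitmap *getSlice(int wA, int hA) {
    Bitmap *slice = new Bitmap(wA, hA);
    if (!slice->clearToZero()) {
        delete slice;
        return NULL;
    }
    return slice;
}

// Does a (wA, hA) pair trip the constructor's guard (or fail to allocate)?
bool allocationRefused(int wA, int hA) {
    Bitmap b(wA, hA);
    return b.data == NULL;
}

// Request a slice and confirm every byte came back zeroed.
bool sliceIsZeroed(int wA, int hA) {
    Bitmap *s = getSlice(wA, hA);
    if (!s) return false;
    bool ok = true;
    size_t n = (size_t)s->line * (size_t)s->h;
    for (size_t i = 0; i < n; ++i) ok = ok && s->data[i] == 0;
    delete s;
    return ok;
}

int main() {
    // Constructed inputs: a sane slice and the fuzzer-style huge one.
    printf("64x16 zeroed slice: %s\n", sliceIsZeroed(64, 16) ? "yes" : "no");
    printf("INT_MAX x INT_MAX refused: %s\n",
           allocationRefused(INT_MAX, INT_MAX) ? "yes" : "no");
    printf("getSlice(INT_MAX, INT_MAX) -> %s\n",
           getSlice(INT_MAX, INT_MAX) ? "bitmap" : "NULL");
    // Uncommenting the next two lines reproduces the crash pattern:
    // Bitmap big(INT_MAX, INT_MAX);
    // big.clearToZeroUnchecked();
    return 0;
}
```

The fix that matters is the one-line NULL test in clearToZero; the point of getSlice returning NULL is that a refused allocation has to be propagated, since any later code that assumed the slice exists would otherwise just move the dereference elsewhere.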