[Poppler-bugs] [Bug 101429] New: No validation of returned value leads to null dereference at Annot.cc:5404

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 14 21:39:24 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101429

            Bug ID: 101429
           Summary: No validation of returned value leads to null
                    dereference at Annot.cc:5404
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 131960
  --> https://bugs.freedesktop.org/attachment.cgi?id=131960&action=edit
Proof of concept

No validation of returned value leads to null dereference. The vulnerability is
at 'Annot.cc:5404' in the function 'AnnotScreen::initialize'.

Annot.cc
5403     action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());
5404     if (action->getKind() == actionRendition && page == 0) {
5405       error (errSyntaxError, -1, "Invalid Rendition action: associated screen annotation without P");
5406       delete action;
5407       action = NULL;
5408       ok = gFalse;
5409     }

In 5403, action gets a NULL value when it should be a LinkJavaScript object;
however, the getKind method is called in 5404 without checking whether action is
valid (!= NULL).

Prior to where the crash occurs, action is assigned a value:

5403        action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());

The line above calls the parseAction function with object1 and a base URI
containing '0x7fffffffded0: "\020\337\377\377\377\177"' as baseURI, which is
not valid, so null is returned for action as shown below:

Link.cc
133   // action is missing or wrong type
134   } else {
135     error(errSyntaxWarning, -1, "parseAction: Unknown annotation action object: URI = '{0:s}'",
136           baseURI ? baseURI->getCString() : "NULL");
137     action = NULL;
138   }

This could be fixed by just checking for action != NULL after Annot.cc:5403.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
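The fix pattern the report proposes, as an added example that is not part of the bug report or of poppler's code: the LinkAction and parseAction below are constructed stand-ins (assumptions, not poppler's real classes) that reproduce the contract of Link.cc returning NULL for an unknown action type, and initializeScreenAction shows the Annot.cc check with the null validation in place.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for poppler's LinkActionKind (assumption: not the real enum).
enum LinkActionKind { actionJavaScript, actionRendition };

// Constructed stand-in for poppler's LinkAction hierarchy (assumption).
struct LinkAction {
    explicit LinkAction(LinkActionKind k) : kind(k) {}
    LinkActionKind getKind() const { return kind; }
    LinkActionKind kind;
};

// Mirrors the contract of LinkAction::parseAction() from the report: when the
// action dictionary's /S entry is missing or not a recognised type, Link.cc
// takes the "action is missing or wrong type" branch and returns NULL.
std::unique_ptr<LinkAction> parseAction(const std::string &subtype) {
    if (subtype == "JavaScript")
        return std::unique_ptr<LinkAction>(new LinkAction(actionJavaScript));
    if (subtype == "Rendition")
        return std::unique_ptr<LinkAction>(new LinkAction(actionRendition));
    return nullptr;  // unknown annotation action object
}

// Hardened version of the Annot.cc:5403-5409 step. The original went straight
// to action->getKind() after parseAction(); here the pointer is validated first.
// Returns true when the screen annotation is usable (ok == gTrue in the report).
bool initializeScreenAction(const std::string &subtype, bool hasPage,
                            std::unique_ptr<LinkAction> &action) {
    action = parseAction(subtype);
    if (!action) {
        // parseAction() already reported the syntax problem; the annotation
        // has no usable action, so bail out instead of dereferencing NULL.
        return false;
    }
    if (action->getKind() == actionRendition && !hasPage) {
        // Original check: a Rendition action on a screen annotation without /P
        action.reset();
        return false;
    }
    return true;
}
```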
