[Poppler-bugs] [Bug 101430] New: Null dereference due to not checking return value of cairo_image_surface_get_data
bugzilla-daemon at freedesktop.org
Wed Jun 14 22:06:25 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101430
Bug ID: 101430
Summary: Null dereference due to not checking return value of cairo_image_surface_get_data
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: cairo backend
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: foca at salesforce.com
Created attachment 131961
--> https://bugs.freedesktop.org/attachment.cgi?id=131961&action=edit
Proof of concept
There is a null dereference bug due to not checking the return value of a parsing function, 'cairo_image_surface_get_data'.
The function 'cairo_image_surface_get_data(source)' is supposed to return a pointer to the data of the image surface, but it returns NULL if the surface is not an image surface. The program should not continue as there is no image surface, but it does.
The function gets called and the pointer (in this case NULL) gets stored in source_data at CairoOutputDev.cc:1831:
1830 /* convert to a luminocity map */
1831 uint32_t *source_data = (uint32_t*)cairo_image_surface_get_data(source);
1832 /* get stride in units of 32 bits */
1833 int stride = cairo_image_surface_get_stride(source)/4;
1834 for (int y=0; y<height; y++) {
1835 for (int x=0; x<width; x++) {
1836 int lum = alpha ? fill_opacity : luminocity(source_data[y*stride + x]);
When alpha is false, which in this situation it is, luminocity is called with the location of source_data[0] at CairoOutputDev.cc:1836 (as x=0 and y=0 on the first run of the loop).
To fix this bug, the code should check after line 1831 that source_data != NULL.
PoC is attached.
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
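As an added illustration (not code from the report or from poppler itself), a hardened C version of the conversion loop quoted above: it takes the pointer and stride the caller obtained from cairo_image_surface_get_data() and cairo_image_surface_get_stride() and refuses a NULL pointer instead of dereferencing it. The luminosity weights and the 2x2 sample image are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Luminosity of one CAIRO_FORMAT_ARGB32 pixel (0xAARRGGBB in native order).
 * The integer Rec. 601-style weights are an assumption for this example;
 * poppler's own luminocity() helper may use different coefficients. */
static int pixel_luminosity(uint32_t px)
{
    int r = (px >> 16) & 0xff, g = (px >> 8) & 0xff, b = px & 0xff;
    return (r * 77 + g * 151 + b * 28) >> 8;   /* result in 0..255 */
}

/* Hardened conversion loop.  source_data/stride_bytes are what the caller got
 * from cairo_image_surface_get_data()/cairo_image_surface_get_stride().  A NULL
 * pointer (cairo's answer for a non-image surface) is rejected instead of
 * dereferenced; checking cairo_surface_get_type(source)==CAIRO_SURFACE_TYPE_IMAGE
 * beforehand is the equivalent up-front guard.  Returns 0 on success, -1 on error. */
int convert_to_luminosity_map(const uint32_t *source_data, int stride_bytes,
                              int width, int height, uint8_t *out)
{
    if (source_data == NULL || out == NULL) {
        fprintf(stderr, "source is not an image surface; conversion skipped\n");
        return -1;
    }
    if (width <= 0 || height <= 0 || stride_bytes % 4 != 0 || stride_bytes < width * 4)
        return -1;                              /* geometry that would read out of bounds */
    int stride = stride_bytes / 4;              /* stride in units of 32 bits */
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++)
            out[y * width + x] = (uint8_t)pixel_luminosity(source_data[y * stride + x]);
    return 0;
}

/* Constructed 2x2 ARGB32 sample with a 16-byte (padded) stride:
 * row 0 = white, black; row 1 = red, blue. */
static const uint32_t SAMPLE_PIXELS[8] = {
    0xffffffffu, 0xff000000u, 0, 0,
    0xffff0000u, 0xff0000ffu, 0, 0,
};

/* Runs the hardened loop on the sample; returns the luminosity at (x, y) or -1. */
int sample_luminosity(int x, int y)
{
    uint8_t out[4];
    if (convert_to_luminosity_map(SAMPLE_PIXELS, 16, 2, 2, out) != 0) return -1;
    return out[y * 2 + x];
}
```

With the check in place a non-image surface makes the conversion return an error that the caller can handle, rather than faulting on source_data[0] in the first loop iteration.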