[Poppler-bugs] [Bug 101430] New: Null dereference due to not checking return value of cairo_image_surface_get_data

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 14 22:06:25 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=101430

            Bug ID: 101430
           Summary: Null dereference due to not checking return value of
                    cairo_image_surface_get_data
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: cairo backend
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 131961
  --> https://bugs.freedesktop.org/attachment.cgi?id=131961&action=edit
Proof of concept

There is a Null dereference bug due to not checking return value of a parsing
function 'cairo_image_surface_get_data'. 

The function 'cairo_image_surface_get_data(source)' is supposed to return a
pointer to the data of the image surface but it returns NULL if surface is not
an image surface. Program should not continue as there is no image surface, but
it does.

Function gets called and the pointer (in this case NULL) gets stored in
source_data CairoOutputDev.cc:1831:

1830     /* convert to a luminocity map */
1831     uint32_t *source_data =
(uint32_t*)cairo_image_surface_get_data(source);
1832     /* get stride in units of 32 bits */
1833     int stride = cairo_image_surface_get_stride(source)/4;
1834     for (int y=0; y<height; y++) {
1835       for (int x=0; x<width; x++) {
1836         int lum = alpha ? fill_opacity : luminocity(source_data[y*stride +
x]);

When Alpha is false, which in this situation it is, luminocity is called with
the location of source_data[0] at CairoOutputDev.cc:1836 (As x=0 and y=0 on the
first run of the loop).

To fix this bug the code should check after line 1831 for source_data != NULL.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170614/99e4fb75/attachment.html>

More information about the Poppler-bugs mailing list