[Poppler-bugs] [Bug 101504] New: NULL dereference in GfxState.cc:6127

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Jun 19 17:57:34 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=101504

            Bug ID: 101504
           Summary: NULL dereference in GfxState.cc:6127
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 132068
  --> https://bugs.freedesktop.org/attachment.cgi?id=132068&action=edit
Proof of concept

There is a NULL dereference in GfxState.cc:6127.

The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710
which returns NULL, and stores that in pix. The value is than passed on to the
getGrayLine function which tries to dereference it, resulting in a null
dereference. 

2708   for (y = 0; y < maskHeight; y++) {
2709     maskDest = (unsigned char *) (maskBuffer + y * row_stride);
2710     pix = maskImgStr->getLine();
2711     maskColorMap->getGrayLine (pix, maskDest, maskWidth);
2712   }

The reason NULL is returned  by getLine due to the following
`ImageStream::getLine`

 529   if (unlikely(inputLine == NULL)) {
 530       return NULL;
 531   }

At the point inp is set to whatever pix was( pix=in), in our case pix was NULL.
On line 6127 the dereference takes place and poppler crashes trying to
dereference a NULL pointer.
6123   default:
6124     inp = in;
6125     for (j = 0; j < length; j++)
6126       for (i = 0; i < nComps; i++) {
6127         *inp = byte_lookup[*inp * nComps + i];
6128         inp++;
6129       }


A solution could be an additional check at CairoOutputDev.cc:2710 to check the
line isn't NULL:
2710     pix = maskImgStr->getLine();
2711     if (pix == NULL) continue;
2712     maskColorMap->getGrayLine (pix, maskDest, maskWidth);

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170619/4cbe4c42/attachment.html>

More information about the Poppler-bugs mailing list