[Poppler-bugs] [Bug 101505] New: NULL pointer dereference in GooString.h:121
bugzilla-daemon at freedesktop.org
Mon Jun 19 19:50:11 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101505
Bug ID: 101505
Summary: NULL pointer dereference in GooString.h:121
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: foca at salesforce.com
Created attachment 132070
--> https://bugs.freedesktop.org/attachment.cgi?id=132070&action=edit
Proof of concept
There is a NULL pointer dereference.
The SIGSEGV happens in GooString.h:121:
121 char *getCString() { return s; }
But the problem comes from GfxFont.cc:826:
825 //----- CID font substitution
826 if ((path = globalParams->findCCFontFile(
827 ((GfxCIDFont *)this)->getCollection()))) {
828 if ((fontLoc = getExternalFont(path, gTrue))) {
((GfxCIDFont *)this)->getCollection() returns NULL, and this is not checked in
this function or in any of the following functions until the NULL dereference
happens at getCString:
#0 0x000000000040b480 in GooString::getCString (this=0x0) at ../goo/GooString.h:121
#1 0x00000000004a67c9 in GooHash::hash (this=0x7fc350, key=0x0) at GooHash.cc:369
#2 0x00000000004a66b5 in GooHash::find (this=0x7fc350, key=0x0, h=0x7fffffffd414) at GooHash.cc:342
#3 0x00000000004a5e21 in GooHash::lookup (this=0x7fc350, key=0x0) at GooHash.cc:136
A possible solution is to verify that the returned value of getCollection is != NULL:
826 if (((GfxCIDFont *)this)->getCollection() != NULL && (path = globalParams->findCCFontFile(
827 ((GfxCIDFont *)this)->getCollection()))) {
PoC is attached.
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
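As an added illustration, not code from the report or from poppler itself, the following stand-alone C++ model reproduces the failure path described above: a CID font whose collection string is NULL is passed straight into a hash lookup that calls getCString() on the key, and the hardened variant applies the reporter's check before the lookup. The types GooStr, CIDFont and Params, the hashKey helper, the locateVulnerable/locatePatched functions and the sample font path are all assumptions made for the demo and do not match poppler's real classes.

```cpp
#include <cstdio>
#include <string>
#include <unordered_map>

// Stand-in for GooString: the real class hands out its raw buffer from getCString().
struct GooStr {
  std::string s;
  const char *getCString() const { return s.c_str(); }
};

// Stand-in for GfxCIDFont. For the PoC font the report shows collection == NULL
// (assumption: the CIDSystemInfo registry/ordering could not be resolved).
struct CIDFont {
  GooStr *collection;
  GooStr *getCollection() const { return collection; }
};

// Stand-in for the GooHash lookup that GlobalParams::findCCFontFile performs.
// Like GooHash::hash in the backtrace, it calls key->getCString() with no NULL
// check, so a NULL key dereferences NULL here (frame #0 in the report).
static unsigned hashKey(const GooStr *key) {
  unsigned h = 0;
  for (const char *p = key->getCString(); *p; ++p) h = h * 31 + (unsigned char)*p;
  return h;
}

struct Params {
  std::unordered_map<unsigned, std::string> ccFontFiles;  // hash(collection) -> path
  void addCCFontFile(const char *collection, const char *path) {
    GooStr k{collection};
    ccFontFiles[hashKey(&k)] = path;
  }
  const char *findCCFontFile(const GooStr *collection) {
    auto it = ccFontFiles.find(hashKey(collection));
    return it == ccFontFiles.end() ? nullptr : it->second.c_str();
  }
};

// Vulnerable: mirrors the quoted GfxFont.cc:826, no check on getCollection().
const char *locateVulnerable(Params &p, const CIDFont &f) {
  return p.findCCFontFile(f.getCollection());  // SIGSEGV when collection == NULL
}

// Hardened: the reporter's proposed fix, test getCollection() before the lookup.
const char *locatePatched(Params &p, const CIDFont &f) {
  if (f.getCollection() == nullptr) return nullptr;  // no collection, no substitution
  return p.findCCFontFile(f.getCollection());
}

// Constructed sample table (not a real fontconfig or poppler configuration).
static Params sampleParams() {
  Params p;
  p.addCCFontFile("Adobe-Japan1", "/usr/share/fonts/cid/Adobe-Japan1.otf");
  return p;
}

// A font with a NULL collection must be skipped instead of crashing.
bool patchedHandlesNullCollection() {
  Params p = sampleParams();
  CIDFont broken{nullptr};
  return locatePatched(p, broken) == nullptr;
}

// A font with a known collection still resolves to its substitute file.
std::string patchedFindsKnownCollection() {
  Params p = sampleParams();
  GooStr coll{"Adobe-Japan1"};
  CIDFont ok{&coll};
  const char *path = locatePatched(p, ok);
  return path ? path : "";
}

int main() {
  std::printf("NULL collection -> %s\n",
              patchedHandlesNullCollection() ? "skipped safely" : "unexpected");
  std::printf("Adobe-Japan1 -> %s\n", patchedFindsKnownCollection().c_str());
  // Calling locateVulnerable with CIDFont{nullptr} would dereference NULL in
  // hashKey, which is the crash the report describes; it is deliberately not run.
  return 0;
}
```

The check sits at the call site rather than inside the hash, matching the reporter's suggestion; an alternative with wider coverage would be to reject NULL keys inside the lookup itself, since the backtrace shows the key travelling unchecked through GooHash::lookup, find and hash.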