[Poppler-bugs] [Bug 101523] New: NULL pointer dereference in GooString.cc:867
bugzilla-daemon at freedesktop.org
Tue Jun 20 16:53:38 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101523
Bug ID: 101523
Summary: NULL pointer dereference in GooString.cc:867
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: foca at salesforce.com
Created attachment 132093
--> https://bugs.freedesktop.org/attachment.cgi?id=132093&action=edit
Proof of concept
There is a NULL dereference when parsing the attached PoC.pdf.
The NULL dereference happens in GooString.cc:867:
863 int GooString::cmp(const char *sA) const {
864 int n1, i, x;
865 const char *p1, *p2;
866
867 n1 = length;
"this" is NULL, so this->n1 at 867 generates the SIGSEGV. The reason this is
NULL is that the previous function, GfxCIDFont::getCodeToGIDMap in
GfxFont.cc:2375, calls a method of a NULL object:
2373 *mapsizep = 0;
2374 if (!ctu) return NULL;
2375 if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
2376 if (getEmbeddedFontID(&embID)) {
When parsing PoC.pdf, getCollection() returns NULL, but the method cmp is still called.
The solution should be to check the return value before calling cmp:
2375 if (getCollection() == NULL || getCollection()->cmp("Adobe-Identity") == 0) return NULL;
PoC attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf
This vulnerability was found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
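Editor's note: the following is an added, self-contained C++ example and is not poppler code or the reporter's code. It models the two functions named in the report (GooString::cmp and the getCollection()->cmp("Adobe-Identity") check in GfxCIDFont::getCodeToGIDMap) with stand-in classes GooStringLike and CIDFontModel (hypothetical names), so that the unguarded call and the guarded one suggested above can be compared side by side. The real poppler types, the PDF parsing that produces a NULL collection, and the return type of getCodeToGIDMap are simplified here; only the control flow around the check is mirrored.

```cpp
// Added example, not poppler code. Models the NULL dereference reported for
// GfxFont.cc:2375 and the guard proposed in the report.
#include <cstddef>   // NULL
#include <cstring>   // strlen, memcmp, strncpy
#include <cstdio>

// Stand-in for poppler's GooString (hypothetical, simplified).
class GooStringLike {
public:
    explicit GooStringLike(const char *s) : length((int)std::strlen(s)) {
        std::strncpy(buf, s, sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';
    }

    // Modelled on GooString::cmp as quoted in the report: the very first
    // statement reads this->length (GooString.cc:867). When `this` is NULL
    // that load is the SIGSEGV. Calling a member function through a NULL
    // pointer is undefined behaviour; the crash is simply how it manifests.
    int cmp(const char *sA) const {
        int n1 = length;
        int n2 = (int)std::strlen(sA);
        int x = std::memcmp(buf, sA, (size_t)(n1 < n2 ? n1 : n2));
        return x != 0 ? x : n1 - n2;
    }

private:
    int length;
    char buf[64];
};

// Stand-in for the parts of GfxCIDFont used by the check (hypothetical).
struct CIDFontModel {
    const GooStringLike *collection;  // NULL when the font's CIDSystemInfo is missing or malformed
    bool hasCTU;                      // stands in for the `ctu` pointer tested at GfxFont.cc:2374

    const GooStringLike *getCollection() const { return collection; }

    // Mirrors the control flow at GfxFont.cc:2373-2376 as reported.
    // Returns false where the real function returns NULL early, true where it
    // would continue to the embedded-font path (getEmbeddedFontID).
    // With collection == NULL this dereferences a NULL pointer; never call it
    // in that state (left here only to show the vulnerable shape).
    bool codeToGIDMapVulnerable(int *mapsizep) const {
        *mapsizep = 0;
        if (!hasCTU) return false;
        if (getCollection()->cmp("Adobe-Identity") == 0) return false;  // crash if NULL
        return true;
    }

    // Same flow with the guard suggested in the report: a NULL collection
    // takes the same early-return path as "Adobe-Identity" instead of
    // faulting. The pointer is fetched once so the check and the use cannot
    // disagree.
    bool codeToGIDMapFixed(int *mapsizep) const {
        *mapsizep = 0;
        if (!hasCTU) return false;
        const GooStringLike *coll = getCollection();
        if (coll == NULL || coll->cmp("Adobe-Identity") == 0) return false;
        return true;
    }
};

int main() {
    GooStringLike ident("Adobe-Identity");
    GooStringLike japan("Adobe-Japan1");
    int mapsize = -1;

    CIDFontModel identityFont = { &ident, true };
    CIDFontModel japanFont    = { &japan, true };
    CIDFontModel brokenFont   = { NULL,   true };  // constructed input mimicking PoC.pdf

    std::printf("Adobe-Identity: fixed proceeds=%d\n", identityFont.codeToGIDMapFixed(&mapsize));
    std::printf("Adobe-Japan1:   fixed proceeds=%d\n", japanFont.codeToGIDMapFixed(&mapsize));
    std::printf("NULL collection: fixed proceeds=%d (no crash)\n", brokenFont.codeToGIDMapFixed(&mapsize));
    // brokenFont.codeToGIDMapVulnerable(&mapsize) would dereference NULL here.
    return 0;
}
```

The guarded version keeps the two existing early returns (no ctu, Adobe-Identity collection) and folds the NULL case into the second one, so no other caller behaviour changes; a reviewer would also want the fix to confirm that every other use of getCollection() in the same function tolerates NULL.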