[Poppler-bugs] [Bug 101523] New: NULL pointer dereference in GooString.cc:867

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jun 20 16:53:38 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101523

            Bug ID: 101523
           Summary: NULL pointer dereference in GooString.cc:867
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 132093
  --> https://bugs.freedesktop.org/attachment.cgi?id=132093&action=edit
Proof of concept

There is a NULL dereference when parsing the attached PoC.pdf.

The NULL dereference happens in GooString.cc:867:
863     int GooString::cmp(const char *sA) const {
864       int n1, i, x;
865       const char *p1, *p2;
866     
867       n1 = length;

"this" is NULL, so this->n1 at 867 generates the SIGSEGV. The reason it is
NULL is that the previous function GfxCIDFont::getCodeToGIDMap in
GfxFont.cc:2375 calls a method on a NULL object:

2373      *mapsizep = 0;
2374      if (!ctu) return NULL;
2375      if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
2376      if (getEmbeddedFontID(&embID)) {


When parsing the PoC.pdf, getCollection() returns NULL, but the method cmp is called.

The solution should be to check the return value before calling cmp:
2375      if (getCollection() == NULL || getCollection()->cmp("Adobe-Identity") == 0) return NULL;

PoC attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability was found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

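The crash pattern from the report and the checked form of the call, as an added example that is not poppler's code: GooStringLike, CIDFontLike, makeFont and the two isIdentityCollection* functions are hypothetical stand-ins that model only what the bug touches (a cmp() that reads a member of `this` first, and a collection pointer that can be unset when the font dictionary does not yield one). The three input fonts are constructed inline.

```cpp
#include <cstring>
#include <memory>
#include <string>

// Hypothetical stand-in for GooString: cmp() reads the length member before
// anything else, so invoking it through a null pointer faults on that read.
class GooStringLike {
public:
    explicit GooStringLike(const std::string &s)
        : length(static_cast<int>(s.size())), data(s) {}

    // Ordering comparison against a C string, in the spirit of GooString::cmp.
    int cmp(const char *sA) const {
        int n1 = length;              // dereferences `this`: crash site when this == nullptr
        const char *p1 = data.c_str();
        const char *p2 = sA;
        int i;
        for (i = 0; i < n1 && *p2 != '\0'; ++i, ++p1, ++p2) {
            int x = static_cast<unsigned char>(*p1) - static_cast<unsigned char>(*p2);
            if (x != 0) return x;
        }
        if (i < n1) return 1;         // this string is longer than sA
        if (*p2 != '\0') return -1;   // sA is longer than this string
        return 0;
    }

private:
    int length;
    std::string data;
};

// Hypothetical stand-in for the CID font: holds the "Registry-Ordering"
// collection string, or nothing when the font dictionary did not yield one
// (assumption: that unset state is what the PoC reaches).
struct CIDFontLike {
    std::unique_ptr<GooStringLike> collection;
    const GooStringLike *getCollection() const { return collection.get(); }
};

// Hypothetical helper: builds the collection from CIDSystemInfo's Registry and
// Ordering; a missing entry (nullptr) leaves the collection unset.
CIDFontLike makeFont(const char *registry, const char *ordering) {
    CIDFontLike font;
    if (registry != nullptr && ordering != nullptr) {
        font.collection.reset(new GooStringLike(std::string(registry) + "-" + ordering));
    }
    return font;
}

// Unsafe: the pattern quoted from GfxFont.cc:2375. When getCollection() returns
// nullptr, cmp() runs with a null `this`, which is undefined behaviour and in
// practice the SIGSEGV from the report. Never call this on a font whose
// collection is unset.
bool isIdentityCollectionUnchecked(const CIDFontLike &font) {
    return font.getCollection()->cmp("Adobe-Identity") == 0;
}

// Hardened: fetch the pointer once, test it, and only then call the method.
// A missing collection is treated like Adobe-Identity (the caller returns no
// map), which is the behaviour the report's proposed one-line fix gives.
bool isIdentityCollectionChecked(const CIDFontLike &font) {
    const GooStringLike *coll = font.getCollection();
    return coll == nullptr || coll->cmp("Adobe-Identity") == 0;
}

int main() {
    // Constructed inputs standing in for three font dictionaries: an ordinary
    // collection, the identity collection, and one with no usable CIDSystemInfo.
    CIDFontLike japan = makeFont("Adobe", "Japan1");
    CIDFontLike identity = makeFont("Adobe", "Identity");
    CIDFontLike broken = makeFont(nullptr, nullptr);

    bool ok = !isIdentityCollectionChecked(japan)
           && isIdentityCollectionChecked(identity)
           && isIdentityCollectionChecked(broken);   // safe: no dereference
    return ok ? 0 : 1;
}
```

The checked version stores the pointer in a local instead of calling getCollection() twice as the report's one-liner does: one evaluation is cheaper and leaves no room for the two calls to disagree. The order of the two operands also matters: because a member call through a null pointer is undefined behaviour, the null test has to come before the call, not after it; a compiler is entitled to assume a pointer that has already been dereferenced is non-null and drop a later check.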