[Poppler-bugs] [Bug 101524] New: NULL pointer dereference at JBIG2Stream.cc:1316
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue Jun 20 17:02:01 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101524
Bug ID: 101524
Summary: NULL pointer dereference at JBIG2Stream.cc:1316
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: foca at salesforce.com
Created attachment 132094
--> https://bugs.freedesktop.org/attachment.cgi?id=132094&action=edit
Proof of concept
There is a NULL pointer dereference in JBIG2Stream.cc:1316:
1311 n = (int)(dataEnd - dataPtr);
1312 } else {
1313 n = nChars;
1314 }
1315 for (i = 0; i < n; ++i) {
1316 buffer[i] = *dataPtr++ ^ 0xff; //NULL dereference
1317 }
1318 return n;
1319 }
dataPtr is NULL. dataPtr is set at:
1235 void JBIG2Stream::reset() {
....
1258 if (pageBitmap) {
1259 dataPtr = pageBitmap->getDataPtr();
1260 dataEnd = dataPtr + pageBitmap->getDataSize();
1261 } else {
But in some scenarios pageBitmap->getDataPtr() returns NULL. And there is no
check to deal with that case.
A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170620/e46c084a/attachment.html>
More information about the Poppler-bugs
mailing list