[Poppler-bugs] [Bug 101524] New: NULL pointer dereference at JBIG2Stream.cc:1316

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jun 20 17:02:01 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101524

            Bug ID: 101524
           Summary: NULL pointer dereference at JBIG2Stream.cc:1316
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 132094
  --> https://bugs.freedesktop.org/attachment.cgi?id=132094&action=edit
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:1316:

1311        n = (int)(dataEnd - dataPtr);
1312      } else {
1313        n = nChars;
1314      }
1315      for (i = 0; i < n; ++i) {
1316        buffer[i] = *dataPtr++ ^ 0xff;  //NULL dereference
1317      }
1318      return n;
1319    }

dataPtr is NULL. dataPtr is set at:

1235 void JBIG2Stream::reset() {
....
1258   if (pageBitmap) {
1259     dataPtr = pageBitmap->getDataPtr();
1260     dataEnd = dataPtr + pageBitmap->getDataSize();
1261   } else {

But in some scenarios pageBitmap->getDataPtr() returns NULL. And there is no
check to deal with that case.

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170620/e46c084a/attachment.html>


More information about the Poppler-bugs mailing list