[Poppler-bugs] [Bug 101149] New: [pdfunite] crash when parsing a crafted pdf due to null pointer dereference
bugzilla-daemon at freedesktop.org
Tue May 23 03:57:40 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101149
Bug ID: 101149
Summary: [pdfunite] crash when parsing a crafted pdf due to null pointer dereference
Product: poppler
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: utils
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: pengjiaqi at iie.ac.cn
## Summary
The pdfunite utility in poppler-0.55.0 crashes when parsing a crafted PDF file due to a null pointer dereference in main() at ~/utils/pdfunite.cc:357.
## Reproduce
openstack at openstack-virtual-machine:~/pjq/poppler-0.55.0/build-gcc/utils$
./pdfunite null_pointer_deference_poc.pdf 1.pdf
Syntax Error (224): Dictionary key must be a name object
Syntax Error (226): Dictionary key must be a name object
Syntax Error (230): Dictionary key must be a name object
Syntax Error (232): Dictionary key must be a name object
Syntax Error (241): Dictionary key must be a name object
Syntax Error: Kid object (page 1) is wrong type (stream)
Segmentation fault
## Crash Stack
Program received signal SIGSEGV, Segmentation fault.
main (argc=3, argv=<optimized out>) at ../../poppler/Page.h:156
156 GBool isCropped() { return attrs->isCropped(); }
(gdb) bt
#0 main (argc=3, argv=<optimized out>) at ../../poppler/Page.h:156
## Analysis
In ~/utils/pdfunite.cc:357:
354   for (i = 0; i < (int) docs.size(); i++) {
355     for (j = 1; j <= docs[i]->getNumPages(); j++) {
356       PDFRectangle *cropBox = NULL;
357       if (docs[i]->getCatalog()->getPage(j)->isCropped())
Here the value of docs[i]->getCatalog()->getPage(j) is NULL, so the call to isCropped() dereferences a null pointer (attrs->isCropped() at Page.h:156 in the crash stack above), which causes the crash.
In ~/poppler/Catalog.cc:243:
235 Page *Catalog::getPage(int i)
236 {
237   if (i < 1) return NULL;
238
239   catalogLocker();
240   if (i > lastCachedPage) {
241     GBool cached = cachePageTree(i);
242     if ( cached == gFalse) {
243       return NULL;
244     }
245   }
246   return pages[i-1];
247 }
Here Catalog::getPage() returns NULL at line 243 when cachePageTree(i) fails on the crafted page tree (the "Kid object (page 1) is wrong type (stream)" error above), which is why the pointer dereferenced in pdfunite.cc:357 is null.
## Patch
In ~/utils/pdfunite.cc:357, check whether the return value of getPage(j) is NULL before calling isCropped() on it.
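The check described above, as an added example that is not poppler's code and not the reporter's: the Page and Catalog types below are hypothetical minimal stand-ins for poppler's classes so that the pdfunite loop can run stand-alone against a catalog whose getPage() returns a null pointer for an unparseable page, exactly the situation the report describes. The unchecked loop is shown for comparison only; the checked version fetches the page once, tests the pointer, and fails closed instead of dereferencing null.

```cpp
#include <cstdio>
#include <vector>

// Added example, not poppler code. Page and Catalog are hypothetical
// stand-ins for poppler's classes, kept to the members the loop needs.
struct PDFRectangle {
    double x1, y1, x2, y2;
};

struct Page {
    bool cropped;
    PDFRectangle cropBox;
    bool isCropped() const { return cropped; }
    const PDFRectangle *getCropBox() const { return &cropBox; }
};

// Like Catalog::getPage() in the report, getPage() hands back a null
// pointer when the page tree could not be cached for index i. Here a
// null slot models that cachePageTree() failure.
class Catalog {
public:
    explicit Catalog(std::vector<Page *> pages) : pages_(pages) {}
    int getNumPages() const { return static_cast<int>(pages_.size()); }
    Page *getPage(int i) const {
        if (i < 1 || i > getNumPages()) return nullptr;
        return pages_[i - 1];
    }
private:
    std::vector<Page *> pages_;
};

struct CropResult {
    int cropped = 0;  // pages whose crop box was examined
    int missing = 0;  // pages for which getPage() returned null
    bool ok = true;   // false if any page was unparseable
};

// The vulnerable shape of the loop (pdfunite.cc:354-357 in the report):
// getPage(j)->isCropped() with no check. Never call it on brokenDoc below;
// it would dereference the null slot just as pdfunite did.
int countCroppedUnchecked(const std::vector<const Catalog *> &docs) {
    int n = 0;
    for (const Catalog *cat : docs)
        for (int j = 1; j <= cat->getNumPages(); j++)
            if (cat->getPage(j)->isCropped()) n++;
    return n;
}

// Hardened loop: look the page up once, test the pointer, report and stop.
// Stopping on the first bad page rather than skipping it is this example's
// choice (an assumption, not poppler's fix): a merge tool that silently
// drops pages would produce an output nobody asked for.
CropResult countCroppedChecked(const std::vector<const Catalog *> &docs) {
    CropResult r;
    for (size_t i = 0; i < docs.size(); i++) {
        for (int j = 1; j <= docs[i]->getNumPages(); j++) {
            Page *page = docs[i]->getPage(j);
            if (!page) {
                std::fprintf(stderr, "Could not read page %d of document %zu\n", j, i);
                r.missing++;
                r.ok = false;
                return r;
            }
            if (page->isCropped()) r.cropped++;
        }
    }
    return r;
}

// Constructed inputs: a clean two-page document and one whose second page
// slot is null, standing in for the crafted PDF whose Kid object is a stream.
static Page goodA{true, {0, 0, 100, 100}};
static Page goodB{false, {0, 0, 200, 200}};
static Catalog cleanDoc({&goodA, &goodB});
static Catalog brokenDoc({&goodA, nullptr});

CropResult runClean() { return countCroppedChecked({&cleanDoc}); }
CropResult runBroken() { return countCroppedChecked({&cleanDoc, &brokenDoc}); }

int main() {
    CropResult a = runClean();
    CropResult b = runBroken();
    std::printf("clean:  ok=%d cropped=%d missing=%d\n", a.ok, a.cropped, a.missing);
    std::printf("broken: ok=%d cropped=%d missing=%d\n", b.ok, b.cropped, b.missing);
    return b.ok ? 0 : 1;
}
```

Running the checked loop over the clean document counts one cropped page; over both documents it counts two cropped pages, then hits the null slot in the second document and returns with ok set to false instead of crashing, which is the behaviour pdfunite.cc:357 needs.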
## Author
name: Jiaqi Peng
email: pjqruc at gmail.com (if you need the PoC, contact me via email)