[Poppler-bugs] [Bug 101153] New: [pdfunite] crash when parsing a crafted pdf due to null pointer dereference in ~/utils/pdfunite.cc:276
bugzilla-daemon at freedesktop.org
Tue May 23 10:39:49 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101153
Bug ID: 101153
Summary: [pdfunite] crash when parsing a crafted pdf due to null pointer dereference in ~/utils/pdfunite.cc:276
Product: poppler
Version: unspecified
Hardware: x86-64 (AMD64)
OS: FreeBSD
Status: NEW
Severity: normal
Priority: medium
Component: utils
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: pengjiaqi at iie.ac.cn
## Summary
The pdfunite util in poppler-0.55.0 will crash when parsing a crafted pdf file due
to a null pointer dereference in main()@~/utils/pdfunite.cc:276.
PS: this issue is similar to
https://bugs.freedesktop.org/show_bug.cgi?id=101149, but crashes in a different
location and needs a different patch.
## Reproduce
```
openstack at openstack-virtual-machine:~/pjq/poppler-0.55.0/build-gcc/utils$ ./pdfunite null_pointer_deference_poc_276.pdf 1.pdf
Internal Error: xref num 17 not found but needed, try to reconstruct
Syntax Error: Kid object (page 1) is wrong type (null)
Segmentation fault
```
## Crash Stack
```
Program received signal SIGSEGV, Segmentation fault.
0x000000000041acbb in main (argc=3, argv=<optimized out>) at ../../utils/pdfunite.cc:276
276         docs[0]->markPageObjects(ocObj.getDict(), yRef, countRef, 0, refPage->num, refPage->num);
(gdb) bt
#0  0x000000000041acbb in main (argc=3, argv=<optimized out>) at ../../utils/pdfunite.cc:276
```
## Analysis
In ~/utils/pdfunite.cc:276:
```
270     Ref *refPage = docs[0]->getCatalog()->getPageRef(1);
271     if (!afObj.isNull()) {
272       docs[0]->markAcroForm(&afObj, yRef, countRef, 0, refPage->num, refPage->num);
273     }
274     catDict->lookupNF("OCProperties", &ocObj);
275     if (!ocObj.isNull() && ocObj.isDict()) {
276       docs[0]->markPageObjects(ocObj.getDict(), yRef, countRef, 0, refPage->num, refPage->num);
277     }
```
```
(gdb) p refPage
$1 = (Ref *) 0x0
```
Here, the last two arguments of markPageObjects() are both refPage->num,
but refPage=0, causing a null pointer dereference.
refPage comes from line 270, docs[0]->getCatalog()->getPageRef(1),
but the function Catalog::getPageRef() may return NULL (as below):
In ~/poppler/Catalog.cc:257:
```
249 Ref *Catalog::getPageRef(int i)
250 {
251   if (i < 1) return NULL;
252
253   catalogLocker();
254   if (i > lastCachedPage) {
255     GBool cached = cachePageTree(i);
256     if ( cached == gFalse) {
257       return NULL;
258     }
259   }
260   return &pageRefs[i-1];
261 }
```
## Patch
In ~/utils/pdfunite.cc, before using refPage->num, first check whether the value of refPage
obtained at line 270 is NULL.
## Author
name: Jiaqi Peng
email: pjqruc at gmail.com (if you need poc, contact me via email)
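An added example (not part of the bug report and not poppler's code): a stripped-down model of Catalog::getPageRef() returning NULL when the page tree cannot be cached, next to the unchecked caller shape from pdfunite.cc:270-276 and the checked version the Patch section asks for. PageTree, firstPageNumUnchecked, firstPageNumChecked and the object numbers are constructed stand-ins for poppler's Catalog and Ref.

```cpp
// Added example (not poppler's code): a model of Catalog::getPageRef() and of
// the pdfunite.cc:276 caller, before and after the null check. PageTree and
// the object numbers are constructed stand-ins for poppler's Catalog/Ref.
#include <cstdio>
#include <utility>
#include <vector>

struct Ref { int num; int gen; };

class PageTree {
public:
    // kidIsValid[k] says whether /Kids[k] is a usable page dictionary; the
    // crafted file has a Kid that is "wrong type (null)", as in the report.
    explicit PageTree(std::vector<bool> kidIsValid) : kids_(std::move(kidIsValid)) {
        pageRefs_.reserve(kids_.size()); // keep returned Ref* stable
    }
    // Mirrors Catalog::getPageRef(): nullptr for i < 1 or when caching fails.
    const Ref *getPageRef(int i) {
        if (i < 1) return nullptr;
        if (i > lastCachedPage_ && !cachePageTree(i)) return nullptr;
        return &pageRefs_[i - 1];
    }
private:
    bool cachePageTree(int upTo) {
        for (int k = lastCachedPage_; k < upTo; ++k) {
            if (k >= (int)kids_.size() || !kids_[k]) return false; // bad Kid
            pageRefs_.push_back(Ref{10 + k, 0}); // constructed object number
            ++lastCachedPage_;
        }
        return true;
    }
    std::vector<bool> kids_;
    std::vector<Ref> pageRefs_;
    int lastCachedPage_ = 0;
};

// Unpatched shape of pdfunite.cc:270-276: refPage is dereferenced unchecked.
int firstPageNumUnchecked(PageTree &catalog) {
    const Ref *refPage = catalog.getPageRef(1);
    return refPage->num; // SIGSEGV when refPage == nullptr
}

// Patched shape: test the pointer from getPageRef(1) before any use and
// return -1 (pdfunite would print an error and exit) instead of crashing.
int firstPageNumChecked(PageTree &catalog) {
    const Ref *refPage = catalog.getPageRef(1);
    if (refPage == nullptr) {
        std::fprintf(stderr, "Error: first document has no resolvable page 1\n");
        return -1;
    }
    return refPage->num; // safe to pass as the last two markPageObjects() args
}
```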