[Poppler-bugs] [Bug 103552] Out of bounds memory read when loading zero-bytes PDF

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat Nov 11 23:04:46 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=103552

--- Comment #4 from simon-freedesktop at exyr.org ---
There is no use case. Passing 0x1 only makes this bug visible with a segfault
but that’s not the point.

NULL probably triggers an explicit check early. Some other pointers might be
preceded by memory that happens to be valid and so reading there silently
"works", but using a -1 error code as an index still causes an out-of-bounds
memory access. I’m not good at creating exploits, but I believe this is
undefined behavior that could potentially lead to a vulnerability.

This bug is not in the glib frontend. It’s in poppler/PDFDoc.cc that the return
value of getStartXRef() is used without checking for errors. In addition to
checking there, another good change might be to assert in makeSubStream that
the 'start' parameter is not negative.

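To illustrate the pattern the comment describes (an error code of -1 used as a stream offset, and the two checks it proposes), here is an added C example; it is not poppler's code, and find_start_xref, make_substream_checked and load_doc are hypothetical stand-ins for getStartXRef(), makeSubStream and the PDFDoc.cc caller:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for getStartXRef(): find the last "startxref" keyword
 * in the buffer and return its offset, or -1 on error (e.g. a zero-byte file). */
long find_start_xref(const unsigned char *buf, size_t len) {
    const char kw[] = "startxref";
    size_t kwlen = sizeof(kw) - 1;
    if (len < kwlen) return -1;                 /* too short to hold the keyword */
    for (size_t i = len - kwlen + 1; i-- > 0; ) /* scan backwards from the end */
        if (memcmp(buf + i, kw, kwlen) == 0) return (long)i;
    return -1;
}

typedef struct { const unsigned char *base; size_t len; } substream_t;

/* Unchecked pattern: a negative 'start' is silently turned into a pointer
 * before the buffer, which is the out-of-bounds read the bug report describes. */
void make_substream_unchecked(const unsigned char *buf, size_t len, long start, substream_t *out) {
    out->base = buf + start;
    out->len = len - (size_t)start;
}

/* Hardened form: refuse a negative or out-of-range start (the makeSubStream check). */
int make_substream_checked(const unsigned char *buf, size_t len, long start, substream_t *out) {
    if (start < 0 || (size_t)start > len) return 0;
    out->base = buf + start;
    out->len = len - (size_t)start;
    return 1;
}

/* Caller check (the PDFDoc.cc side): do not pass the error code on as an index. */
int load_doc(const unsigned char *buf, size_t len, substream_t *out) {
    long start = find_start_xref(buf, len);
    if (start < 0) return 0;
    return make_substream_checked(buf, len, start, out);
}

/* Constructed sample input (a minimal trailer fragment, not a real PDF). */
static const unsigned char sample_pdf[] = "%PDF-1.4\nobjects...\nstartxref\n9\n%%EOF\n";

long sample_start_offset(void) { return find_start_xref(sample_pdf, sizeof(sample_pdf) - 1); }
int load_zero_byte(void) { substream_t s; return load_doc(sample_pdf, 0, &s); }   /* 0: rejected */
int load_sample(void)    { substream_t s; return load_doc(sample_pdf, sizeof(sample_pdf) - 1, &s); }
```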