[Poppler-bugs] [Bug 103016] New: NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Sep 28 02:00:59 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=103016

            Bug ID: 103016
           Summary: NULL pointer dereference vulnerability in poppler
                    0.59.0 GfxState.cc
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134518
  --> https://bugs.freedesktop.org/attachment.cgi?id=134518&action=edit
POC file of the vulnerability

In Poppler 0.59.0, a NULL Pointer Dereference exists in the
GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF
document. Attackers may exploit this vulnerability by persuading users to open
crafted PDF files.

GDB trace is as follows:

gzq at ubuntu:~/fuzz/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftocairo
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftocairo...done.
(gdb) r -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf 
Starting program: /home/gzq/install/poppler-dev/bin/pdftocairo -q -svg
/home/gzq/work/backup/poppler-gfxstat-5933.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bogus memory allocation size

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>,
in=<optimized out>, out=<optimized out>, length=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
5933            *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>,
in=<optimized out>, out=<optimized out>, length=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
#1  0x000000000042542b in CairoOutputDev::drawSoftMaskedImage (this=<optimized
out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>,
width=<optimized out>, height=<optimized out>, colorMap=0x14b,
interpolate=<optimized out>, maskStr=<optimized out>, 
    maskWidth=<optimized out>, maskHeight=<optimized out>,
maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/CairoOutputDev.cc:2717
#2  0x00007ffff72abd4c in Gfx::doImage (this=<optimized out>, ref=<optimized
out>, str=<optimized out>, inlineImg=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4596
#3  0x00007ffff727444b in Gfx::opXObject (this=0x68fd00, args=<optimized out>,
numArgs=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4173
#4  0x00007ffff7295587 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:886
#5  0x00007ffff729391d in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:750
#6  0x00007ffff7292fb5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<error reading variable: access outside bounds of object
referenced via synthetic pointer>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:712
#7  0x00007ffff73a347e in Page::displaySlice (this=<optimized out>,
out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>,
sliceX=-1, sliceY=<optimized out>, sliceW=<optimized out>, 
    sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/gzq/work/sourcecode/poppler/poppler/Page.cc:560
#8  0x00007ffff73b0641 in PDFDoc::displayPageSlice (this=0x68bd00,
out=0x68cdb0, page=1, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=<optimized out>, useMediaBox=false, crop=false, printing=<optimized
out>, sliceX=<optimized out>, sliceY=<optimized out>, 
    sliceW=<optimized out>, sliceH=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/gzq/work/sourcecode/poppler/poppler/PDFDoc.cc:517
#9  0x0000000000411e8d in renderPage (doc=0x68bd00, cairoOut=<optimized out>,
pg=<optimized out>, page_w=<optimized out>, page_h=<optimized out>,
output_w=<optimized out>, output_h=<optimized out>) at
/home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:728
#10 main (argc=<optimized out>, argv=<optimized out>) at
/home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:1268
(gdb)

The POC file has been attached to reproduce this issue.

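Added example (not poppler's code and not part of the report above): a self-contained C model of the pattern behind the crash line "*inp = byte_lookup[*inp * nComps + i]". It assumes, as the "Bogus memory allocation size" line in the trace suggests, that an overflow-checked allocation of the lookup table can fail and leave the table pointer NULL; it then shows the unchecked dereference beside a variant that refuses a missing table and bounds every sample before using it as an index. The color_map type, checked_mallocn, color_map_init, gray_line_unchecked, gray_line_checked and the demo_* functions are hypothetical names chosen for this example; the pixel data is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an image colour map: a per-sample lookup table
 * with (max_pixel + 1) * n_comps entries, as the indexing in the crash line
 * implies. These are not poppler's types. */
typedef struct {
    int max_pixel;              /* largest sample value, (1 << bits) - 1 */
    int n_comps;                /* samples per pixel */
    unsigned char *byte_lookup; /* NULL if allocation was rejected */
} color_map;

/* Overflow-checked allocation in the spirit of the "Bogus memory allocation
 * size" message: reject non-positive or overflowing sizes and return NULL
 * instead of handing back a short buffer. */
static void *checked_mallocn(int n_objs, int obj_size)
{
    if (n_objs <= 0 || obj_size <= 0 || n_objs > INT_MAX / obj_size) {
        fputs("Bogus memory allocation size\n", stderr);
        return NULL;
    }
    return malloc((size_t)n_objs * (size_t)obj_size);
}

/* Build the table from document-controlled bit depth and component count.
 * On bad input the table stays NULL; a caller that never checks for that is
 * the bug pattern the report describes. Returns 0 on success, -1 otherwise. */
int color_map_init(color_map *cm, int bits, int n_comps)
{
    memset(cm, 0, sizeof *cm);
    if (bits < 1 || bits > 8 || n_comps < 1)
        return -1;
    cm->max_pixel = (1 << bits) - 1;
    cm->n_comps = n_comps;
    cm->byte_lookup = checked_mallocn(cm->max_pixel + 1, n_comps);
    if (!cm->byte_lookup)
        return -1;
    /* identity map for the demo: lookup[v * n_comps + i] = v */
    for (int v = 0; v <= cm->max_pixel; v++)
        for (int i = 0; i < n_comps; i++)
            cm->byte_lookup[v * n_comps + i] = (unsigned char)v;
    return 0;
}

/* Mirrors the crash line: unconditional table dereference with no NULL or
 * range check. With byte_lookup == NULL this is the SIGSEGV in the trace. */
void gray_line_unchecked(const color_map *cm, unsigned char *in, int length)
{
    unsigned char *inp = in;
    for (int j = 0; j < length; j++)
        for (int i = 0; i < cm->n_comps; i++) {
            *inp = cm->byte_lookup[*inp * cm->n_comps + i];
            inp++;
        }
}

/* Hardened variant: refuse to run without a table and bound every sample
 * before it becomes an index. Returns 0 on success, -1 on refusal. */
int gray_line_checked(const color_map *cm, unsigned char *in, int length)
{
    if (!cm->byte_lookup || length < 0)
        return -1;
    unsigned char *inp = in;
    for (int j = 0; j < length; j++)
        for (int i = 0; i < cm->n_comps; i++) {
            if (*inp > cm->max_pixel)   /* would read past the table */
                return -1;
            *inp = cm->byte_lookup[*inp * cm->n_comps + i];
            inp++;
        }
    return 0;
}

void color_map_free(color_map *cm)
{
    free(cm->byte_lookup);
    cm->byte_lookup = NULL;
}

/* Constructed input: two 4-bit RGB pixels through a valid map. With the
 * identity table the samples are unchanged, so the sum is 15+0+7+3+3+3 = 31. */
int demo_valid(void)
{
    color_map cm;
    unsigned char px[6] = {15, 0, 7, 3, 3, 3};
    if (color_map_init(&cm, 4, 3) != 0)
        return -2;
    int rc = gray_line_checked(&cm, px, 2);
    int sum = px[0] + px[1] + px[2] + px[3] + px[4] + px[5];
    color_map_free(&cm);
    return rc == 0 ? sum : -1;
}

/* Constructed input: an absurd component count makes (255+1)*INT_MAX
 * overflow, so the table is never allocated. gray_line_unchecked() would
 * segfault here exactly like the trace; the checked variant returns -1. */
int demo_bogus_size(void)
{
    color_map cm;
    unsigned char px[4] = {1, 2, 3, 4};
    (void)color_map_init(&cm, 8, INT_MAX);
    return gray_line_checked(&cm, px, 1);
}

/* Constructed input: a sample of 200 in a 4-bit map (max_pixel 15) would
 * index far past the 16*3-byte table; the checked variant refuses it. */
int demo_out_of_range(void)
{
    color_map cm;
    unsigned char px[3] = {200, 1, 1};
    if (color_map_init(&cm, 4, 3) != 0)
        return -2;
    int rc = gray_line_checked(&cm, px, 1);
    color_map_free(&cm);
    return rc;
}

int main(void)
{
    printf("valid map: %d\n", demo_valid());
    printf("bogus allocation size: %d\n", demo_bogus_size());
    printf("sample out of range: %d\n", demo_out_of_range());
    return 0;
}
```

The point of the two variants is where the failure is caught: gray_line_checked() turns a NULL table or an oversized sample into an error return the caller can act on, whereas the unchecked loop only fails at the dereference, which is the frame at the top of the backtrace. When triaging a crash like this one, confirming whether the table pointer (not only the map object) was NULL or merely undersized decides whether the bug is a plain NULL dereference or an out-of-bounds read.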