[Poppler-bugs] [Bug 103045] New: NULL pointer dereference in FoFiTrueType::getCFFBlock in poppler 0.59.0 FoFiTrueType.cc
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Sat Sep 30 07:16:45 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=103045
Bug ID: 103045
Summary: NULL pointer dereference in FoFiTrueType::getCFFBlock
in poppler 0.59.0 FoFiTrueType.cc
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: utils
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: luanjunchao at 163.com
Created attachment 134574
--> https://bugs.freedesktop.org/attachment.cgi?id=134574&action=edit
poc of null pointer dereference
When I run "pdftops -level3 -origpagesizes -form -opi -binary -expand -duplex
null3.pdf 1.ps", it crashes. Here is the output:
=================================================================
==83993==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000549543 bp 0xffffffffffffffec sp 0x7ffe4aee3280 T0)
#0 0x549542 in FoFiTrueType::getCFFBlock(char**, int*)
/work/poppler_address/fofi/FoFiTrueType.cc:458
#1 0x549b22 in FoFiTrueType::convertToType1(char*, char const**, bool, void
(*)(void*, char const*, int), void*)
/work/poppler_address/fofi/FoFiTrueType.cc:571
#2 0x4a2515 in PSOutputDev::setupEmbeddedOpenTypeT1CFont(GfxFont*, Ref*,
GooString*) /work/poppler_address/poppler/PSOutputDev.cc:2451
#3 0x4c253f in PSOutputDev::setupFont(GfxFont*, Dict*)
/work/poppler_address/poppler/PSOutputDev.cc:1938
#4 0x4c2e4a in PSOutputDev::setupFonts(Dict*)
/work/poppler_address/poppler/PSOutputDev.cc:1879
#5 0x4bf31b in PSOutputDev::setupResources(Dict*)
/work/poppler_address/poppler/PSOutputDev.cc:1792
#6 0x4c0475 in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*,
std::vector<int, std::allocator<int> > const&, bool)
/work/poppler_address/poppler/PSOutputDev.cc:1703
#7 0x4c43f8 in PSOutputDev::postInit()
/work/poppler_address/poppler/PSOutputDev.cc:1449
#8 0x4c7fa2 in PSOutputDev::checkPageSlice(Page*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*) /work/poppler_address/poppler/PSOutputDev.cc:3244
#9 0x65e5dc in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) /work/poppler_address/poppler/Page.cc:539
#10 0x65e897 in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/work/poppler_address/poppler/Page.cc:483
#11 0x4519ac in main /work/poppler_address/utils/pdftops.cc:423
#12 0x7fb603a0582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x452c68 in _start (/work/poppler_address/build/utils/pdftops+0x452c68)
AddressSanitizer can not provide additional info.
We can see there is null pointer dereference vulnerability in function
FoFiTrueType::getCFFBlock. Here is the snippet:
GBool FoFiTrueType::getCFFBlock(char **start, int *length) {
int i;
if (!openTypeCFF) {
return gFalse;
}
i = seekTable("CFF ");
if (!checkRegion(tables[i].offset, tables[i].len)) {
return gFalse;
}
*start = (char *)file + tables[i].offset;
*length = tables[i].len;
return gTrue;
}
the problem is the variable tables.
The poc of pdf is attached.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170930/1cc6a367/attachment-0001.html>
More information about the Poppler-bugs
mailing list