<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - No validation of returned value leads to null dereference at Annot.cc:5404"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101429">101429</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>No validation of returned value leads to null dereference at Annot.cc:5404
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=131960" name="attach_131960" title="Proof of concept">attachment 131960</a> <a href="attachment.cgi?id=131960&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

No validation of returned value leads to null dereference. The vulnerability is
at 'Annot.cc:5404' in the function 'AnnotScreen::initialize'
Annot.cc
5403     action = LinkAction::parseAction(&obj1,
doc->getCatalog()->getBaseURI());
5404     if (action->getKind() == actionRendition && page == 0) {
5405       error (errSyntaxError, -1, "Invalid Rendition action: associated
screen annotation without P");
5406       delete action;
5407       action = NULL;
5408       ok = gFalse;
5409     }

In 5403 action gets a NULL value when it should be a LinkJavaScript object,
however the getKind method is called in 5404 without checking if action is
valid (!= NULL).

Prior to where the crash occurs, action is assigned a value:

5403        action = LinkAction::parseAction(&obj1,
doc->getCatalog()->getBaseURI());

The line above calls the parseAction function with the object1 and a base URI
that contains '0x7fffffffded0: "\020\337\377\377\377\177"' as baseURI which is
not valid and so null is returned for action as shown below:

Link.cc
133   // action is missing or wrong type
134   } else {
135     error(errSyntaxWarning, -1, "parseAction: Unknown annotation action
object: URI = '{0:s}'",
136           baseURI ? baseURI->getCString() : "NULL");
137     action = NULL;
138   }

This could be fixed just checking for action != NULL after Annot.cc:5403

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>