<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Null dereference due to not checking return value of cairo_image_surface_get_data"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101430">101430</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Null dereference due to not checking return value of cairo_image_surface_get_data
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>cairo backend
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=131961" name="attach_131961" title="Proof of concept">attachment 131961</a> <a href="attachment.cgi?id=131961&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a NULL dereference bug due to not checking the return value of the
parsing function 'cairo_image_surface_get_data'.

The function 'cairo_image_surface_get_data(source)' is supposed to return a
pointer to the data of the image surface, but it returns NULL if the surface is
not an image surface. The program should not continue, as there is no image
surface, but it does.

The function gets called and the pointer (in this case NULL) gets stored in
source_data at CairoOutputDev.cc:1831:

1830     /* convert to a luminocity map */
1831     uint32_t *source_data = (uint32_t*)cairo_image_surface_get_data(source);
1832     /* get stride in units of 32 bits */
1833     int stride = cairo_image_surface_get_stride(source)/4;
1834     for (int y=0; y<height; y++) {
1835       for (int x=0; x<width; x++) {
1836         int lum = alpha ? fill_opacity : luminocity(source_data[y*stride + x]);

When alpha is false, which in this situation it is, luminocity is called with
the location of source_data[0] at CairoOutputDev.cc:1836 (as x=0 and y=0 on the
first run of the loop).

To fix this bug the code should check after line 1831 for source_data != NULL.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>
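<p>The hardened shape of the loop the report describes, as an added example that is not poppler's code and not part of the bug report. It replaces cairo with a constructed toy surface type (<code>toy_surface_get_data</code> returns NULL for anything that is not an image surface, mirroring the documented behaviour of <code>cairo_image_surface_get_data</code>), and the Rec.601 luma formula is an assumption standing in for poppler's own <code>luminocity()</code> helper, whose body is not on the page. The point is the NULL check right after the get_data call, which turns the crash into an error return that the caller can handle.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy surface model, constructed for this example (not cairo). kind decides
 * whether get_data hands back pixels or NULL, mirroring the documented
 * behaviour of cairo_image_surface_get_data on a non-image surface. */
enum surface_kind { SURFACE_IMAGE, SURFACE_OTHER };

struct toy_surface {
    enum surface_kind kind;
    int stride;        /* bytes per row */
    uint32_t *pixels;  /* ARGB32 pixels; only valid when kind == SURFACE_IMAGE */
};

static uint32_t *toy_surface_get_data(const struct toy_surface *s) {
    return s->kind == SURFACE_IMAGE ? s->pixels : NULL;
}

static int toy_surface_get_stride(const struct toy_surface *s) {
    return s->stride;
}

/* Rec.601 luma; an assumption standing in for poppler's luminocity() helper,
 * whose body is not on the page. */
static int luminosity(uint32_t argb) {
    int r = (argb >> 16) & 0xff, g = (argb >> 8) & 0xff, b = argb & 0xff;
    return (299 * r + 587 * g + 114 * b) / 1000;
}

/* Hardened counterpart of CairoOutputDev.cc:1830-1836: the NULL check after
 * get_data turns the crash into an error return. Writes one luma byte per
 * pixel into out; returns 0 on success, -1 on a non-image source or a
 * too-small output buffer. */
int convert_to_luminosity(const struct toy_surface *source, int width, int height,
                          uint8_t *out, size_t out_len) {
    uint32_t *source_data = toy_surface_get_data(source);
    if (source_data == NULL)   /* the check the report asks for */
        return -1;
    if (out == NULL || width < 0 || height < 0 ||
        out_len < (size_t)width * (size_t)height)
        return -1;
    int stride = toy_surface_get_stride(source) / 4;   /* stride in uint32_t units */
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++)
            out[y * width + x] = (uint8_t)luminosity(source_data[y * stride + x]);
    return 0;
}

/* Constructed 2x2 ARGB32 image: white, black / pure red, pure green.
 * Stride is 8 bytes (2 pixels) with no row padding. */
static uint32_t sample_pixels[4] = { 0xffffffffu, 0xff000000u, 0xffff0000u, 0xff00ff00u };

/* Returns 1 if the image path produces the expected four luma values. */
int demo_image_surface(void) {
    struct toy_surface img = { SURFACE_IMAGE, 8, sample_pixels };
    uint8_t out[4] = { 0 };
    if (convert_to_luminosity(&img, 2, 2, out, sizeof out) != 0) return 0;
    return out[0] == 255 && out[1] == 0 && out[2] == 76 && out[3] == 149;
}

/* Returns 1 if a non-image surface is rejected instead of dereferencing NULL. */
int demo_non_image_surface(void) {
    struct toy_surface other = { SURFACE_OTHER, 8, NULL };
    uint8_t out[4] = { 0 };
    return convert_to_luminosity(&other, 2, 2, out, sizeof out) == -1;
}

int main(void) {
    printf("image surface: %s\n", demo_image_surface() ? "ok" : "FAIL");
    printf("non-image surface rejected: %s\n", demo_non_image_surface() ? "ok" : "FAIL");
    return 0;
}
```

<p>The output-buffer size check is included alongside the NULL check because the same loop indexes <code>source_data[y*stride + x]</code> with values that arrive from the caller; validating both the pointer and the bounds at the top of the routine keeps all the preconditions in one place.</p>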


    </body>
</html>