<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Null pointer dereference in function getRow at CairoOutputDev.cc:3160"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101431">101431</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Null pointer dereference in function getRow at CairoOutputDev.cc:3160
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>cairo backend
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=131963" name="attach_131963" title="Proof of concept">attachment 131963</a> <a href="attachment.cgi?id=131963&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

Hi, 

There is a null pointer dereference bug in the function getRow
(CairoOutputDev.cc:3122). At the line 3130 the variable pix can get a NULL
value returned by imgStr->getLine();

3122   void getRow(int row_num, uint32_t *row_data) override {
3123     int i;
3124     Guchar *pix;
3125 
3126     if (row_num <= current_row)
3127       return;
3128 
3129     while (current_row  < row_num) {
3130       pix = imgStr->getLine();
3131       current_row++;
3132     }
3133 
3134     if (unlikely(pix == NULL)) {
3135       memset(row_data, 0, width*4);
3136       if (!imageError) {
3137         error(errInternal, -1, "Bad image stream");
3138         imageError = gTrue;
3139       }


This scenario (pix == NULL) is checked later at the line 3134. But the
execution isn't stopped so the lines 3160 are reached with pix holding a NULL
pointer.

3156     if (maskColors) {
3157       for (int x = 0; x < width; x++) {
3158         bool is_opaque = false;
3159         for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
3160           if (pix[i] < maskColors[2*i] ||
3161               pix[i] > maskColors[2*i+1]) {
3162             is_opaque = true;
3163             break;
3164           }
3165         }

A solution could be exiting the function after the error is detected at 3138.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>