<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - NULL pointer dereference in GooString.h:121" href="https://bugs.freedesktop.org/show_bug.cgi?id=101505">101505</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereference in GooString.h:121
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132070" name="attach_132070" title="Proof of concept">attachment 132070</a> <a href="attachment.cgi?id=132070&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a NULL pointer dereference.

The SIGSEGV happens in GooString.h:121:
121       char *getCString() { return s; }

But the problem comes from GfxFont.cc:826:
825       //----- CID font substitution
826       if ((path = globalParams->findCCFontFile(
827                                     ((GfxCIDFont *)this)->getCollection()))) {
828         if ((fontLoc = getExternalFont(path, gTrue))) {

((GfxCIDFont *)this)->getCollection() returns NULL, and this is not checked in
this function or in any of the following functions until the NULL dereference
happens at getCString:
#0  0x000000000040b480 in GooString::getCString (this=0x0) at ../goo/GooString.h:121
#1  0x00000000004a67c9 in GooHash::hash (this=0x7fc350, key=0x0) at GooHash.cc:369
#2  0x00000000004a66b5 in GooHash::find (this=0x7fc350, key=0x0, h=0x7fffffffd414) at GooHash.cc:342
#3  0x00000000004a5e21 in GooHash::lookup (this=0x7fc350, key=0x0) at GooHash.cc:136

A possible solution is to verify that the returned value of getCollection is !=
NULL:
826       if (((GfxCIDFont *)this)->getCollection() != NULL && (path = globalParams->findCCFontFile(
827                                     ((GfxCIDFont *)this)->getCollection()))) {

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>
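<p>The following is an added illustration, not poppler code and not part of the report: a small C++ model of the call chain above, with the reporter's caller-side NULL check on the collection plus a second guard inside the lookup itself, so a NULL key can no longer reach the hash. The type and function names (CIDFont, GlobalParamsModel, substituteCIDFont) and the font-file mapping are constructed for the example.</p>

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <unordered_map>

// Constructed stand-in for GfxCIDFont: getCollection() may legitimately
// return nullptr, which is the condition the report describes.
struct CIDFont {
    const std::string *collection;
    const std::string *getCollection() const { return collection; }
};

// Constructed stand-in for GlobalParams and its CID-font-file table.
struct GlobalParamsModel {
    std::unordered_map<std::string, std::string> ccFontFiles;

    // Mirrors the unchecked path from the backtrace: the key is dereferenced
    // while hashing, so a nullptr key is undefined behaviour (SIGSEGV in practice).
    // Kept only for comparison; never call it with a nullptr key.
    const std::string *findCCFontFileUnchecked(const std::string *key) const {
        auto it = ccFontFiles.find(*key);
        return it == ccFontFiles.end() ? nullptr : &it->second;
    }

    // Hardened lookup: a NULL key means "no collection", so there is nothing to find.
    const std::string *findCCFontFile(const std::string *key) const {
        if (key == nullptr) return nullptr;
        auto it = ccFontFiles.find(*key);
        return it == ccFontFiles.end() ? nullptr : &it->second;
    }
};

// Caller-side guard, equivalent to the check the report proposes for GfxFont.cc:826:
// do not attempt CID font substitution when the font has no collection.
const std::string *substituteCIDFont(const GlobalParamsModel &gp, const CIDFont &font) {
    const std::string *collection = font.getCollection();
    if (collection == nullptr) return nullptr;
    return gp.findCCFontFile(collection);
}

int main() {
    GlobalParamsModel gp;
    gp.ccFontFiles["Adobe-Japan1"] = "/fonts/example-cid.ttf"; // constructed sample entry
    std::string coll = "Adobe-Japan1";
    CIDFont withCollection{&coll}, noCollection{nullptr};
    const std::string *path = substituteCIDFont(gp, withCollection);
    std::cout << (path ? *path : "(none)") << "\n";
    std::cout << (substituteCIDFont(gp, noCollection) ? "found" : "no collection, skipped") << "\n";
    return 0;
}
```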


    </body>
</html>