<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Reading outside bounds at Functions.cc:218"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101501">101501</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Reading outside bounds at Functions.cc:218
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132065" name="attach_132065" title="Proof of concept">attachment 132065</a> <a href="attachment.cgi?id=132065&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a bug reading outside bounds at Functions.cc:218

 212 }
 213 
 214 void IdentityFunction::transform(double *in, double *out) {
 215   int i;
 216 
 217   for (i = 0; i < funcMaxOutputs; ++i) {
 218     out[i] = in[i];
 219   }
 220 }

funcMacOutputs is defined in Functions.h:
#define funcMaxOutputs       32

Parsing the PoC.pdf, this function is called from GfxFunctionShading::getColor:

3957 void GfxFunctionShading::getColor(double x, double y, GfxColor *color) {
3958   double in[2], out[gfxColorMaxComps];
3959   int i;
3960 
3961   // NB: there can be one function with n outputs or n functions with
3962   // one output each (where n = number of color components)
3963   for (i = 0; i < gfxColorMaxComps; ++i) {
3964     out[i] = 0;
3965   }
3966   in[0] = x;
3967   in[1] = y;
3968   for (i = 0; i < nFuncs; ++i) {
3969     funcs[i]->transform(in, &out[i]);
3970   }
3971   for (i = 0; i < gfxColorMaxComps; ++i) {
3972     color->c[i] = dblToCol(out[i]);
3973   }
3974 }

Where the variable in has only 2 elements, instead of the 32 read at
IdentityFunction::transform. So 30 elements are read after the in.

This could be fixed increasing the number of elements for the variable in:
3958   double in[gfxColorMaxComps], out[gfxColorMaxComps];

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>