<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - NULL pointer dereference in JBIG2Stream.cc:689"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101525">101525</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereference in JBIG2Stream.cc:689
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132095" name="attach_132095" title="Proof of concept">attachment 132095</a> <a href="attachment.cgi?id=132095&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:689:

688         { return (x < 0 || x >= w || y < 0 || y >= h) ? 0 :
689                  (data[y * line + (x >> 3)] >> (7 - (x & 7))) & 1; }

Parsing the attached PoC.pdf the variable data is NULL and the NULL pointer
dereference happens.

This function is called from JBIG2Bitmap::getSlice:
759     JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint
hA) {
760       JBIG2Bitmap *slice;
761       Guint xx, yy;
762     
763       slice = new JBIG2Bitmap(0, wA, hA);
764       if (slice->isOk()) {
765         slice->clearToZero();
766         for (yy = 0; yy < hA; ++yy) {
767           for (xx = 0; xx < wA; ++xx) {
768             if (getPixel(x + xx, y + yy)) {

The problem is the this->data is NULL but the slice->data is valid because it
was created with valid wA and hA values. Then the slice->isOk() return True,
and the this->data is used inside the getPixel.

A solution could be to check for data != NULL at line 764:
764       if (data != NULL && slice->isOk()) {

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>