<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc AnnotRichMedia::Configuration::Configuration()"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102607">102607</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc AnnotRichMedia::Configuration::Configuration()
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>etovio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134071" name="attach_134071" title="POC file of the vulnerability">attachment 134071</a> <a href="attachment.cgi?id=134071&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability
A NULL pointer dereference vulnerability was found in poppler Annot.cc
AnnotRichMedia::Configuration::Configuration() which may lead to potential
Denial of Service attack when handling malicious PDF files:
gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -s
./mal-Annot-cc-6770-3-16.pdf a
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
Syntax Error (1884): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault
The Configuration() function code is as below:
AnnotRichMedia::Configuration::Configuration(Dict *dict)
{
  Object obj1 = dict->lookup("Instances");
  if (obj1.isArray()) {
    nInstances = obj1.arrayGetLength();
    instances = (Instance **)gmallocn(nInstances, sizeof(Instance *));
    for (int i = 0; i < nInstances; ++i) {
      Object obj2 = obj1.arrayGet(i);
      if (obj2.isDict()) {
        instances[i] = new AnnotRichMedia::Instance(obj2.getDict());
      } else {
        // a non-dictionary array element leaves a NULL slot in instances[]
        instances[i] = NULL;
      }
    }
  } else {
    instances = NULL;
  }
  obj1 = dict->lookup("Name");
  if (obj1.isString()) {
    name = new GooString(obj1.getString());
  } else {
    name = NULL;
  }
  obj1 = dict->lookup("Subtype");
  if (obj1.isName()) {
    const char *name = obj1.getName();
    if (!strcmp(name, "3D")) {
      type = type3D;
    } else if (!strcmp(name, "Flash")) {
      type = typeFlash;
    } else if (!strcmp(name, "Sound")) {
      type = typeSound;
    } else if (!strcmp(name, "Video")) {
      type = typeVideo;
    } else {
      // determine from first instance
      if (instances && nInstances > 0) {
        // instances[0] may be NULL (see the loop above); it is dereferenced unchecked
        AnnotRichMedia::Instance *instance = instances[0];
        switch (instance->getType()) {
        case AnnotRichMedia::Instance::type3D:
          type = type3D;
          break;
        case AnnotRichMedia::Instance::typeFlash:
          type = typeFlash;
          break;
        case AnnotRichMedia::Instance::typeSound:
          type = typeSound;
          break;
        case AnnotRichMedia::Instance::typeVideo:
          type = typeVideo;
          break;
        default:
          type = typeFlash;
          break;
        }
      }
    }
  }
}
From the for() loop we can see that it is possible that instances[i] is set to
NULL if a crafted PDF file is being handled, but the following call
instance->getType() is not aware of it.
This vulnerability has been reproduced in both the latest stable release 0.59.0
and the latest code in the repository. xpdf is also affected.
A pdf file has been attached to help to reproduce this vulnerability.</pre>
</div>
</p>
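<p>The unchecked dereference described in the report, shown beside a guarded version. This is an added example, not poppler's code or the reporter's: <code>Instance</code>, <code>resolveConfigType()</code> and <code>craftedCase()</code> are simplified stand-ins, and the fallback to <code>cfgFlash</code> when no instance can be inspected is this example's choice.</p>

```cpp
#include <cstring>

// Simplified stand-in for poppler's AnnotRichMedia::Instance (hypothetical).
struct Instance {
    enum Type { type3D, typeFlash, typeSound, typeVideo };
    Type t;
    Type getType() const { return t; }
};

enum ConfigType { cfg3D, cfgFlash, cfgSound, cfgVideo };

// Mirrors the /Subtype resolution in Configuration(). `instances` may hold
// nullptr slots, exactly what the for() loop in the report produces for array
// elements that are not dictionaries. The original code checks only
// `instances && nInstances > 0` and then dereferences instances[0]; the extra
// `instances[0]` test below is the guard it lacks.
ConfigType resolveConfigType(const char *subtype, Instance **instances, int nInstances)
{
    if (subtype) {
        if (!strcmp(subtype, "3D"))    return cfg3D;
        if (!strcmp(subtype, "Flash")) return cfgFlash;
        if (!strcmp(subtype, "Sound")) return cfgSound;
        if (!strcmp(subtype, "Video")) return cfgVideo;
    }
    // Unknown or missing /Subtype: determine from the first instance, but only
    // if that slot actually holds an object.
    if (instances && nInstances > 0 && instances[0]) {
        switch (instances[0]->getType()) {
        case Instance::type3D:    return cfg3D;
        case Instance::typeFlash: return cfgFlash;
        case Instance::typeSound: return cfgSound;
        case Instance::typeVideo: return cfgVideo;
        }
    }
    // Fallback chosen for this example; the original leaves `type` unassigned
    // when no instance is available.
    return cfgFlash;
}

// Constructed scenario matching the report: /Subtype is not a known name and
// the first /Instances element was not a dictionary, so slot 0 is nullptr.
ConfigType craftedCase()
{
    Instance sound{Instance::typeSound};
    Instance *instances[2] = {nullptr, &sound};
    return resolveConfigType("Bogus", instances, 2);
}
```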
</body>
</html>