<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - NULL pointer dereference vulnerability in poppler 0.59.0 FoFiType1C::convertToType0:907"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102653">102653</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>NULL pointer dereference vulnerability in poppler 0.59.0 FoFiType1C::convertToType0:907
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>utils
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>luanjunchao@163.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134155" name="attach_134155" title="a corpus of crash">attachment 134155</a> <a href="attachment.cgi?id=134155&action=edit" title="a corpus of crash">[details]</a></span>
a corpus of crash
A NULL pointer dereference vulnerability is triggered in
FoFiType1C::convertToType0 when I use pdftops to convert a PDF to a PS file.
We can trace it with gdb:
#gdb -q ./utils/pdftops
Reading symbols from ./utils/pdftops...done.
(gdb) run crash.pdf a
Starting program: /work/poppler-0.59.0/utils/pdftops
"../output_ps/crashes/id:000000,sig:11,src:000001,op:flip1,pos:10912" a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000000000544f85 in FoFiType1C::convertToType0 (this=<optimized out>,
psName=<optimized out>, codeMap=<optimized out>, nCodes=<optimized out>,
outputFunc=<optimized out>, outputStream=0xb48ab0)
at FoFiType1C.cc:907
907 if (privateDicts[fd].hasFontMatrix) {
(gdb) bt
#0 0x0000000000544f85 in FoFiType1C::convertToType0 (this=<optimized out>,
psName=<optimized out>, codeMap=<optimized out>, nCodes=<optimized out>,
outputFunc=<optimized out>,
outputStream=0xb48ab0) at FoFiType1C.cc:907
#1 0x000000000048eab9 in PSOutputDev::setupEmbeddedCIDType0Font
(this=0xb48e70, font=<optimized out>, id=0xb4c288, psName=0xb3e310) at
PSOutputDev.cc:2655
#2 0x00000000004854e8 in PSOutputDev::setupFont (this=0xb48e70,
font=<optimized out>, parentResDict=<optimized out>) at PSOutputDev.cc:1953
#3 0x000000000048339b in PSOutputDev::setupFonts (this=0xb48e70,
resDict=0xb49910) at PSOutputDev.cc:1885
#4 0x00000000004804f1 in PSOutputDev::setupResources (this=0xb48e70,
resDict=0xb49910) at PSOutputDev.cc:1798
#5 0x000000000047c2bf in PSOutputDev::writeDocSetup (this=0xb48e70,
doc=<optimized out>, catalog=<optimized out>, pages=..., duplexA=<optimized
out>) at PSOutputDev.cc:1696
#6 0x0000000000478f93 in PSOutputDev::postInit (this=<optimized out>) at
PSOutputDev.cc:1455
#7 0x0000000000495a44 in PSOutputDev::checkPageSlice (this=0xb48e70,
page=0xb49e20, rotateA=0,
useMediaBox=<error reading variable: access outside bounds of object
referenced via synthetic pointer>, crop=true, sliceX=-1, sliceY=-1, sliceW=0,
sliceH=11836960, printing=<optimized out>,
abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>,
annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized
out>) at PSOutputDev.cc:3246
#8 0x0000000000701dd4 in Page::displaySlice (this=0xb49e20, out=<optimized
out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=<optimized out>,
crop=<optimized out>, sliceX=-1, sliceY=1, sliceW=12023799, sliceH=-1,
printing=<optimized out>, abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>,
annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized
out>, copyXRef=<optimized out>) at Page.cc:539
#9 0x0000000000701d03 in Page::display (this=0xb4b4b2, out=0x85d300,
hDPI=1.3980432860952889e-76, vDPI=2.3715151000379834e-322, rotate=11832208,
useMediaBox=<optimized out>,
crop=<optimized out>, printing=<optimized out>, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>) at Page.cc:481
#10 0x00000000004218f2 in PDFDoc::displayPage (this=0xb3df80, out=0xb48e70,
page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=0,
useMediaBox=<error reading variable: access outside bounds of object
referenced via synthetic pointer>,
crop=<error reading variable: access outside bounds of object referenced
via synthetic pointer>, printing=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>,
annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized
out>, copyXRef=<optimized out>) at PDFDoc.cc:485
#11 0x0000000000408184 in main (argc=<optimized out>, argv=<optimized out>) at
pdftops.cc:422
We can see the code at PSOutputDev.cc:2655:
  // convert it to a Type 0 font
  if ((fontBuf = font->readEmbFontFile(xref, &fontLen))) {
    if ((ffT1C = FoFiType1C::make(fontBuf, fontLen))) {
      if (globalParams->getPSLevel() >= psLevel3) {
        // Level 3: use a CID font
        ffT1C->convertToCIDType0(psName->getCString(), NULL, 0,
                                 outputFunc, outputStream);
      } else {
        // otherwise: use a non-CID composite font
        ffT1C->convertToType0(psName->getCString(), NULL, 0,
                              outputFunc, outputStream);
      }
      delete ffT1C;
    }
    gfree(fontBuf);
  }
It creates a new FoFiType1C object with a NULL privateDicts and calls
convertToType0, and at line 907 it accesses privateDicts directly without
checking whether it is initialized.
FoFiType1C *FoFiType1C::make(char *fileA, int lenA) {
  FoFiType1C *ff;

  ff = new FoFiType1C(fileA, lenA, gFalse);
  if (!ff->parse()) {
    delete ff;
    return NULL;
  }
  return ff;
}

FoFiType1C::FoFiType1C(char *fileA, int lenA, GBool freeFileDataA):
  FoFiBase(fileA, lenA, freeFileDataA)
{
  name = NULL;
  encoding = NULL;
  privateDicts = NULL;
  fdSelect = NULL;
  charset = NULL;
  charsetLength = 0;
}

void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes,
                                FoFiOutputFunc outputFunc,
                                void *outputStream) {
  ...
  if (privateDicts[fd].hasFontMatrix) {
  ...</pre>
</div>
</p>
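<p>The access pattern the report points at (a factory that returns an object whose <code>privateDicts</code> may still be unset, followed by an unguarded <code>privateDicts[fd]</code>) and the checks that would stop it, as an added illustration. This is not poppler code and not the project's fix: the structs, the toy byte layout parsed by <code>parseToy()</code> (it is not CFF/Type1C), the sample buffers and every function name below are assumptions made for the example. It also goes one step beyond the report by treating an out-of-range <code>fd</code> from FDSelect as a second failure mode of the same line.</p>

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model of the objects named in the report. Member names follow the
// page (privateDicts, fdSelect); everything else is invented for illustration.
struct PrivateDict {
    bool hasFontMatrix;
    double fontMatrix[6];
};

struct Type1CModel {
    // In the report this is a raw pointer the constructor leaves NULL; an empty
    // vector stands in for that "never allocated" state here.
    std::vector<PrivateDict> privateDicts;
    // Glyph -> index into privateDicts (FDSelect). Empty when the font has none.
    std::vector<uint8_t> fdSelect;
    int nGlyphs = 0;
};

// Toy parser for a constructed header: [nGlyphs][nFDs][fdSelect bytes...].
// Like the page's FoFiType1C::make(), it only rejects obviously truncated input
// and otherwise hands back an object, even one whose privateDicts is empty.
bool parseToy(const std::vector<uint8_t> &buf, Type1CModel &out) {
    if (buf.size() < 2) return false;
    out.nGlyphs = buf[0];
    int nFDs = buf[1];
    if (buf.size() < static_cast<size_t>(2 + out.nGlyphs)) return false;
    out.fdSelect.assign(buf.begin() + 2, buf.begin() + 2 + out.nGlyphs);
    out.privateDicts.assign(nFDs, PrivateDict{true, {0.001, 0, 0, 0.001, 0, 0}});
    return true;
}

// Shape of the access at FoFiType1C.cc:907 in the report: privateDicts[fd] with
// no check that privateDicts exists or that fd is in range. Shown only for the
// pattern; on malformed input this is undefined behaviour, so never call it on
// untrusted fonts.
bool hasFontMatrixUnchecked(const Type1CModel &f, int glyph) {
    int fd = f.fdSelect.empty() ? 0 : f.fdSelect[glyph];
    return f.privateDicts[fd].hasFontMatrix;  // NULL / out-of-range read on bad input
}

// Hardened form: validate the array and the index before dereferencing, and
// report why the font was rejected instead of crashing the converter.
enum class FdError { None, Truncated, NoPrivateDicts, GlyphOutOfRange, FdOutOfRange };

const PrivateDict *selectPrivateDict(const Type1CModel &f, int glyph, FdError &err) {
    err = FdError::None;
    if (f.privateDicts.empty()) { err = FdError::NoPrivateDicts; return nullptr; }
    size_t fd = 0;
    if (!f.fdSelect.empty()) {
        if (glyph < 0 || static_cast<size_t>(glyph) >= f.fdSelect.size()) {
            err = FdError::GlyphOutOfRange;
            return nullptr;
        }
        fd = f.fdSelect[glyph];
    }
    if (fd >= f.privateDicts.size()) { err = FdError::FdOutOfRange; return nullptr; }
    return &f.privateDicts[fd];
}

// Walks every glyph the way a per-glyph conversion loop would; stops with the
// first error as soon as any glyph would have dereferenced bad memory.
bool convertToType0Checked(const Type1CModel &f, FdError &firstErr) {
    for (int g = 0; g < f.nGlyphs; ++g) {
        const PrivateDict *pd = selectPrivateDict(f, g, firstErr);
        if (!pd) return false;
        if (pd->hasFontMatrix) { /* a real converter would emit /FontMatrix here */ }
    }
    firstErr = FdError::None;
    return true;
}

// Parse a buffer and run the checked conversion; FdError::None means accepted.
FdError checkToy(const std::vector<uint8_t> &buf) {
    Type1CModel f;
    FdError e = FdError::None;
    if (!parseToy(buf, f)) return FdError::Truncated;
    convertToType0Checked(f, e);
    return e;
}

// Constructed inputs (not from the bug's attachment):
//   good:   3 glyphs, 2 FDs, fdSelect = {0,1,0}
//   noDict: 3 glyphs, 0 FDs -> privateDicts never populated (the report's case)
//   badFd:  3 glyphs, 2 FDs, fdSelect = {0,7,0} -> fd 7 is past the end
inline std::vector<uint8_t> sampleGood()   { return {3, 2, 0, 1, 0}; }
inline std::vector<uint8_t> sampleNoDict() { return {3, 0, 0, 0, 0}; }
inline std::vector<uint8_t> sampleBadFd()  { return {3, 2, 0, 7, 0}; }

int main() {
    // The report's case is rejected cleanly instead of faulting.
    return checkToy(sampleNoDict()) == FdError::NoPrivateDicts ? 0 : 1;
}
```

<p>The point of the two-step check is that either half alone is insufficient: a non-NULL <code>privateDicts</code> still has a length, and an FDSelect value that parsed successfully is still attacker-controlled until it is compared against that length.</p>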
</body>
</html>