<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - NULL pointer dereference vulnerability in poppler 0.59.0 JPEG2000Stream.cc JPXStream::init()"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=102916">102916</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereference vulnerability in poppler 0.59.0 JPEG2000Stream.cc JPXStream::init()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>etovio@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=134397" name="attach_134397" title="POC file of the vulnerability">attachment 134397</a> <a href="attachment.cgi?id=134397&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler 0.59.0
JPEG2000Stream.cc JPXStream::init() which may lead to a potential attack when
handling crafted PDF files:

gzq@ubuntu:~/mal$ /home/gzq/install/poppler/bin/pdftohtml -q mal-jpeg2000.pdf .
Segmentation fault

gzq@ubuntu:~/mal$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q mal-jpeg2000.pdf 
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q mal-jpeg2000.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555956134 in JPXStream::init (this=this@entry=0x555555d03aa0) at
JPEG2000Stream.cc:229
229         priv->npixels = priv->image->comps[0].w * priv->image->comps[0].h;
(gdb) bt
#0  0x0000555555956134 in JPXStream::init (this=this@entry=0x555555d03aa0) at
JPEG2000Stream.cc:229
#1  0x0000555555957ce6 in JPXStream::getImageParams (this=0x555555d03aa0,
bitsPerComponent=0x7fffffffd7b8, csMode=0x7fffffffd7bc) at
JPEG2000Stream.cc:160
#2  0x00005555556dd507 in Gfx::doImage (this=this@entry=0x555555d00340,
ref=ref@entry=0x7fffffffdea0, str=0x555555d03aa0,
inlineImg=inlineImg@entry=false) at Gfx.cc:4191
#3  0x00005555556e45f2 in Gfx::opXObject (this=0x555555d00340, args=<optimized
out>, numArgs=<optimized out>) at Gfx.cc:4130
#4  0x00005555556cd16b in Gfx::go (this=this@entry=0x555555d00340,
topLevel=topLevel@entry=true) at Gfx.cc:744
#5  0x00005555556cf3cd in Gfx::display (this=this@entry=0x555555d00340,
obj=obj@entry=0x7fffffffe250, topLevel=topLevel@entry=true) at Gfx.cc:706
#6  0x00005555557a8e7f in Page::displaySlice (this=0x555555d007f0,
out=0x555555cfd600, out@entry=0x0, hDPI=108,
hDPI@entry=4.6355706591866836e-310, vDPI=108, vDPI@entry=-nan(0xfffffffffffff),
rotate=0, rotate@entry=-1, useMediaBox=useMediaBox@entry=255, 
    crop=crop@entry=255, sliceX=sliceX@entry=-1, sliceY=-1, sliceW=-1,
sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
Page.cc:560
#7  0x00005555557a96c0 in Page::display (this=<optimized out>,
out=out@entry=0x0, hDPI=hDPI@entry=4.6355706591866836e-310,
vDPI=vDPI@entry=-nan(0xfffffffffffff), rotate=rotate@entry=-1,
useMediaBox=useMediaBox@entry=255, crop=crop@entry=255, 
    printing=printing@entry=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
Page.cc:483
#8  0x00005555557b7b87 in PDFDoc::displayPage (this=this@entry=0x555555cfce70,
out=0x0, out@entry=0x555555cfd600, page=page@entry=1,
hDPI=4.6355706591866836e-310, hDPI@entry=108, vDPI=-nan(0xfffffffffffff),
vDPI@entry=108, rotate=-1, rotate@entry=0, 
    useMediaBox=useMediaBox@entry=true, crop=crop@entry=false,
printing=<optimized out>, abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:488
#9  0x00005555557b7d57 in PDFDoc::displayPages (this=0x555555cfce70,
out=0x555555cfd600, firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0,
useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0) at PDFDoc.cc:504
#10 0x00005555555b2a51 in main (argc=<optimized out>, argv=<optimized out>) at
pdftohtml.cc:390
(gdb) print priv
$1 = (JPXStreamPrivate *) 0x555555d03af0
(gdb) print priv->image
$2 = (opj_image_t *) 0x555555d04d70
(gdb) print priv->image->comps[0]
Cannot access memory at address 0x0
(gdb) print *priv->image
$3 = {x0 = 0, y0 = 0, x1 = 0, y1 = 0, numcomps = 0, color_space =
CLRSPC_UNSPECIFIED, comps = 0x0, icc_profile_buf = 0x0, icc_profile_len = 0}
(gdb) 

The crafted pdf file has been attached to help to reproduce the issue.</pre>
        </div>
      </p>
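<p>The gdb session above shows the decoded image with <code>numcomps = 0</code> and <code>comps = 0x0</code>, so the multiplication at JPEG2000Stream.cc:229 indexes a NULL component array. The following is an added example, written for this page and not code from the report, from poppler or from OpenJPEG: it models the crash line with constructed stand-in structs (<code>mock_image_t</code>, <code>mock_priv_t</code>, <code>jpx_init_pixels_*</code> are all names invented here) and places the vulnerable computation beside a hardened variant that validates the component count and array before indexing. The checks are this example's own; they are not a claim about how poppler eventually fixed the bug.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for OpenJPEG's opj_image_comp_t and
 * opj_image_t as they appear in the gdb dump in the report. These are not
 * the real headers; only the fields relevant to the crash are modelled. */
typedef struct {
    uint32_t w;
    uint32_t h;
} mock_image_comp_t;

typedef struct {
    uint32_t numcomps;          /* 0 in the crashing file */
    mock_image_comp_t *comps;   /* NULL in the crashing file */
} mock_image_t;

/* Stand-in for JPXStreamPrivate: only the two fields the crash line uses. */
typedef struct {
    mock_image_t *image;
    size_t npixels;
} mock_priv_t;

/* Vulnerable pattern, equivalent to JPEG2000Stream.cc:229 in the report:
 * comps[0] is indexed without checking that the decoder produced any
 * component. With comps == NULL the reads of .w and .h touch the zero page
 * and the process dies with SIGSEGV. Kept for comparison only. */
static void jpx_init_pixels_vulnerable(mock_priv_t *priv)
{
    priv->npixels = (size_t)priv->image->comps[0].w * priv->image->comps[0].h;
}

/* Hardened variant (this example's own check): reject a missing image, an
 * image with zero components or a NULL component array before indexing,
 * reject zero-sized components, and refuse a w*h product that would wrap
 * size_t (only reachable on 32-bit builds, harmless on 64-bit).
 * Returns 1 on success, 0 if the image is rejected. */
static int jpx_init_pixels_safe(mock_priv_t *priv)
{
    const mock_image_t *img = priv->image;

    if (img == NULL || img->numcomps == 0 || img->comps == NULL) {
        return 0;   /* the state in the report: numcomps = 0, comps = 0x0 */
    }
    uint32_t w = img->comps[0].w;
    uint32_t h = img->comps[0].h;
    if (w == 0 || h == 0) {
        return 0;
    }
    if (w > SIZE_MAX / h) {
        return 0;   /* w * h would overflow size_t */
    }
    priv->npixels = (size_t)w * h;
    return 1;
}

/* Builds an image with the given component count, optionally with a real
 * one-entry component array of w x h, and runs the hardened init.
 * Returns the computed pixel count, or 0 if the image was rejected. */
static size_t try_init_pixels(uint32_t numcomps, int have_comps,
                              uint32_t w, uint32_t h)
{
    mock_image_comp_t comp = { w, h };
    mock_image_t img = { numcomps, have_comps ? &comp : NULL };
    mock_priv_t priv = { &img, 0 };

    return jpx_init_pixels_safe(&priv) ? priv.npixels : 0;
}

int main(void)
{
    /* 1. Exactly the image state gdb printed: numcomps = 0, comps = 0x0. */
    printf("degenerate image -> npixels %zu (0 means rejected)\n",
           try_init_pixels(0, 0, 0, 0));

    /* 2. numcomps claims one component but the array is still NULL. */
    printf("numcomps=1, comps=NULL -> npixels %zu\n",
           try_init_pixels(1, 0, 640, 480));

    /* 3. A well-formed single-component 640x480 image. */
    printf("valid 640x480 image -> npixels %zu\n",
           try_init_pixels(1, 1, 640, 480));

    /* The vulnerable routine only survives because this image is valid;
     * on the degenerate image of case 1 it reproduces the SIGSEGV. */
    mock_image_comp_t comp = { 640, 480 };
    mock_image_t good = { 1, &comp };
    mock_priv_t priv = { &good, 0 };
    jpx_init_pixels_vulnerable(&priv);
    printf("vulnerable routine on valid image -> npixels %zu\n", priv.npixels);
    return 0;
}
```

<p>Two practical notes on the failure mode. Because <code>comps</code> is NULL, the faulting reads land in the zero page, which a normal Linux process cannot map, so the bug is a reliable crash (denial of service for anything that renders untrusted PDFs, as the <code>pdftohtml</code> run shows) rather than a memory write an attacker could steer; the hardening matters less for exploitability than for robustness. The check on <code>numcomps</code> alone is not sufficient, since a decoder could in principle report a component count with no array behind it, which is why the example tests both fields before indexing.</p>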


    </body>
</html>