<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103016">103016</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>etovio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134518" name="attach_134518" title="POC file of the vulnerability">attachment 134518</a> <a href="attachment.cgi?id=134518&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability
In Poppler 0.59.0, a NULL Pointer Dereference exists in the
GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF
document. Attackers may exploit this vulnerability by persuading users to open
crafted PDF files.
GDB trace is as follows:
gzq@ubuntu:~/fuzz/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftocairo
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftocairo...done.
(gdb) r -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf
Starting program: /home/gzq/install/poppler-dev/bin/pdftocairo -q -svg
/home/gzq/work/backup/poppler-gfxstat-5933.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bogus memory allocation size
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>,
in=<optimized out>, out=<optimized out>, length=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
5933 *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0 0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>,
in=<optimized out>, out=<optimized out>, length=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
#1 0x000000000042542b in CairoOutputDev::drawSoftMaskedImage (this=<optimized
out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>,
width=<optimized out>, height=<optimized out>, colorMap=0x14b,
interpolate=<optimized out>, maskStr=<optimized out>,
maskWidth=<optimized out>, maskHeight=<optimized out>,
maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/CairoOutputDev.cc:2717
#2 0x00007ffff72abd4c in Gfx::doImage (this=<optimized out>, ref=<optimized
out>, str=<optimized out>, inlineImg=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4596
#3 0x00007ffff727444b in Gfx::opXObject (this=0x68fd00, args=<optimized out>,
numArgs=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4173
#4 0x00007ffff7295587 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:886
#5 0x00007ffff729391d in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:750
#6 0x00007ffff7292fb5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<error reading variable: access outside bounds of object
referenced via synthetic pointer>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:712
#7 0x00007ffff73a347e in Page::displaySlice (this=<optimized out>,
out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>,
sliceX=-1, sliceY=<optimized out>, sliceW=<optimized out>,
sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
at /home/gzq/work/sourcecode/poppler/poppler/Page.cc:560
#8 0x00007ffff73b0641 in PDFDoc::displayPageSlice (this=0x68bd00,
out=0x68cdb0, page=1, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=<optimized out>, useMediaBox=false, crop=false, printing=<optimized
out>, sliceX=<optimized out>, sliceY=<optimized out>,
sliceW=<optimized out>, sliceH=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
at /home/gzq/work/sourcecode/poppler/poppler/PDFDoc.cc:517
#9 0x0000000000411e8d in renderPage (doc=0x68bd00, cairoOut=<optimized out>,
pg=<optimized out>, page_w=<optimized out>, page_h=<optimized out>,
output_w=<optimized out>, output_h=<optimized out>) at
/home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:728
#10 main (argc=<optimized out>, argv=<optimized out>) at
/home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:1268
(gdb)
The POC file has been attached to reproduce this issue.</pre>
</div>
</p>
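<p>The trace above faults at <code>*inp = byte_lookup[*inp * nComps + i]</code> immediately after a "Bogus memory allocation size" message, i.e. the gray conversion walks a lookup table that was never allocated. The C program below is an added example, not poppler's code: it is a constructed, simplified colour-map model whose names (<code>ColorMap</code>, <code>colormap_init</code>, <code>gray_line_unchecked</code>, <code>gray_line_checked</code>, <code>MAX_LOOKUP_BYTES</code>, <code>demo</code>) and size cap are hypothetical. It reproduces the "bogus size leaves the table NULL" state on constructed input and contrasts the unchecked lookup pattern from the trace with a version that refuses an unbuilt table and bounds-checks every index before the dereference.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of an image colour map. Field names follow
 * the GDB trace in the report (nComps, byte_lookup) but this is NOT
 * poppler's GfxImageColorMap; it exists only to show the failure mode. */
typedef struct {
    int nComps;            /* components per input sample (1 = gray, 3 = RGB, ...) */
    int maxPixel;          /* largest input sample value (255 for 8 bpc) */
    size_t lookupLen;      /* number of entries in byte_lookup */
    uint8_t *byte_lookup;  /* (maxPixel+1) * nComps entries, or NULL if never built */
} ColorMap;

/* Hypothetical cap standing in for a "bogus memory allocation size" guard. */
#define MAX_LOOKUP_BYTES (64u * 1024u * 1024u)

/* Build an identity lookup table. On a bogus or overflowing size the table
 * stays NULL, which is the state the crashing getGrayLine() walked into. */
static int colormap_init(ColorMap *cm, int nComps, int maxPixel) {
    memset(cm, 0, sizeof *cm);
    cm->nComps = nComps;
    cm->maxPixel = maxPixel;
    if (nComps <= 0 || maxPixel < 0) return -1;
    size_t n = (size_t)(maxPixel + 1) * (size_t)nComps;
    if (n / (size_t)nComps != (size_t)(maxPixel + 1) || n > MAX_LOOKUP_BYTES)
        return -1;                          /* bogus size: byte_lookup stays NULL */
    cm->byte_lookup = malloc(n);
    if (!cm->byte_lookup) return -1;
    cm->lookupLen = n;
    for (size_t k = 0; k < n; k++)          /* entry (pixel*nComps + i) -> pixel */
        cm->byte_lookup[k] = (uint8_t)(k / (size_t)nComps);
    return 0;
}

/* Unchecked conversion modelled on the statement at GfxState.cc:5933 in the
 * report. With byte_lookup == NULL this is the SIGSEGV the reporter saw.
 * Kept only for comparison; never call it on a map whose init failed. */
static void gray_line_unchecked(const ColorMap *cm, uint8_t *in, uint8_t *out, int length) {
    uint8_t *inp = in;
    for (int j = 0; j < length; j++) {
        unsigned sum = 0;
        for (int i = 0; i < cm->nComps; i++) {
            *inp = cm->byte_lookup[*inp * cm->nComps + i];  /* NULL deref if table unbuilt */
            sum += *inp++;
        }
        out[j] = (uint8_t)(sum / (unsigned)cm->nComps);
    }
}

/* Hardened version: refuse to run without a table and bounds-check every
 * index before the dereference. Returns 0 on success, -1 if unusable. */
static int gray_line_checked(const ColorMap *cm, uint8_t *in, uint8_t *out, int length) {
    if (!cm || !cm->byte_lookup || cm->nComps <= 0 || length < 0) return -1;
    uint8_t *inp = in;
    for (int j = 0; j < length; j++) {
        unsigned sum = 0;
        for (int i = 0; i < cm->nComps; i++) {
            size_t idx = (size_t)*inp * (size_t)cm->nComps + (size_t)i;
            if (idx >= cm->lookupLen) return -1;        /* sample exceeds maxPixel */
            *inp = cm->byte_lookup[idx];
            sum += *inp++;
        }
        out[j] = (uint8_t)(sum / (unsigned)cm->nComps);
    }
    return 0;
}

/* Demo on constructed input: a valid RGB map converts two pixels identically
 * through both paths; a map with a bogus component count is rejected by the
 * checked path instead of dereferencing NULL. Returns 1 if all behaved as expected. */
static int demo(void) {
    ColorMap good, bad;
    uint8_t px1[6] = {255, 0, 0, 30, 60, 90};   /* constructed: two RGB pixels */
    uint8_t px2[6] = {255, 0, 0, 30, 60, 90};
    uint8_t g1[2] = {0, 0}, g2[2] = {0, 0};
    if (colormap_init(&good, 3, 255) != 0) return 0;
    if (gray_line_checked(&good, px1, g1, 2) != 0) return 0;
    gray_line_unchecked(&good, px2, g2, 2);      /* safe here: table was built */
    free(good.byte_lookup);
    if (g1[0] != 85 || g1[1] != 60 || memcmp(g1, g2, 2) != 0) return 0;
    /* crafted component count: the guard rejects it and byte_lookup stays NULL */
    int rc_init = colormap_init(&bad, 1 << 20, 255);
    int rc_run = gray_line_checked(&bad, px1, g1, 2);   /* -1, no crash */
    return rc_init == -1 && rc_run == -1;
}

int main(void) {
    int ok = demo();
    printf("%s\n", ok ? "ok: unbuilt lookup table rejected before dereference" : "unexpected result");
    return ok ? 0 : 1;
}
```

The check that matters is the one the trace lacks: a NULL (or undersized) <code>byte_lookup</code> must be refused before the per-sample loop, since by the time the loop runs the "bogus allocation size" error has already been reported and the table silently skipped. Running the unchecked path on the rejected map would reproduce the SIGSEGV.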
</body>
</html>