<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - NULL pointer dereference in FoFiTrueType::getCFFBlock in poppler 0.59.0 FoFiTrueType.cc"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103045">103045</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>NULL pointer dereference in FoFiTrueType::getCFFBlock in poppler 0.59.0 FoFiTrueType.cc
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>utils
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>luanjunchao@163.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134574" name="attach_134574" title="poc of null pointer dereference">attachment 134574</a> <a href="attachment.cgi?id=134574&action=edit" title="poc of null pointer dereference">[details]</a></span>
poc of null pointer dereference
When I run "pdftops -level3 -origpagesizes -form -opi -binary -expand -duplex
null3.pdf 1.ps", it crashes. Here is the output:
=================================================================
==83993==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000549543 bp 0xffffffffffffffec sp 0x7ffe4aee3280 T0)
#0 0x549542 in FoFiTrueType::getCFFBlock(char**, int*)
/work/poppler_address/fofi/FoFiTrueType.cc:458
#1 0x549b22 in FoFiTrueType::convertToType1(char*, char const**, bool, void
(*)(void*, char const*, int), void*)
/work/poppler_address/fofi/FoFiTrueType.cc:571
#2 0x4a2515 in PSOutputDev::setupEmbeddedOpenTypeT1CFont(GfxFont*, Ref*,
GooString*) /work/poppler_address/poppler/PSOutputDev.cc:2451
#3 0x4c253f in PSOutputDev::setupFont(GfxFont*, Dict*)
/work/poppler_address/poppler/PSOutputDev.cc:1938
#4 0x4c2e4a in PSOutputDev::setupFonts(Dict*)
/work/poppler_address/poppler/PSOutputDev.cc:1879
#5 0x4bf31b in PSOutputDev::setupResources(Dict*)
/work/poppler_address/poppler/PSOutputDev.cc:1792
#6 0x4c0475 in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*,
std::vector<int, std::allocator<int> > const&, bool)
/work/poppler_address/poppler/PSOutputDev.cc:1703
#7 0x4c43f8 in PSOutputDev::postInit()
/work/poppler_address/poppler/PSOutputDev.cc:1449
#8 0x4c7fa2 in PSOutputDev::checkPageSlice(Page*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*) /work/poppler_address/poppler/PSOutputDev.cc:3244
#9 0x65e5dc in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) /work/poppler_address/poppler/Page.cc:539
#10 0x65e897 in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/work/poppler_address/poppler/Page.cc:483
#11 0x4519ac in main /work/poppler_address/utils/pdftops.cc:423
#12 0x7fb603a0582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x452c68 in _start (/work/poppler_address/build/utils/pdftops+0x452c68)
AddressSanitizer can not provide additional info.
We can see there is a null pointer dereference vulnerability in function
FoFiTrueType::getCFFBlock. Here is the snippet:

GBool FoFiTrueType::getCFFBlock(char **start, int *length) {
  int i;

  if (!openTypeCFF) {
    return gFalse;
  }
  i = seekTable("CFF ");
  // neither the tables pointer nor the index i is validated before use here
  if (!checkRegion(tables[i].offset, tables[i].len)) {
    return gFalse;
  }
  *start = (char *)file + tables[i].offset;
  *length = tables[i].len;
  return gTrue;
}

The problem is the variable tables.
The PoC PDF is attached.</pre>
</div>
</p>
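<p>Added example (not poppler's own code and not part of the report above): a simplified C++ model of the TrueType table-directory lookup, with a hardened form of getCFFBlock that checks the table pointer and the seekTable result before indexing. TrueTypeTable, FontModel, kTables and lookupCFF are stand-ins assumed for this example.</p>

```cpp
#include <cstdint>
// Simplified stand-ins for poppler's TrueTypeTable and FoFiTrueType (assumed
// shapes for this example, not the project's own definitions).
struct TrueTypeTable { uint32_t tag; int offset; int len; };

struct FontModel {
    const TrueTypeTable *tables = nullptr; // nullptr: table directory was never parsed
    int nTables = 0;
    int fileLen = 0;
    bool openTypeCFF = false;

    // Index of the table with this 4-byte tag, or -1 when absent (assumed
    // convention; the reported getCFFBlock indexes tables[i] without checking i).
    int seekTable(const char *tag) const {
        uint32_t t = 0;
        for (int k = 0; k < 4; ++k) t = (t << 8) | (uint8_t)tag[k];
        for (int i = 0; i < nTables; ++i)
            if (tables[i].tag == t) return i;
        return -1;
    }

    // True only if [pos, pos + size) lies inside the font file.
    bool checkRegion(int pos, int size) const {
        return pos >= 0 && size >= 0 && pos <= fileLen - size;
    }

    // Hardened form of the reported function: the directory pointer is checked
    // and the seekTable result is validated before it is used as an index.
    bool getCFFBlockSafe(int *start, int *length) const {
        if (!openTypeCFF || !tables) return false;
        int i = seekTable("CFF ");
        if (i < 0 || !checkRegion(tables[i].offset, tables[i].len)) return false;
        *start = tables[i].offset;
        *length = tables[i].len;
        return true;
    }
};

// Constructed sample directory: a 'head' entry and a 'CFF ' entry at offset 64.
static const TrueTypeTable kTables[] = { { 0x68656164u, 0, 54 }, { 0x43464620u, 64, 100 } };

// Runs the hardened lookup on a font flagged as OpenType CFF. tables == nullptr
// models the shape of the reported crash (flag set, directory missing); a small
// fileLen models a truncated file whose CFF entry points past the end.
bool lookupCFF(const TrueTypeTable *tables, int nTables, int fileLen, int *start, int *len) {
    FontModel f;
    f.openTypeCFF = true; f.tables = tables; f.nTables = nTables; f.fileLen = fileLen;
    return f.getCFFBlockSafe(start, len);
}
```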
</body>
</html>