<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Out of bounds memory read when loading zero-bytes PDF" href="https://bugs.freedesktop.org/show_bug.cgi?id=103552">103552</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Out of bounds memory read when loading zero-bytes PDF
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>simon-freedesktop@exyr.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Steps to reproduce:

* Call poppler_document_new_from_data with data = (char*) 0x1 and len = 0

(0x1 is the dummy pointer that Rust uses when not allocating heap memory in a
zero-size vector of bytes Vec<u8>.)

Expected result: 

* A null pointer is returned and an error is set

Actual result:

* Segfault because this method of MemStream:

  int getChar() override
    { return (bufPtr < bufEnd) ? (*bufPtr++ & 0xff) : EOF; }

… dereferences a null pointer. It was entered with bufEnd == 0x1 (as expected)
and bufPtr == 0x0 (incorrect, should be 0x1).


It looks like this MemStream comes from str->makeSubStream() being called with
an incorrect start position of -1 in XRef::readXRef(). This value came from
getStartXRef() which apparently uses it to signal that "startxref" wasn’t
found. But the caller PDFDoc::setup() doesn’t check for that error and uses the
value as a position for the XRef constructor.</pre>
        </div>
      </p>
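      <p>As an added illustration, not poppler's code and not from the reporter: a hypothetical stand-in for the MemStream / getStartXRef() / PDFDoc::setup() chain described above, showing how the -1 "not found" sentinel turns into a null bufPtr and where the missing check belongs. The names ByteWindow, makeSubWindow, findStartXRef, firstXRefChar and the sample input are assumptions.</p>

```cpp
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for poppler's MemStream: a byte window [bufPtr, bufEnd).
struct ByteWindow {
    const char *bufPtr;
    const char *bufEnd;
    int getChar() { return (bufPtr < bufEnd) ? (*bufPtr++ & 0xff) : EOF; }
};

// Stand-in for str->makeSubStream(): with base == (char*)0x1, len == 0 and
// start == -1 an unchecked version yields bufPtr == 0x0 and bufEnd == 0x1, so
// getChar()'s bounds test passes and it dereferences a null pointer.
// This version refuses to build such a window.
bool makeSubWindow(const char *base, size_t len, long start, ByteWindow *out) {
    if (start < 0 || (size_t)start > len) return false;  // rejects the -1 sentinel
    out->bufPtr = base + start;
    out->bufEnd = base + len;
    return true;
}

// Stand-in for getStartXRef(): returns -1 to signal "startxref" was not found.
// Never touches the buffer when it is shorter than the keyword.
long findStartXRef(const char *data, size_t len) {
    const char needle[] = "startxref";
    const size_t n = sizeof(needle) - 1;
    if (len < n) return -1;
    for (size_t i = len - n + 1; i-- > 0;)  // scan backwards; the trailer sits at the end
        if (memcmp(data + i, needle, n) == 0) return (long)i;
    return -1;
}

// Checked stand-in for PDFDoc::setup(): -1 is an error, not an offset.
// Returns -2 on error, otherwise the first byte read through the window.
int firstXRefChar(const char *data, size_t len) {
    long start = findStartXRef(data, len);
    if (start < 0) return -2;  // the check the report says setup() is missing
    ByteWindow w;
    if (!makeSubWindow(data, len, start, &w)) return -2;
    return w.getChar();
}

// Constructed sample input (not a real PDF): just enough trailer to find "startxref".
static const char kSampleDoc[] = "%PDF-1.4\ntrailer\n<< /Size 1 >>\nstartxref\n9\n%%EOF\n";

int main() {
    // Rust passes (char*)0x1 with len 0 for an empty Vec<u8>, as in the report.
    printf("empty: %d\n", firstXRefChar((const char *)0x1, 0));                // -2
    printf("sample: %c\n", firstXRefChar(kSampleDoc, sizeof(kSampleDoc) - 1));  // s
    return 0;
}
```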


    </body>
</html>