Bug 27366 - NULL pointer dereference in CairoOutputDev::restoreState()
Summary: NULL pointer dereference in CairoOutputDev::restoreState()
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
 
Reported: 2010-03-29 14:07 UTC by Kees Cook
Modified: 2010-03-29 14:26 UTC
Description Kees Cook 2010-03-29 14:07:52 UTC
Forwarded from Dan Rosenberg, in https://launchpad.net/bugs/538772

When processing a malformed PDF, libpoppler segfaults by dereferencing an uninitialized pointer, in the function CairoOutputDev::restoreState(), in poppler-0.12.0/poppler/CairoOutputDev.cc. The attached reproducer (please keep private) crashes Evince (v2.28.1), using libpoppler, on my Karmic machine by causing restoreState() to be called when maskStack is uninitialized, leading to an invalid dereference at:

  mask = ms->mask;

Given that there is a call to:

  delete ms;

a few lines down without checking that ms has been initialized, this may be a potential security issue. In the worst case, this may lead to memory corruption leading to code execution by tricking a user into opening a malformed PDF, but I am not familiar enough with the code to actually show that this is possible. In fact, I'm not even sure this is a security issue at all, but I figured it was better to be safe than sorry.
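The pattern described above, as an added, simplified model that is not poppler's CairoOutputDev code: saved mask state lives on a singly linked stack, and a restore pops the top node, copies its mask back and deletes the node. The unchecked form dereferences and deletes a null pointer when a malformed content stream issues more restores than saves; the checked form refuses the unbalanced restore instead. All names (MaskState, ModelOutputDev, StreamOp, replayStream) and the 'q'/'Q'/'m' operation list are constructed for this illustration.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical model of a saved-state stack node (not poppler's own type).
struct MaskState {
    int mask;          // stands in for the cairo mask pattern
    MaskState *next;   // previously saved state, or nullptr at the bottom
};

class ModelOutputDev {
public:
    ModelOutputDev() : maskStack(nullptr), mask(0), refused(0) {}
    ~ModelOutputDev() { while (maskStack) restoreStateSafe(); }

    void setMask(int m) { mask = m; }
    int currentMask() const { return mask; }
    int refusedRestores() const { return refused; }

    void saveState() {
        MaskState *ms = new MaskState;
        ms->mask = mask;
        ms->next = maskStack;
        maskStack = ms;
    }

    // Unchecked restore, the shape the report describes as crashing: with an
    // empty stack "ms" is null, so both the read and the delete are invalid.
    // Kept only to show the defect; nothing below calls it on an empty stack.
    void restoreStateUnchecked() {
        MaskState *ms = maskStack;
        mask = ms->mask;
        maskStack = ms->next;
        delete ms;
    }

    // Checked restore: an unbalanced restore is refused and counted rather
    // than dereferencing a null node.
    bool restoreStateSafe() {
        MaskState *ms = maskStack;
        if (ms == nullptr) {
            ++refused;
            return false;
        }
        mask = ms->mask;
        maskStack = ms->next;
        delete ms;
        return true;
    }

private:
    MaskState *maskStack;
    int mask;
    int refused;
};

// Constructed operation list: 'q' saves, 'Q' restores, 'm' sets a mask value.
struct StreamOp { char op; int arg; };

// Replays the operations through the checked restore. Returns the number of
// refused restores; the final mask value is written through finalMask.
int replayStream(const std::vector<StreamOp> &ops, int *finalMask) {
    ModelOutputDev dev;
    for (const StreamOp &o : ops) {
        if (o.op == 'q') dev.saveState();
        else if (o.op == 'Q') dev.restoreStateSafe();
        else if (o.op == 'm') dev.setMask(o.arg);
    }
    if (finalMask) *finalMask = dev.currentMask();
    return dev.refusedRestores();
}

// Well-formed stream: one save per restore. Expect 0 refusals, mask 1.
int balancedRefusals(int *finalMask) {
    std::vector<StreamOp> ops = {{'m', 1}, {'q', 0}, {'m', 7}, {'Q', 0}};
    return replayStream(ops, finalMask);
}

// Malformed stream: two restores before any save. Expect 2 refusals, mask 3.
int malformedRefusals(int *finalMask) {
    std::vector<StreamOp> ops = {{'m', 3}, {'Q', 0}, {'Q', 0},
                                 {'q', 0}, {'m', 9}, {'Q', 0}};
    return replayStream(ops, finalMask);
}
```

The refusal counter is the detection hook: a renderer that logs or surfaces it makes unbalanced save/restore sequences in untrusted input visible instead of crashing on them.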
Comment 1 Albert Astals Cid 2010-03-29 14:26:59 UTC
You might want to update: the 0.12 series has had 4 stable releases after 0.12.0, and we already fixed that bug.