Summary: Null pointer dereference in function getRow at CairoOutputDev.cc:3160
Product: poppler
Reporter: foca <foca>
Component: cairo backend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED
Severity: normal
Priority: medium
Version: unspecified
Hardware: All
OS: All
Attachments: Proof of concept
Created attachment 131963 [details] Proof of concept

Hi,

There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130 the variable pix can get a NULL value returned by imgStr->getLine():

    3122 void getRow(int row_num, uint32_t *row_data) override {
    3123   int i;
    3124   Guchar *pix;
    3125
    3126   if (row_num <= current_row)
    3127     return;
    3128
    3129   while (current_row < row_num) {
    3130     pix = imgStr->getLine();
    3131     current_row++;
    3132   }
    3133
    3134   if (unlikely(pix == NULL)) {
    3135     memset(row_data, 0, width*4);
    3136     if (!imageError) {
    3137       error(errInternal, -1, "Bad image stream");
    3138       imageError = gTrue;
    3139     }

This scenario (pix == NULL) is checked later at line 3134. But the execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer:

    3156   if (maskColors) {
    3157     for (int x = 0; x < width; x++) {
    3158       bool is_opaque = false;
    3159       for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
    3160         if (pix[i] < maskColors[2*i] ||
    3161             pix[i] > maskColors[2*i+1]) {
    3162           is_opaque = true;
    3163           break;
    3164         }
    3165       }

A solution could be exiting the function after the error is detected at 3138. PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
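The following is an added example illustrating the fix the report proposes (return as soon as the NULL row is detected); it is not poppler's code. FakeImageStream and RowReader are hypothetical stand-ins for poppler's ImageStream and the getRow() method, poppler's error() is replaced by fprintf, and the pixel-to-word conversion after the mask check is a constructed placeholder. The sample image (2 pixels wide, 1 component per pixel, one row of data where two are requested) is constructed to trigger the truncated-stream path.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for poppler's ImageStream: yields one row per
// getLine() call and NULL once the image data is exhausted (a truncated or
// malformed stream), which is the condition the report describes.
struct FakeImageStream {
    std::vector<std::vector<unsigned char>> rows;
    size_t next = 0;
    unsigned char *getLine() {
        if (next >= rows.size()) return NULL;
        return rows[next++].data();
    }
};

// Hypothetical row reader shaped like the getRow() in the report.
struct RowReader {
    FakeImageStream *imgStr;
    int width;
    int numPixelComps;
    int *maskColors;      // 2*numPixelComps entries: [min0, max0, min1, max1, ...]
    int current_row;
    bool imageError;

    RowReader(FakeImageStream *s, int w, int comps, int *mask)
        : imgStr(s), width(w), numPixelComps(comps), maskColors(mask),
          current_row(-1), imageError(false) {}

    // Hardened variant: once the NULL row has been zero-filled and reported,
    // the function returns instead of continuing to the mask loop.
    // Returns false when the requested row could not be read.
    bool getRow(int row_num, uint32_t *row_data) {
        unsigned char *pix = NULL;

        if (row_num <= current_row)
            return true;

        while (current_row < row_num) {
            pix = imgStr->getLine();
            current_row++;
        }

        if (pix == NULL) {
            memset(row_data, 0, width * 4);
            if (!imageError) {
                fprintf(stderr, "Bad image stream\n");
                imageError = true;
            }
            return false;   // the early exit the report proposes
        }

        // Below this point pix is guaranteed non-NULL; the loop mirrors the
        // mask check at line 3160 of the report.
        for (int x = 0; x < width; x++) {
            bool is_opaque = false;
            if (maskColors) {
                for (int i = 0; i < numPixelComps; ++i) {
                    if (pix[i] < maskColors[2 * i] || pix[i] > maskColors[2 * i + 1]) {
                        is_opaque = true;
                        break;
                    }
                }
            } else {
                is_opaque = true;
            }
            // Placeholder conversion: component 0 as a gray value with an
            // opaque alpha byte; masked pixels become fully transparent.
            uint32_t gray = pix[0];
            row_data[x] = is_opaque ? (0xff000000u | gray) : 0u;
            pix += numPixelComps;
        }
        return true;
    }
};

// Constructed sample: mask range [0,0], so a pixel value of 0 is masked out.
static int demoMask[2] = {0, 0};

// Reads one valid row and then one row the stream cannot supply.  Returns
// true when the valid row decodes as expected and the missing row is reported
// (false return, imageError set, output zero-filled) without touching pix.
bool truncatedRowIsHandled() {
    FakeImageStream s;
    s.rows.push_back(std::vector<unsigned char>{0, 200});
    RowReader r(&s, 2, 1, demoMask);

    uint32_t out[2] = {0xdeadbeefu, 0xdeadbeefu};
    bool first = r.getRow(0, out);
    bool firstOk = first && out[0] == 0u && out[1] == (0xff000000u | 200u);

    bool second = r.getRow(1, out);   // getLine() now returns NULL
    bool secondOk = !second && r.imageError && out[0] == 0u && out[1] == 0u;

    return firstOk && secondOk;
}

int main() {
    printf("truncated row handled safely: %s\n", truncatedRowIsHandled() ? "yes" : "no");
    return 0;
}
```

Without the `return false` after the error report, the same input would reach the mask loop with pix == NULL, which is the crash the attached PoC triggers; with it, the caller gets a zeroed row and a clear failure signal.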