Bug 101431

Summary: Null pointer dereference in function getRow at CairoOutputDev.cc:3160
Product: poppler Reporter: foca <foca>
Component: cairo backend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED
Severity: normal
Priority: medium
Version: unspecified
Hardware: All
OS: All
Attachments: Proof of concept

Description foca@salesforce.com 2017-06-14 22:46:34 UTC
Created attachment 131963 [details]
Proof of concept

Hi, 

There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130 the variable pix can receive a NULL value returned by imgStr->getLine():

3122   void getRow(int row_num, uint32_t *row_data) override {
3123     int i;
3124     Guchar *pix;
3125 
3126     if (row_num <= current_row)
3127       return;
3128 
3129     while (current_row  < row_num) {
3130       pix = imgStr->getLine();
3131       current_row++;
3132     }
3133 
3134     if (unlikely(pix == NULL)) {
3135       memset(row_data, 0, width*4);
3136       if (!imageError) {
3137         error(errInternal, -1, "Bad image stream");
3138         imageError = gTrue;
3139       }


This scenario (pix == NULL) is checked later at line 3134, but execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer.

3156     if (maskColors) {
3157       for (int x = 0; x < width; x++) {
3158         bool is_opaque = false;
3159         for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
3160           if (pix[i] < maskColors[2*i] ||
3161               pix[i] > maskColors[2*i+1]) {
3162             is_opaque = true;
3163             break;
3164           }
3165         }

A solution could be exiting the function after the error is detected at 3138.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
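The pattern above with the reporter's suggested fix applied, as an added example that is not poppler's own code: FakeImageStream is a constructed stand-in for ImageStream whose getLine() returns NULL once the data runs out, and the 3-component RGB layout and mask encoding are assumptions.

```cpp
// Added example, not poppler's own code: a minimal model of the getRow()
// pattern from this report, with the fix the reporter suggests (return right
// after the NULL line is detected). FakeImageStream is a constructed stand-in
// for poppler's ImageStream; its getLine() returns NULL once the data runs out.
#include <cstdint>
#include <cstring>
#include <vector>

constexpr int kComps = 3;                         // assumed RGB, 3 components per pixel

struct FakeImageStream {
    int linesLeft;                                // constructed: lines still available
    std::vector<uint8_t> line;                    // one row of width*kComps samples
    uint8_t *getLine() { return linesLeft-- > 0 ? line.data() : nullptr; }
};

struct RowReader {
    FakeImageStream *imgStr;
    int width;
    const int *maskColors;                        // 2 entries (min,max) per component
    int current_row = -1;
    bool imageError = false;

    void getRow(int row_num, uint32_t *row_data) {
        uint8_t *pix = nullptr;
        if (row_num <= current_row) return;
        while (current_row < row_num) { pix = imgStr->getLine(); current_row++; }
        if (pix == nullptr) {                     // bad image stream
            memset(row_data, 0, width * 4);
            imageError = true;
            return;                               // the fix: do not fall through to pix[i]
        }
        for (int x = 0; x < width; x++) {         // reached only with a valid line
            const uint8_t *p = pix + x * kComps;
            bool is_opaque = false;
            for (int i = 0; maskColors && i < kComps; ++i)
                if (p[i] < maskColors[2*i] || p[i] > maskColors[2*i+1]) { is_opaque = true; break; }
            row_data[x] = (is_opaque ? 0xFF000000u : 0u) | (p[0] << 16) | (p[1] << 8) | p[2];
        }
    }
};

// Drives getRow() past the end of a one-line stream: true when the error is
// flagged and the row was zero-filled instead of read through a NULL pix.
bool truncatedStreamIsHandled() {
    FakeImageStream s{1, std::vector<uint8_t>(2 * kComps, 0xAB)};   // 2 pixels, 1 line
    const int mask[2 * kComps] = {0, 255, 0, 255, 0, 255};
    RowReader r{&s, 2, mask};
    uint32_t row[2] = {0xFFFFFFFFu, 0xFFFFFFFFu};
    r.getRow(0, row);                             // first row decodes normally
    if (r.imageError || row[0] != 0x00ABABABu) return false;
    r.getRow(2, row);                             // stream is exhausted: getLine() returns NULL
    return r.imageError && row[0] == 0 && row[1] == 0;
}
```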
Comment 1 GitLab Migration User 2018-08-20 21:45:33 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/59.
