Bug 101523

Summary: NULL pointer dereference in GooString.cc:867
Product: poppler Reporter: foca <foca>
Component: generalAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
i915 platform: i915 features:
Attachments: Proof of concept

Description foca@salesforce.com 2017-06-20 16:53:38 UTC
Created attachment 132093 [details]
Proof of concept

There is a NULL dereference parsing the attached PoC.pdf.

The NULL dereference happens in GooString.cc:867
863	int GooString::cmp(const char *sA) const {
864	  int n1, i, x;
865	  const char *p1, *p2;
867	  n1 = length;

"this" is NULL so this->n1 at 867 generates the SIGSEGV. The reason this is null is because the previous function GfxCIDFont::getCodeToGIDMap in GfxFont.cc:2375 calls a method of a NULL object:

2373	  *mapsizep = 0;
2374	  if (!ctu) return NULL;
2375	  if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
2376	  if (getEmbeddedFontID(&embID)) {

Parsing the PoC.pdf getCollection() returns NULL but the method cmp is called.

The solution should be check for the return value before call cmp:
2375	  if (getCollection() == NULL || getCollection()->cmp("Adobe-Identity") == 0) return NULL;

PoC attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.