| Summary: | NULL pointer dereference in GooString.cc:867 | ||
|---|---|---|---|
| Product: | poppler | Reporter: | foca <foca> |
| Component: | general | Assignee: | poppler-bugs <poppler-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | Proof of concept | ||
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 132093 [details] Proof of concept There is a NULL dereference parsing the attached PoC.pdf. The NULL dereference happens in GooString.cc:867 863 int GooString::cmp(const char *sA) const { 864 int n1, i, x; 865 const char *p1, *p2; 866 867 n1 = length; "this" is NULL so this->n1 at 867 generates the SIGSEGV. The reason this is null is because the previous function GfxCIDFont::getCodeToGIDMap in GfxFont.cc:2375 calls a method of a NULL object: 2373 *mapsizep = 0; 2374 if (!ctu) return NULL; 2375 if (getCollection()->cmp("Adobe-Identity") == 0) return NULL; 2376 if (getEmbeddedFontID(&embID)) { Parsing the PoC.pdf getCollection() returns NULL but the method cmp is called. The solution should be check for the return value before call cmp: 2375 if (getCollection() == NULL || getCollection()->cmp("Adobe-Identity") == 0) return NULL; PoC attached. To reproduce the bug use: pdftocairo -svg PoC.pdf This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)