Bug 101524

Summary: NULL pointer dereference at JBIG2Stream.cc:1316
Product: poppler
Reporter: foca <foca>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: Proof of concept

Description foca@salesforce.com 2017-06-20 17:02:01 UTC
Created attachment 132094 [details]
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:1316:

1311	    n = (int)(dataEnd - dataPtr);
1312	  } else {
1313	    n = nChars;
1314	  }
1315	  for (i = 0; i < n; ++i) {
1316	    buffer[i] = *dataPtr++ ^ 0xff;  //NULL dereference
1317	  }
1318	  return n;
1319	}

dataPtr is NULL. dataPtr is set at:

1235 void JBIG2Stream::reset() {
....
1258   if (pageBitmap) {
1259     dataPtr = pageBitmap->getDataPtr();
1260     dataEnd = dataPtr + pageBitmap->getDataSize();
1261   } else {

But in some scenarios pageBitmap->getDataPtr() returns NULL, and there is no check to deal with that case.

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability was found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
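The pattern in the report, as an added example that is not poppler's code and not part of the original report: a page bitmap whose getDataPtr() is NULL while getDataSize() is still non-zero, a reset() that checks for that case before computing dataEnd, and the same inverting copy loop as the quoted getChars(). The Bitmap model, its kMaxBytes allocation limit, and the names PageStream, wouldDereferenceNull and readInverted are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the page bitmap. It records the requested size even when the
// backing storage could not be allocated, so getDataPtr() can be NULL while
// getDataSize() is non-zero. This is an assumption made for the example;
// poppler's JBIG2Bitmap is not reproduced here.
struct Bitmap {
    std::vector<uint8_t> storage;
    size_t requestedSize;
    bool allocated;

    Bitmap(size_t w, size_t h) : requestedSize(0), allocated(false) {
        const size_t kMaxBytes = 1u << 20;  // example allocation limit, not poppler's
        if (w != 0 && h > SIZE_MAX / w) {
            requestedSize = SIZE_MAX;       // w*h would overflow: refuse to allocate
            return;
        }
        requestedSize = w * h;
        if (requestedSize > kMaxBytes) return;  // too big: data stays NULL
        storage.resize(requestedSize);
        for (size_t i = 0; i < requestedSize; ++i) storage[i] = (uint8_t)i;  // constructed sample data
        allocated = true;
    }
    uint8_t *getDataPtr() { return allocated ? storage.data() : nullptr; }
    size_t getDataSize() const { return requestedSize; }
};

// True when the unchecked reset() shape from the report would leave dataPtr
// NULL but dataEnd = NULL + size, so the copy loop runs and dereferences NULL.
bool wouldDereferenceNull(Bitmap *page) {
    return page != nullptr && page->getDataPtr() == nullptr && page->getDataSize() > 0;
}

class PageStream {
public:
    explicit PageStream(Bitmap *page) : pageBitmap(page), dataPtr(nullptr), dataEnd(nullptr) {}

    // Hardened reset: a bitmap without backing storage becomes an empty stream
    // (dataPtr == dataEnd == NULL), so getChars() returns 0 instead of walking
    // from address 0.
    void reset() {
        uint8_t *p = pageBitmap ? pageBitmap->getDataPtr() : nullptr;
        if (p == nullptr) {
            dataPtr = dataEnd = nullptr;
            return;
        }
        dataPtr = p;
        dataEnd = p + pageBitmap->getDataSize();
    }

    // Same loop as the getChars() quoted in the report: page data is inverted
    // on the way out.
    int getChars(int nChars, uint8_t *buffer) {
        int n;
        if (nChars > dataEnd - dataPtr) {
            n = (int)(dataEnd - dataPtr);
        } else {
            n = nChars;
        }
        for (int i = 0; i < n; ++i) {
            buffer[i] = *dataPtr++ ^ 0xff;
        }
        return n;
    }

private:
    Bitmap *pageBitmap;
    uint8_t *dataPtr;
    uint8_t *dataEnd;
};

// Reset the stream over a bitmap and read up to n inverted bytes into out.
int readInverted(Bitmap *page, uint8_t *out, int n) {
    PageStream s(page);
    s.reset();
    return s.getChars(n, out);
}

int main() {
    uint8_t out[8];
    Bitmap small(4, 2);              // 8 bytes, allocated
    Bitmap huge(1u << 12, 1u << 12); // 16 MiB requested, allocation refused
    printf("small: %d bytes read, first=0x%02x\n", readInverted(&small, out, 8), out[0]);
    printf("huge: unchecked reset would dereference NULL=%d, checked read=%d bytes\n",
           wouldDereferenceNull(&huge), readInverted(&huge, out, 8));
    return 0;
}
```

The check belongs in reset(): once dataEnd has been computed from a NULL dataPtr, getChars() has no way to tell an empty stream from a bogus one, because dataEnd - dataPtr is simply the bitmap size.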
