Bug 103045

Summary: NULL pointer dereference in FoFiTrueType::getCFFBlock in poppler 0.59.0 FoFiTrueType.cc
Product: poppler Reporter: junchao luan <luanjunchao>
Component: utilsAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
i915 platform: i915 features:
Attachments: poc of null pointer dereference

Description junchao luan 2017-09-30 07:16:45 UTC
Created attachment 134574 [details]
poc of null pointer dereference

When I run "pdftops -level3 -origpagesizes -form -opi -binary -expand -duplex null3.pdf 1.ps", it crashes. Here is the output:

==83993==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000549543 bp 0xffffffffffffffec sp 0x7ffe4aee3280 T0)
    #0 0x549542 in FoFiTrueType::getCFFBlock(char**, int*) /work/poppler_address/fofi/FoFiTrueType.cc:458
    #1 0x549b22 in FoFiTrueType::convertToType1(char*, char const**, bool, void (*)(void*, char const*, int), void*) /work/poppler_address/fofi/FoFiTrueType.cc:571
    #2 0x4a2515 in PSOutputDev::setupEmbeddedOpenTypeT1CFont(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler/PSOutputDev.cc:2451
    #3 0x4c253f in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler/PSOutputDev.cc:1938
    #4 0x4c2e4a in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler/PSOutputDev.cc:1879
    #5 0x4bf31b in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler/PSOutputDev.cc:1792
    #6 0x4c0475 in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler/PSOutputDev.cc:1703
    #7 0x4c43f8 in PSOutputDev::postInit() /work/poppler_address/poppler/PSOutputDev.cc:1449
    #8 0x4c7fa2 in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler/PSOutputDev.cc:3244
    #9 0x65e5dc in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler/Page.cc:539
    #10 0x65e897 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler/Page.cc:483
    #11 0x4519ac in main /work/poppler_address/utils/pdftops.cc:423
    #12 0x7fb603a0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x452c68 in _start (/work/poppler_address/build/utils/pdftops+0x452c68)

AddressSanitizer can not provide additional info.

We can see there is null pointer dereference vulnerability in function FoFiTrueType::getCFFBlock. Here is the snippet:

GBool FoFiTrueType::getCFFBlock(char **start, int *length) {
  int i;

  if (!openTypeCFF) {
    return gFalse;
  i = seekTable("CFF ");
  if (!checkRegion(tables[i].offset, tables[i].len)) {
    return gFalse;
  *start = (char *)file + tables[i].offset;
  *length = tables[i].len;
  return gTrue;

the problem is the variable tables.
The poc of pdf is attached.
Comment 1 Albert Astals Cid 2017-09-30 09:14:03 UTC
Fixed, thanks

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.