Bug 106408 (CVE-2018-10768)

Summary: NULL pointer dereference in AnnotPath::getCoordsLength of poppler 0.24.5
Product: poppler Reporter: chenyuan <bugzilla.freedesktop>
Component: pdftohtmlAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86 (IA32)   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: poc

Description chenyuan 2018-05-05 09:51:40 UTC
Created attachment 139367 [details]
poc

There is a null pointer dereference in libpoppler 0.24.5 on ubuntu 14.04.5. 

How to reproduce?

On Ubuntu 14.04.5 32bit:
$ apt-get source libpoppler44:i386
$ apt-get install autoconf
$ cd poppler-0.24.5
$ ./configure --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
$ make
$ gdb utils/pdftohtml
(gdb) set args ./POC_poppler.pdf

Starting program: poppler-0.24.5/utils/pdftohtml POC_poppler.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path

Program received signal SIGSEGV, Segmentation fault.
0x080c76c2 in AnnotPath::getCoordsLength (this=0x0) at Annot.h:109
109	  int getCoordsLength() const { return coordsLength; }
(gdb) bt
#0  0x080c76c2 in AnnotPath::getCoordsLength (this=0x0) at Annot.h:109
#1  0x080c02f3 in AnnotInk::draw (this=0xb611a3e0, gfx=0xb3503e40, 
    printing=false) at Annot.cc:6059
#2  0x0819c3a1 in Page::displaySlice (this=0xb2f03370, out=0xb3b03060, 
    hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, sliceX=-1, 
    sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:605
#3  0x0819b7ea in Page::display (this=0xb2f03370, out=0xb3b03060, hDPI=108, 
    vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, 
    abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:506
#4  0x081a2a85 in PDFDoc::displayPage (this=0xb3f01fa0, out=0xb3b03060, 
    page=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
    at PDFDoc.cc:464
#5  0x081a2b3d in PDFDoc::displayPages (this=0xb3f01fa0, out=0xb3b03060, 
    firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, 
    crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:480
#6  0x0804cce7 in main (argc=2, argv=0xbffff0d4) at pdftohtml.cc:387
Comment 1 chenyuan 2018-05-05 09:53:35 UTC
This issue was already fixed in higher version like 0.41 (ubuntu16.04)
Comment 2 carnil 2018-05-09 19:31:25 UTC
This issue was AFAICS already fixed in poppler-0.37 with https://cgit.freedesktop.org/poppler/poppler/commit/?id=942adfc25e7a00ac3cf032ced2d8949e99099f70

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.