Bug 28806

Summary: poppler: missing readGenericBitmap return value check leads to NULL deref in JBIG2Bitmap::getSlice
Product: poppler
Reporter: Tomas Hoger <thoger>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Attachments: Reproducer

Description Tomas Hoger 2010-06-29 00:05:02 UTC
This is based on:
  https://bugs.launchpad.net/bugs/599454

JBIG2Stream::readPatternDictSeg calls readGenericBitmap() without checking its return value:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n2455

readGenericBitmap() can return NULL:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n2767

This leads to a call to JBIG2Bitmap::getSlice with this == NULL:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n2465

leading to NULL deref crash.
Comment 1 Tomas Hoger 2010-06-29 00:06:07 UTC
Created attachment 36590
Reproducer

Local copy of reproducer from:
   https://bugs.launchpad.net/bugs/599454
Comment 2 Albert Astals Cid 2010-06-29 13:47:02 UTC
Thanks for the report, added a null check in there.
Comment 3 Tomas Hoger 2010-06-29 23:23:41 UTC
Thank you!

Commit link for future reference:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=16e15ac845
Comment 4 Tomas Hoger 2010-09-16 06:21:55 UTC
I believe this can be closed now.
Comment 5 Albert Astals Cid 2010-09-16 06:28:20 UTC
Whoops, forgot to do it when I did the commit.
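
The missing return-value check described in this report, modelled as an added C++ example (not poppler's code and not part of the original thread). `Bitmap`, `decodeBitmap` and `readPatternDict` are hypothetical stand-ins for the JBIG2 classes and functions named above, and the side-by-side pattern layout is an assumption of the model.

```cpp
// Added illustration: simplified model, all names hypothetical (not poppler's API).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

struct Bitmap {
    std::size_t w, h;
    std::vector<uint8_t> px;  // one byte per pixel, row-major
    // Copy a w2 x h2 window at (x, y); pixels outside the source read as 0.
    Bitmap slice(std::size_t x, std::size_t y, std::size_t w2, std::size_t h2) const {
        Bitmap out{w2, h2, std::vector<uint8_t>(w2 * h2, 0)};
        for (std::size_t r = 0; r < h2 && y + r < h; ++r)
            for (std::size_t c = 0; c < w2 && x + c < w; ++c)
                out.px[r * w2 + c] = px[(y + r) * w + (x + c)];
        return out;
    }
};

// Stand-in for a decoder that can fail: returns nullptr on zero or
// overflowing dimensions, or when the payload is shorter than w*h.
std::unique_ptr<Bitmap> decodeBitmap(const std::vector<uint8_t>& data,
                                     std::size_t w, std::size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h || data.size() < w * h) return nullptr;
    return std::make_unique<Bitmap>(
        Bitmap{w, h, std::vector<uint8_t>(data.begin(), data.begin() + w * h)});
}

// One wide bitmap holds `count` patterns side by side (assumed layout).
// Returns false and leaves `out` empty if the segment must be rejected.
bool readPatternDict(const std::vector<uint8_t>& data, std::size_t patW,
                     std::size_t patH, std::size_t count, std::vector<Bitmap>& out) {
    out.clear();
    if (patW == 0 || count == 0 || count > SIZE_MAX / patW) return false;
    std::unique_ptr<Bitmap> whole = decodeBitmap(data, patW * count, patH);
    if (!whole) return false;  // the check the report found missing: never slice a null bitmap
    for (std::size_t i = 0; i < count; ++i)
        out.push_back(whole->slice(i * patW, 0, patW, patH));
    return true;
}

int main() {
    std::vector<Bitmap> pats;
    const std::vector<uint8_t> truncated = {1, 2, 3};  // constructed input: too short for 4x2
    bool ok = readPatternDict(truncated, 2, 2, 2, pats);
    std::printf("truncated segment accepted: %s\n", ok ? "yes" : "no");
    return 0;
}
```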
