Bug 101153 - [pdfunite] crash when parsing a crafted pdf due to null pointer dereference in ~/utils/pdfunite.cc:276
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: utils (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) FreeBSD
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-23 10:39 UTC by Jiaqi Peng
Modified: 2017-05-26 22:10 UTC (History)
See Also:
Description Jiaqi Peng 2017-05-23 10:39:49 UTC
## Summary
pdfunite util in poppler-0.55.0 will crash when parsing a crafted pdf file due to null pointer dereference in main()@~/utils/pdfunite.cc:276
ps: this issue is similar to https://bugs.freedesktop.org/show_bug.cgi?id=101149, but crashes in a different location and needs a different patch.


## Reproduce
openstack@openstack-virtual-machine:~/pjq/poppler-0.55.0/build-gcc/utils$ ./pdfunite null_pointer_deference_poc_276.pdf 1.pdf
Internal Error: xref num 17 not found but needed, try to reconstruct<0a>
Syntax Error: Kid object (page 1) is wrong type (null)
Segmentation fault


## Crash Stack
Program received signal SIGSEGV, Segmentation fault.
0x000000000041acbb in main (argc=3, argv=<optimized out>) at ../../utils/pdfunite.cc:276
276           docs[0]->markPageObjects(ocObj.getDict(), yRef, countRef, 0, refPage->num, refPage->num);
(gdb) bt
#0  0x000000000041acbb in main (argc=3, argv=<optimized out>) at ../../utils/pdfunite.cc:276


## Analysis
in ~/utils/pdfunite.cc:276
270     Ref *refPage = docs[0]->getCatalog()->getPageRef(1);
271     if (!afObj.isNull()) {
272       docs[0]->markAcroForm(&afObj, yRef, countRef, 0, refPage->num, refPage->num);
273     }
274     catDict->lookupNF("OCProperties", &ocObj);
275     if (!ocObj.isNull() && ocObj.isDict()) {
276       docs[0]->markPageObjects(ocObj.getDict(), yRef, countRef, 0, refPage->num, refPage->num);
277     }

(gdb) p refPage
$1 = (Ref *) 0x0

Here, the last two arguments of markPageObjects() are both refPage->num;
but refPage=0, causing a null pointer dereference.

refPage comes from line 270 by docs[0]->getCatalog()->getPageRef(1);
but function Catalog::getPageRef() may return NULL (as below):

in ~/poppler/Catalog.cc:257
 249 Ref *Catalog::getPageRef(int i)
 250 {
 251   if (i < 1) return NULL;
 252 
 253   catalogLocker();
 254   if (i > lastCachedPage) {
 255      GBool cached = cachePageTree(i);
 256      if ( cached == gFalse) {
 257        return NULL;
 258      }
 259   }
 260   return &pageRefs[i-1];
 261 }


## Patch
In ~/utils/pdfunite.cc, before using refPage->num, first check whether the value of refPage from line 270 is zero or not.


## Author
name: Jiaqi Peng
email: pjqruc@gmail.com (if you need poc, contact me via email)
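The check the report asks for, shown as an added example in C++ that is not part of the bug report or of poppler itself. `Ref`, `FakeCatalog`, `makeHealthyCatalog`, `makeBrokenCatalog`, `firstPageNumUnchecked` and `firstPageNum` are hypothetical stand-ins that model only the contract quoted above, namely that `Catalog::getPageRef()` returns NULL when the page tree cannot be cached; the unchecked variant mirrors the pattern at pdfunite.cc:270-276, the checked variant is the hardened form.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical stand-ins, not poppler's real classes: they model only the
// contract the report relies on, namely that Catalog::getPageRef() returns
// NULL when the page tree cannot be cached (e.g. a broken /Kids entry).
struct Ref {
    int num;
    int gen;
};

struct FakeCatalog {
    std::vector<Ref> pageRefs;  // constructed page references
    bool treeBroken;            // simulates cachePageTree() returning gFalse

    Ref *getPageRef(int i) {
        if (i < 1) return nullptr;
        if (treeBroken || i > static_cast<int>(pageRefs.size())) return nullptr;
        return &pageRefs[i - 1];
    }
};

// Constructed inputs: a healthy one-page document and one whose page tree
// cannot be reconstructed, as with the crafted file from the report.
FakeCatalog makeHealthyCatalog() { return FakeCatalog{{{5, 0}}, false}; }
FakeCatalog makeBrokenCatalog()  { return FakeCatalog{{}, true}; }

// The pattern from pdfunite.cc:270-276 as reported: refPage is dereferenced
// without a check, so a broken catalog crashes here. Kept for contrast only.
int firstPageNumUnchecked(FakeCatalog &cat) {
    Ref *refPage = cat.getPageRef(1);
    return refPage->num;  // null pointer dereference when getPageRef() fails
}

// Hardened form: validate the pointer once, report, and hand the failure
// back to the caller (pdfunite's main() would print an error and exit).
bool firstPageNum(FakeCatalog &cat, int &numOut) {
    Ref *refPage = cat.getPageRef(1);
    if (refPage == nullptr) {
        std::fprintf(stderr, "Error: first page of document not found\n");
        return false;
    }
    numOut = refPage->num;
    return true;
}
```

The point of checking once, right after `getPageRef(1)`, is that both `markAcroForm()` and `markPageObjects()` in the quoted code read `refPage->num`; a single early bail-out covers every later use instead of guarding each call site.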
Comment 1 Albert Astals Cid 2017-05-23 19:22:42 UTC
Please provide the file
Comment 2 Albert Astals Cid 2017-05-26 22:10:50 UTC
Fixed, thanks

