Created attachment 131960
Proof of concept

No validation of the returned value leads to a null dereference. The vulnerability is at 'Annot.cc:5404' in the function 'AnnotScreen::initialize'.

Annot.cc
5403   action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());
5404   if (action->getKind() == actionRendition && page == 0) {
5405     error (errSyntaxError, -1, "Invalid Rendition action: associated screen annotation without P");
5406     delete action;
5407     action = NULL;
5408     ok = gFalse;
5409   }

In 5403, action gets a NULL value when it should be a LinkJavaScript object; however, the getKind method is called in 5404 without checking whether action is valid (!= NULL).

Prior to where the crash occurs, action is assigned a value:

5403   action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());

The line above calls the parseAction function with obj1 and a base URI that contains '0x7fffffffded0: "\020\337\377\377\377\177"' as baseURI, which is not valid, and so null is returned for action as shown below:

Link.cc
133   // action is missing or wrong type
134   } else {
135     error(errSyntaxWarning, -1, "parseAction: Unknown annotation action object: URI = '{0:s}'",
136           baseURI ? baseURI->getCString() : "NULL");
137     action = NULL;
138   }

This could be fixed by just checking for action != NULL after Annot.cc:5403.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
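The pattern the report describes, as an added example that is neither poppler's code nor the reporter's: a stand-in for LinkAction::parseAction that returns NULL for an unrecognized action subtype, the screen-annotation initialize that calls getKind() on the result without looking at it, and the same initialize with the action != NULL check the report proposes. The ActionDict type, the InitResult codes and the enum values are assumptions made for this example; only the names getKind, actionRendition and the error message are taken from the report.

```cpp
// Added example, not poppler's code: a minimal model of the
// LinkAction::parseAction / AnnotScreen::initialize interaction described in
// the report, showing the unchecked call beside the NULL-checked fix.
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>

// Action kinds relevant here (the enum itself is an assumption for this example).
enum ActionKind { actionJavaScript, actionRendition };

struct LinkAction {
    explicit LinkAction(ActionKind k) : kind(k) {}
    ActionKind getKind() const { return kind; }
    ActionKind kind;
};

// Stand-in for the action dictionary: only the /S (subtype) name matters here.
struct ActionDict {
    std::string subtype;   // "JavaScript", "Rendition", or anything malformed
};

// Models LinkAction::parseAction: known subtypes yield an action; anything
// else logs a warning and yields NULL, the Link.cc path the report quotes.
std::unique_ptr<LinkAction> parseAction(const ActionDict &obj) {
    if (obj.subtype == "JavaScript")
        return std::unique_ptr<LinkAction>(new LinkAction(actionJavaScript));
    if (obj.subtype == "Rendition")
        return std::unique_ptr<LinkAction>(new LinkAction(actionRendition));
    std::fprintf(stderr, "parseAction: Unknown annotation action object: S = '%s'\n",
                 obj.subtype.c_str());
    return nullptr;
}

// Outcome codes for the initialize stand-ins (assumed for this example).
enum InitResult { initOk, initNullAction, initRenditionWithoutPage };

// The pattern at Annot.cc:5404 as reported: getKind() is called on whatever
// parseAction returned, so an unknown /S dereferences NULL. Kept only to show
// the bug; never call it with a subtype parseAction rejects.
InitResult screenInitUnchecked(const ActionDict &obj, int page) {
    std::unique_ptr<LinkAction> action = parseAction(obj);
    if (action->getKind() == actionRendition && page == 0)   // NULL deref when action is NULL
        return initRenditionWithoutPage;
    return initOk;
}

// The fix the report proposes: test action != NULL before touching it and
// fail the annotation instead of crashing.
InitResult screenInitChecked(const ActionDict &obj, int page) {
    std::unique_ptr<LinkAction> action = parseAction(obj);
    if (!action) {
        std::fprintf(stderr, "Invalid action on screen annotation\n");
        return initNullAction;
    }
    if (action->getKind() == actionRendition && page == 0) {
        std::fprintf(stderr, "Invalid Rendition action: associated screen annotation without P\n");
        return initRenditionWithoutPage;
    }
    return initOk;
}

int main() {
    // Constructed inputs: a well-formed action, a Rendition without a page,
    // and a malformed /S that reaches the NULL path.
    assert(screenInitChecked(ActionDict{"JavaScript"}, 0) == initOk);
    assert(screenInitChecked(ActionDict{"Rendition"}, 0) == initRenditionWithoutPage);
    assert(screenInitChecked(ActionDict{"Rendition"}, 3) == initOk);
    assert(screenInitChecked(ActionDict{"\x10junk"}, 0) == initNullAction);
    // screenInitUnchecked(ActionDict{"\x10junk"}, 0) would crash here.
    std::puts("ok");
    return 0;
}
```

The checked version mirrors the existing error branch at Annot.cc:5405-5408: a NULL action is treated the same way as an invalid Rendition action (the annotation is marked not ok) rather than being dereferenced.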
Fixed, thanks for the report.