Bug 101429 - No validation of returned value leads to null dereference at Annot.cc:5404
Summary: No validation of returned value leads to null dereference at Annot.cc:5404
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All, OS: All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-14 21:39 UTC by foca@salesforce.com
Modified: 2017-06-17 10:19 UTC



Attachments
Proof of concept (8.50 KB, application/pdf)
2017-06-14 21:39 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-14 21:39:24 UTC
Created attachment 131960 [details]
Proof of concept

No validation of returned value leads to null dereference. The vulnerability is at 'Annot.cc:5404' in the function 'AnnotScreen::initialize'.
Annot.cc
5403     action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());
5404     if (action->getKind() == actionRendition && page == 0) {
5405       error (errSyntaxError, -1, "Invalid Rendition action: associated screen annotation without P");
5406       delete action;
5407       action = NULL;
5408       ok = gFalse;
5409     }

In 5403, action gets a NULL value when it should be a LinkJavaScript object; however, the getKind method is called in 5404 without checking whether action is valid (!= NULL).

Prior to where the crash occurs, action is assigned a value:

5403        action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());

The line above calls the parseAction function with obj1 and a base URI that contains '0x7fffffffded0: "\020\337\377\377\377\177"' as baseURI, which is not valid, and so null is returned for action, as shown below:

Link.cc
133   // action is missing or wrong type
134   } else {
135     error(errSyntaxWarning, -1, "parseAction: Unknown annotation action object: URI = '{0:s}'",
136           baseURI ? baseURI->getCString() : "NULL");
137     action = NULL;
138   }

This could be fixed just by checking for action != NULL after Annot.cc:5403.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
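The pattern in the report, reduced to a stand-alone example. This is added illustrative code, not poppler's own: the LinkAction classes, parseActionModel and the two initializeScreen* functions are hypothetical stand-ins for LinkAction::parseAction and AnnotScreen::initialize, and the action subtype is passed as a plain string instead of being read from a PDF dictionary. parseActionModel returns nullptr for a missing or unknown action type, just as the quoted Link.cc branch does; the unchecked variant reproduces the dereference at Annot.cc:5404, while the hardened variant adds the check for a null action that the report proposes.

```cpp
#include <memory>
#include <string>

// Added example, not poppler code: a reduced model of the
// parseAction / AnnotScreen::initialize interaction from the report.

enum ActionKind { actionJavaScript, actionRendition };

struct LinkAction {
    virtual ~LinkAction() {}
    virtual ActionKind getKind() const = 0;
};

struct LinkJavaScript : LinkAction {
    ActionKind getKind() const override { return actionJavaScript; }
};

struct LinkRendition : LinkAction {
    ActionKind getKind() const override { return actionRendition; }
};

// Hypothetical stand-in for LinkAction::parseAction. The /S name of the
// action dictionary is passed as a string; anything unknown yields
// nullptr, mirroring the "Unknown annotation action object" branch
// quoted from Link.cc in the report.
std::unique_ptr<LinkAction> parseActionModel(const std::string& subtype) {
    if (subtype == "JavaScript")
        return std::unique_ptr<LinkAction>(new LinkJavaScript());
    if (subtype == "Rendition")
        return std::unique_ptr<LinkAction>(new LinkRendition());
    return nullptr;  // action is missing or wrong type
}

// Result of initializing a screen annotation in this model.
struct ScreenAnnot {
    std::unique_ptr<LinkAction> action;
    int page = 0;       // page number from /P; 0 means no /P entry
    bool ok = true;
};

// Vulnerable shape from the report: getKind() is called on whatever
// parseActionModel returned. With an unknown subtype, action is null and
// the call below dereferences it (only safe to call with a known subtype).
ScreenAnnot initializeScreenUnchecked(const std::string& subtype, int page) {
    ScreenAnnot a;
    a.page = page;
    a.action = parseActionModel(subtype);
    if (a.action->getKind() == actionRendition && a.page == 0) {  // null deref
        a.action.reset();
        a.ok = false;
    }
    return a;
}

// Hardened shape: test the returned pointer before using it, as the
// report suggests for the line after Annot.cc:5403.
ScreenAnnot initializeScreen(const std::string& subtype, int page) {
    ScreenAnnot a;
    a.page = page;
    a.action = parseActionModel(subtype);
    if (!a.action) {          // the missing check
        a.ok = false;
        return a;
    }
    if (a.action->getKind() == actionRendition && a.page == 0) {
        a.action.reset();     // Rendition action without an associated page
        a.ok = false;
    }
    return a;
}
```

A parser that reads attacker-controlled input should treat every "not recognised" return from a helper as an expected outcome, not an impossibility: here the unknown-subtype path is reachable from any PDF, so the null result must be handled at the call site rather than assumed away.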
Comment 1 Albert Astals Cid 2017-06-17 10:19:15 UTC
Fixed, thanks for the report.

