Created attachment 131961 [details] Proof of concept There is a Null dereference bug due to not checking return value of a parsing function 'cairo_image_surface_get_data'. The function 'cairo_image_surface_get_data(source)' is supposed to return a pointer to the data of the image surface but it returns NULL if surface is not an image surface. Program should not continue as there is no image surface, but it does. Function gets called and the pointer (in this case NULL) gets stored in source_data CairoOutputDev.cc:1831: 1830 /* convert to a luminocity map */ 1831 uint32_t *source_data = (uint32_t*)cairo_image_surface_get_data(source); 1832 /* get stride in units of 32 bits */ 1833 int stride = cairo_image_surface_get_stride(source)/4; 1834 for (int y=0; y<height; y++) { 1835 for (int x=0; x<width; x++) { 1836 int lum = alpha ? fill_opacity : luminocity(source_data[y*stride + x]); When Alpha is false, which in this situation it is, luminocity is called with the location of source_data[0] at CairoOutputDev.cc:1836 (As x=0 and y=0 on the first run of the loop). To fix this bug the code should check after line 1831 for source_data != NULL. PoC is attached. This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/355.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.