Bug 101430 - Null dereference due to not checking return value of cairo_image_surface_get_data
Summary: Null dereference due to not checking return value of cairo_image_surface_get_...
Status: NEW
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-14 22:06 UTC by foca@salesforce.com
Modified: 2017-06-14 22:06 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Proof of concept (3.98 KB, application/pdf)
2017-06-14 22:06 UTC, foca@salesforce.com
Details

Note You need to log in before you can comment on or make changes to this bug.
Description foca@salesforce.com 2017-06-14 22:06:25 UTC
Created attachment 131961 [details]
Proof of concept

There is a Null dereference bug due to not checking return value of a parsing function 'cairo_image_surface_get_data'. 

The function 'cairo_image_surface_get_data(source)' is supposed to return a pointer to the data of the image surface but it returns NULL if surface is not an image surface. Program should not continue as there is no image surface, but it does.

Function gets called and the pointer (in this case NULL) gets stored in source_data CairoOutputDev.cc:1831:

1830     /* convert to a luminocity map */
1831     uint32_t *source_data = (uint32_t*)cairo_image_surface_get_data(source);
1832     /* get stride in units of 32 bits */
1833     int stride = cairo_image_surface_get_stride(source)/4;
1834     for (int y=0; y<height; y++) {
1835       for (int x=0; x<width; x++) {
1836         int lum = alpha ? fill_opacity : luminocity(source_data[y*stride + x]);

When Alpha is false, which in this situation it is, luminocity is called with the location of source_data[0] at CairoOutputDev.cc:1836 (As x=0 and y=0 on the first run of the loop).

To fix this bug the code should check after line 1831 for source_data != NULL.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.