Bug 101430 - Null dereference due to not checking return value of cairo_image_surface_get_data
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-14 22:06 UTC by foca@salesforce.com
Modified: 2018-08-21 10:45 UTC

Proof of concept (3.98 KB, application/pdf)
2017-06-14 22:06 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-14 22:06:25 UTC
Created attachment 131961 [details]
Proof of concept

There is a NULL dereference bug due to not checking the return value of a parsing function, 'cairo_image_surface_get_data'.

The function 'cairo_image_surface_get_data(source)' is supposed to return a pointer to the data of the image surface, but it returns NULL if the surface is not an image surface. The program should not continue as there is no image surface, but it does.

The function gets called and the pointer (in this case NULL) gets stored in source_data at CairoOutputDev.cc:1831:

1830     /* convert to a luminocity map */
1831     uint32_t *source_data = (uint32_t*)cairo_image_surface_get_data(source);
1832     /* get stride in units of 32 bits */
1833     int stride = cairo_image_surface_get_stride(source)/4;
1834     for (int y=0; y<height; y++) {
1835       for (int x=0; x<width; x++) {
1836         int lum = alpha ? fill_opacity : luminocity(source_data[y*stride + x]);

When alpha is false, which in this situation it is, luminocity is called with the location of source_data[0] at CairoOutputDev.cc:1836 (as x=0 and y=0 on the first iteration of the loop).

To fix this bug, the code should check after line 1831 that source_data != NULL.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
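The check the report asks for, as an added example that is not poppler's code: a minimal C stand-in for the two cairo accessors the quoted snippet uses (constructed stubs modelling cairo's documented NULL return for a non-image surface, not the real cairo API) and the luminosity loop rewritten to return an error instead of indexing through that NULL. The luminosity weights are an assumed integer approximation of 0.3R + 0.59G + 0.11B, not poppler's own luminocity().

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the slice of the cairo API used in the report.
 * Real cairo_image_surface_get_data() returns NULL when the surface is not
 * an image surface; this stub models exactly that behaviour. */
typedef struct {
    int is_image;        /* 0 models a non-image surface (e.g. a PDF or X11 surface) */
    int stride_bytes;    /* bytes per row, as cairo_image_surface_get_stride() reports */
    uint32_t *pixels;    /* ARGB32-style 0xAARRGGBB pixels, row-major */
} stub_surface_t;

static uint32_t *stub_image_surface_get_data(stub_surface_t *s) { return s->is_image ? s->pixels : NULL; }
static int stub_image_surface_get_stride(stub_surface_t *s) { return s->is_image ? s->stride_bytes : 0; }

/* Assumed integer approximation of 0.3R + 0.59G + 0.11B (weights sum to 256). */
static int luminosity(uint32_t argb) {
    int r = (argb >> 16) & 0xff, g = (argb >> 8) & 0xff, b = argb & 0xff;
    return (r * 77 + g * 151 + b * 28) >> 8;
}

/* Hardened form of the loop quoted at CairoOutputDev.cc:1831-1836: bail out
 * when the surface yields no pixel data instead of dereferencing NULL.
 * Returns 0 on success, -1 when source is not an image surface. */
static int convert_to_luminosity_map(stub_surface_t *source, int width, int height,
                                     uint8_t *out) {
    uint32_t *source_data = stub_image_surface_get_data(source);
    if (source_data == NULL)
        return -1;                                   /* the check the report asks for */
    int stride = stub_image_surface_get_stride(source) / 4;   /* stride in 32-bit units */
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++)
            out[y * width + x] = (uint8_t)luminosity(source_data[y * stride + x]);
    return 0;
}

int main(void) {
    /* Constructed 2x2 ARGB32 sample: white, black, red, blue (stride 8 bytes) */
    uint32_t px[4] = {0xFFFFFFFF, 0xFF000000, 0xFFFF0000, 0xFF0000FF};
    stub_surface_t image = {1, 8, px}, not_image = {0, 8, px};
    uint8_t out[4] = {0};
    int rc = convert_to_luminosity_map(&image, 2, 2, out);
    printf("image surface: rc=%d lum=%d,%d,%d,%d\n", rc, out[0], out[1], out[2], out[3]);
    printf("non-image surface: rc=%d\n", convert_to_luminosity_map(&not_image, 2, 2, out));
    return 0;
}
```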
Comment 1 GitLab Migration User 2018-08-21 10:45:25 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/355.
