Bug 101431 - Null pointer dereference in function getRow at CairoOutputDev.cc:3160
Summary: Null pointer dereference in function getRow at CairoOutputDev.cc:3160
Status: NEW
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: All All
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-14 22:46 UTC by foca@salesforce.com
Modified: 2017-06-14 22:46 UTC

See Also:
i915 platform:
i915 features:


Attachments
Proof of concept (6.69 KB, application/pdf)
2017-06-14 22:46 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-14 22:46:34 UTC
Created attachment 131963
Proof of concept

Hi, 

There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130 the variable pix can get a NULL value returned by imgStr->getLine():

3122   void getRow(int row_num, uint32_t *row_data) override {
3123     int i;
3124     Guchar *pix;
3125 
3126     if (row_num <= current_row)
3127       return;
3128 
3129     while (current_row  < row_num) {
3130       pix = imgStr->getLine();
3131       current_row++;
3132     }
3133 
3134     if (unlikely(pix == NULL)) {
3135       memset(row_data, 0, width*4);
3136       if (!imageError) {
3137         error(errInternal, -1, "Bad image stream");
3138         imageError = gTrue;
3139       }


This scenario (pix == NULL) is checked later at line 3134. But the execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer.

3156     if (maskColors) {
3157       for (int x = 0; x < width; x++) {
3158         bool is_opaque = false;
3159         for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
3160           if (pix[i] < maskColors[2*i] ||
3161               pix[i] > maskColors[2*i+1]) {
3162             is_opaque = true;
3163             break;
3164           }
3165         }

A solution could be exiting the function after the error is detected at 3138.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
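Added illustration (not poppler code and not part of the report): a stand-alone C++ model of the getRow() control flow described above, with the reported fall-through beside the early-return fix the report proposes. StubImageStream, RowReader, RowResult and simulate() are constructed for this example; the stream stub returns nullptr after a fixed number of scanlines to model a bad image stream, and the guard before pix[i] in the buggy path stands in for the crash at line 3160 so the example can run without faulting. Advancing pix by one pixel per iteration of the outer loop is an assumption, since that part of the function is not quoted in the report.

```cpp
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <vector>

typedef unsigned char Guchar;

// Constructed stand-in for the image stream: serves `goodLines` valid
// scanlines, then returns nullptr, as getLine() does on a bad stream.
class StubImageStream {
public:
  StubImageStream(int width, int nComps, int goodLines)
      : line_(width * nComps, 0x80), goodLines_(goodLines) {}
  Guchar *getLine() { return served_++ < goodLines_ ? line_.data() : nullptr; }
private:
  std::vector<Guchar> line_;
  int goodLines_;
  int served_ = 0;
};

// Outcome of one getRow() call, so both control flows can be compared.
enum class RowResult { Ok, ErrorRowZeroed, WouldDerefNull };

class RowReader {
public:
  RowReader(StubImageStream *s, int width, int nComps, const int *maskColors)
      : imgStr(s), width(width), nComps(nComps), maskColors(maskColors) {}

  // Control flow as reported: the NULL check zeroes the row and records the
  // error, then falls through into the mask loop that dereferences pix.
  RowResult getRowBuggy(int row_num, uint32_t *row_data) {
    Guchar *pix = nullptr;
    if (row_num <= current_row) return RowResult::Ok;
    while (current_row < row_num) { pix = imgStr->getLine(); current_row++; }
    RowResult result = RowResult::Ok;
    if (pix == nullptr) {
      memset(row_data, 0, width * 4);
      if (!imageError) imageError = true;  // error(errInternal, ...) in poppler
      result = RowResult::ErrorRowZeroed;
      // defect: no return here, execution continues with pix == nullptr
    }
    if (maskColors) {
      for (int x = 0; x < width; x++) {
        bool is_opaque = false;
        for (int i = 0; i < nComps; ++i) {
          if (pix == nullptr) return RowResult::WouldDerefNull;  // line 3160
          if (pix[i] < maskColors[2 * i] || pix[i] > maskColors[2 * i + 1]) {
            is_opaque = true;
            break;
          }
        }
        (void)is_opaque;
        pix += nComps;  // assumed per-pixel advance, not quoted in the report
      }
    }
    return result;
  }

  // Proposed fix: leave getRow() as soon as the bad stream is detected.
  RowResult getRowFixed(int row_num, uint32_t *row_data) {
    Guchar *pix = nullptr;
    if (row_num <= current_row) return RowResult::Ok;
    while (current_row < row_num) { pix = imgStr->getLine(); current_row++; }
    if (pix == nullptr) {
      memset(row_data, 0, width * 4);
      if (!imageError) imageError = true;
      return RowResult::ErrorRowZeroed;  // row is blank, nothing else to do
    }
    if (maskColors) {
      for (int x = 0; x < width; x++) {
        for (int i = 0; i < nComps; ++i)
          if (pix[i] < maskColors[2 * i] || pix[i] > maskColors[2 * i + 1]) break;
        pix += nComps;
      }
    }
    return RowResult::Ok;
  }

  bool imageError = false;
private:
  StubImageStream *imgStr;
  int width, nComps;
  int current_row = -1;
  const int *maskColors;
};

// Drives a fresh reader over a 4-pixel, 3-component stream that fails after
// two scanlines and returns the outcome of requesting rows 0..row in order.
RowResult simulate(bool useFix, int row) {
  StubImageStream stream(4, 3, 2);
  static const int mask[6] = {0, 10, 0, 10, 0, 10};  // constructed maskColors
  RowReader reader(&stream, 4, 3, mask);
  uint32_t rowData[4];
  RowResult r = RowResult::Ok;
  for (int n = 0; n <= row; n++)
    r = useFix ? reader.getRowFixed(n, rowData) : reader.getRowBuggy(n, rowData);
  return r;
}

int main() {
  printf("buggy, row 2: %s\n", simulate(false, 2) == RowResult::WouldDerefNull ? "null deref" : "ok");
  printf("fixed, row 2: %s\n", simulate(true, 2) == RowResult::ErrorRowZeroed ? "row zeroed, returned" : "ok");
  return 0;
}
```

The point the model makes explicit is that the existing NULL check only matters if it also ends the call: zeroing the row and logging are the right reaction to a bad stream, but every statement after the check still sees pix == NULL, and the first one that indexes it (the maskColors range test) faults. Returning right after setting imageError, as the report suggests, keeps the blank-row behaviour and closes the path.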

