Created attachment 131963
Proof of concept

Hi,

There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130 the variable pix can get a NULL value returned by imgStr->getLine():

    3122   void getRow(int row_num, uint32_t *row_data) override {
    3123     int i;
    3124     Guchar *pix;
    3125
    3126     if (row_num <= current_row)
    3127       return;
    3128
    3129     while (current_row < row_num) {
    3130       pix = imgStr->getLine();
    3131       current_row++;
    3132     }
    3133
    3134     if (unlikely(pix == NULL)) {
    3135       memset(row_data, 0, width*4);
    3136       if (!imageError) {
    3137         error(errInternal, -1, "Bad image stream");
    3138         imageError = gTrue;
    3139       }

This scenario (pix == NULL) is checked later at line 3134. But the execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer:

    3156     if (maskColors) {
    3157       for (int x = 0; x < width; x++) {
    3158         bool is_opaque = false;
    3159         for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
    3160           if (pix[i] < maskColors[2*i] ||
    3161               pix[i] > maskColors[2*i+1]) {
    3162             is_opaque = true;
    3163             break;
    3164           }
    3165         }

A solution could be exiting the function after the error is detected at 3138.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
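The defect the report describes is a "check, log, then fall through" pattern: the NULL result is detected and an error recorded, but control continues into code that indexes the pointer. The following is an added, simplified C++ model of that control flow with the early return the reporter suggests applied; it is not poppler's code and not part of the original report. FakeImageStream, RowReader and their members are hypothetical stand-ins for the ImageStream/CairoOutputDev internals (one colour component per pixel, a constructed stream that runs dry after a fixed number of lines), and mask_loop_entries exists only so a test can confirm the mask loop is never entered once the stream has failed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the image stream: serves `lines_available` rows
// of constant pixel data, then returns nullptr (constructed test fixture).
struct FakeImageStream {
    int width;
    int lines_available;
    int served = 0;
    std::vector<uint8_t> buf;

    FakeImageStream(int w, int n, uint8_t value)
        : width(w), lines_available(n), buf(static_cast<size_t>(w), value) {}

    // Mirrors the contract the report relies on: a line pointer, or nullptr on failure.
    uint8_t *getLine() {
        return served++ < lines_available ? buf.data() : nullptr;
    }
};

// Hypothetical row reader modelling getRow() after the fix: the NULL check
// now terminates the function instead of falling through to the mask loop.
struct RowReader {
    FakeImageStream *imgStr;
    int width;
    int current_row = -1;
    bool imageError = false;
    int mask_loop_entries = 0;   // instrumentation only: how often the mask loop ran
    const int *maskColors;       // [min, max] for the single component, or nullptr

    RowReader(FakeImageStream *s, int w, const int *mask)
        : imgStr(s), width(w), maskColors(mask) {}

    // Returns false when the stream failed; row_data is zero-filled in that case.
    bool getRow(int row_num, uint32_t *row_data) {
        uint8_t *pix = nullptr;

        if (row_num <= current_row)
            return true;

        while (current_row < row_num) {
            pix = imgStr->getLine();
            current_row++;
        }

        if (pix == nullptr) {
            std::memset(row_data, 0, static_cast<size_t>(width) * sizeof(uint32_t));
            if (!imageError) {
                std::fprintf(stderr, "Bad image stream\n");
                imageError = true;
            }
            return false;   // the fix: never reach the code below with pix == nullptr
        }

        if (maskColors) {
            mask_loop_entries++;
            for (int x = 0; x < width; x++) {
                // Pixel is opaque when its value lies outside the mask range.
                bool is_opaque = pix[x] < maskColors[0] || pix[x] > maskColors[1];
                row_data[x] = is_opaque ? 0xFF000000u : 0u;
            }
        } else {
            for (int x = 0; x < width; x++)
                row_data[x] = 0xFF000000u | pix[x];
        }
        return true;
    }
};
```

Reading rows 0 and 1 from a two-line stream succeeds; row 2 makes getLine() return nullptr, getRow() zero-fills the output, records the error once and returns without touching pix, which is exactly the behaviour the unpatched fall-through lacked.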
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/59.