Bug 101504 - NULL pointer dereference in GfxState.cc:6127
Summary: NULL pointer dereference in GfxState.cc:6127
Status: NEW
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-19 17:57 UTC by foca@salesforce.com
Modified: 2017-06-19 21:54 UTC

Proof of concept (6.60 KB, application/pdf)
2017-06-19 17:57 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-19 17:57:34 UTC
Created attachment 132068
Proof of concept

There is a NULL dereference in GfxState.cc:6127.

The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710, which returns NULL, and stores that in pix. The value is then passed on to the getGrayLine function, which tries to dereference it, resulting in a null dereference.

2708   for (y = 0; y < maskHeight; y++) {
2709     maskDest = (unsigned char *) (maskBuffer + y * row_stride);
2710     pix = maskImgStr->getLine();
2711     maskColorMap->getGrayLine (pix, maskDest, maskWidth);
2712   }

The reason NULL is returned by getLine is the following:

 529   if (unlikely(inputLine == NULL)) {
 530       return NULL;
 531   }

At that point inp is set to whatever pix was (pix = in); in our case pix was NULL. On line 6127 the dereference takes place and poppler crashes trying to dereference a NULL pointer.
6123   default:
6124     inp = in;
6125     for (j = 0; j < length; j++)
6126       for (i = 0; i < nComps; i++) {
6127         *inp = byte_lookup[*inp * nComps + i];
6128         inp++;
6129       }

A solution could be an additional check at CairoOutputDev.cc:2710 that the line isn't NULL:
2710     pix = maskImgStr->getLine();
2711     if (pix == NULL) continue;
2712     maskColorMap->getGrayLine (pix, maskDest, maskWidth);

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 1 foca@salesforce.com 2017-06-19 18:05:11 UTC
There is a similar bug at CairoOutputDev.cc:2598:

2596   for (y = 0; y < height; y++) {
2597     dest = (unsigned int *) (buffer + y * row_stride);
2598     pix = imgStr->getLine();
2599     colorMap->getRGBLine (pix, dest, width);
2600   }

The return value of getLine is not validated, and in some scenarios this value is NULL, so a NULL pointer dereference happens and poppler crashes.
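Both the description (drawSoftMaskedImage, getGrayLine) and Comment 1 (getRGBLine) describe the same pattern: a per-row loop hands getLine()'s result to a colour-map routine that dereferences it unconditionally, and getLine() returns NULL once the image stream runs short. The following C program is an added example, not part of this bug report and not poppler source. It models that pattern with a hypothetical stand-in ImageStream (image_stream_get_line) and colour map (colormap_get_gray_line, an in-place byte lookup like the GfxState.cc loop quoted above), shows the unchecked loop beside a checked one, and drives both with a constructed 4x3 gray image that can be truncated to trigger the NULL path.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for poppler's ImageStream (not poppler code).
 * get_line() returns the next decoded row, or NULL when the underlying
 * stream ran out of data before a whole row could be read: the
 * "inputLine == NULL" early return quoted in the report. */
typedef struct {
    const uint8_t *data;   /* one byte per pixel, rows back to back */
    size_t len;            /* bytes actually available */
    size_t pos;            /* read cursor */
    int width;             /* pixels per row, at most 64 here */
    uint8_t line[64];      /* scratch row handed back to the caller */
} ImageStream;

static uint8_t *image_stream_get_line(ImageStream *s) {
    if (s->pos + (size_t)s->width > s->len)
        return NULL;       /* truncated image data: the trigger for this bug */
    memcpy(s->line, s->data + s->pos, (size_t)s->width);
    s->pos += (size_t)s->width;
    return s->line;
}

/* Stand-in for GfxImageColorMap::getGrayLine: a per-sample byte lookup applied
 * in place, the same shape as the GfxState.cc loop quoted above. Like the
 * real function it dereferences `in` without checking it. */
static void colormap_get_gray_line(const uint8_t lookup[256], uint8_t *in,
                                   uint8_t *out, int width) {
    for (int i = 0; i < width; i++) {
        in[i] = lookup[in[i]];  /* faults here when in == NULL */
        out[i] = in[i];
    }
}

/* Loop shape from CairoOutputDev.cc before the fix: getLine's result goes
 * straight into the colour map, so a truncated stream crashes the process. */
void draw_mask_unchecked(ImageStream *s, const uint8_t lookup[256],
                         uint8_t *buffer, int row_stride, int height) {
    for (int y = 0; y < height; y++) {
        uint8_t *dest = buffer + (size_t)y * row_stride;
        uint8_t *pix = image_stream_get_line(s);
        colormap_get_gray_line(lookup, pix, dest, s->width);
    }
}

/* Hardened loop: the NULL check the report proposes, plus a zero fill so the
 * caller never reads uninitialised mask memory for rows that were missing.
 * Returns the number of rows actually decoded. */
int draw_mask_checked(ImageStream *s, const uint8_t lookup[256],
                      uint8_t *buffer, int row_stride, int height) {
    int decoded = 0;
    for (int y = 0; y < height; y++) {
        uint8_t *dest = buffer + (size_t)y * row_stride;
        uint8_t *pix = image_stream_get_line(s);
        if (pix == NULL) {
            memset(dest, 0, (size_t)s->width);
            continue;
        }
        colormap_get_gray_line(lookup, pix, dest, s->width);
        decoded++;
    }
    return decoded;
}

/* Constructed sample input: a 4x3 eight-bit gray image, 12 bytes in total. */
static const uint8_t kSampleImage[12] = {
    0x00, 0x10, 0x20, 0x30,
    0x40, 0x50, 0x60, 0x70,
    0x80, 0x90, 0xa0, 0xb0,
};

/* Inverting lookup table standing in for the colour map's byte_lookup. */
static void invert_lookup(uint8_t lookup[256]) {
    for (int v = 0; v < 256; v++)
        lookup[v] = (uint8_t)(255 - v);
}

/* Decode the first `len` bytes of the sample through the hardened loop into
 * `out` (3 rows of 4) and return the number of complete rows; a `len` below
 * 12 models the truncated stream that makes getLine return NULL. */
int decode_sample(size_t len, uint8_t out[12]) {
    uint8_t lookup[256];
    invert_lookup(lookup);
    ImageStream s = { kSampleImage, len, 0, 4, {0} };
    return draw_mask_checked(&s, lookup, out, 4, 3);
}

/* Same decode through the unfixed loop; only safe with all 12 bytes present. */
void decode_sample_unchecked(uint8_t out[12]) {
    uint8_t lookup[256];
    invert_lookup(lookup);
    ImageStream s = { kSampleImage, sizeof kSampleImage, 0, 4, {0} };
    draw_mask_unchecked(&s, lookup, out, 4, 3);
}
```

With all 12 bytes both loops produce the same three rows; with only 9 bytes decode_sample(9, out) returns 2 and leaves the third row zeroed, while draw_mask_unchecked on the same input would dereference NULL inside the colour map, which is the crash at GfxState.cc:6127. The zero fill is a design choice of this example, not something the report asks for: a bare `continue` keeps the process alive but leaves whatever was in the row buffer to be composited as mask data.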
