Created attachment 132068: Proof of concept

There is a NULL dereference in GfxState.cc:6127. The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710, which returns NULL, and stores that in pix. The value is then passed on to the getGrayLine function, which tries to dereference it, resulting in a null dereference.

2708     for (y = 0; y < maskHeight; y++) {
2709       maskDest = (unsigned char *) (maskBuffer + y * row_stride);
2710       pix = maskImgStr->getLine();
2711       maskColorMap->getGrayLine (pix, maskDest, maskWidth);
2712     }

The reason NULL is returned by getLine is the following check in `ImageStream::getLine`:

529   if (unlikely(inputLine == NULL)) {
530     return NULL;
531   }

At that point inp is set to whatever pix was (pix = in); in our case pix was NULL. On line 6127 the dereference takes place and poppler crashes trying to dereference a NULL pointer.

6123     default:
6124       inp = in;
6125       for (j = 0; j < length; j++)
6126         for (i = 0; i < nComps; i++) {
6127           *inp = byte_lookup[*inp * nComps + i];
6128           inp++;
6129         }

A solution could be an additional check at CairoOutputDev.cc:2710 to make sure the line isn't NULL:

2710       pix = maskImgStr->getLine();
2711       if (pix == NULL) continue;
2712       maskColorMap->getGrayLine (pix, maskDest, maskWidth);

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
There is a similar bug at CairoOutputDev.cc:2598:

2596     for (y = 0; y < height; y++) {
2597       dest = (unsigned int *) (buffer + y * row_stride);
2598       pix = imgStr->getLine();
2599       colorMap->getRGBLine (pix, dest, width);
2600     }

The returned value for getLine is not validated, and in some scenarios this value is NULL, so a NULL pointer dereference happens and poppler crashes.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/498.