Bug 101504 - NULL pointer dereference in GfxState.cc:6127
Summary: NULL pointer dereference in GfxState.cc:6127
Status: NEW
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: Other / OS: All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-19 17:57 UTC by foca@salesforce.com
Modified: 2017-06-19 21:54 UTC (History)


Proof of concept (6.60 KB, application/pdf)
2017-06-19 17:57 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-19 17:57:34 UTC
Created attachment 132068
Proof of concept

There is a NULL dereference in GfxState.cc:6127.

The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710, which returns NULL, and stores that in pix. The value is then passed on to the getGrayLine function, which tries to dereference it, resulting in a null dereference.

2708   for (y = 0; y < maskHeight; y++) {
2709     maskDest = (unsigned char *) (maskBuffer + y * row_stride);
2710     pix = maskImgStr->getLine();
2711     maskColorMap->getGrayLine (pix, maskDest, maskWidth);
2712   }

The reason NULL is returned by getLine is the following:

 529   if (unlikely(inputLine == NULL)) {
 530       return NULL;
 531   }

At that point inp is set to whatever pix was (pix = in); in our case pix was NULL. On line 6127 the dereference takes place and poppler crashes trying to dereference a NULL pointer.
6123   default:
6124     inp = in;
6125     for (j = 0; j < length; j++)
6126       for (i = 0; i < nComps; i++) {
6127         *inp = byte_lookup[*inp * nComps + i];
6128         inp++;
6129       }

A solution could be an additional check at CairoOutputDev.cc:2710 to check the line isn't NULL:
2710     pix = maskImgStr->getLine();
2711     if (pix == NULL) continue;
2712     maskColorMap->getGrayLine (pix, maskDest, maskWidth);

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
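The pattern described above (an image-line getter that can return NULL once a stream is exhausted, fed into a colour-map routine that writes through the pointer unconditionally), as an added example that is not poppler's code and not part of the report. FakeLineStream, grayLineInPlace, convertRowsUnchecked and convertRowsChecked are constructed stand-ins for the ImageStream / GfxColorMap / drawSoftMaskedImage loop quoted in the report; the 4x3 image with only two rows of data is constructed input standing in for a truncated PDF image stream.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Added example, not poppler code. FakeLineStream is a constructed stand-in for
// an image-line stream: it hands out one row per getLine() call until the backing
// data runs out, then returns nullptr, mirroring the
// `if (unlikely(inputLine == NULL)) return NULL;` path quoted in the report.
class FakeLineStream {
public:
    FakeLineStream(std::vector<uint8_t> data, size_t width)
        : data_(std::move(data)), width_(width) {}

    // Returns a pointer to the next row, or nullptr once the data is exhausted
    // (the situation a crafted PDF creates by supplying fewer than width*height bytes).
    uint8_t* getLine() {
        if (pos_ + width_ > data_.size())
            return nullptr;
        uint8_t* row = data_.data() + pos_;
        pos_ += width_;
        return row;
    }

private:
    std::vector<uint8_t> data_;
    size_t width_;
    size_t pos_ = 0;
};

// Stand-in for the colour map's in-place lookup (the GfxState.cc default branch
// in the report): it writes through `in` without checking it, so a nullptr `in`
// is a NULL pointer dereference here, exactly as at GfxState.cc:6127.
// The "lookup" itself (255 - value) is hypothetical; only the write pattern matters.
static void grayLineInPlace(uint8_t* in, uint8_t* dest, size_t width) {
    for (size_t j = 0; j < width; j++) {
        in[j] = static_cast<uint8_t>(255 - in[j]);
        dest[j] = in[j];
    }
}

// Vulnerable loop, shaped like CairoOutputDev.cc:2708-2712: the return value of
// getLine() is never checked. Do not call this on a truncated stream.
void convertRowsUnchecked(FakeLineStream& s, uint8_t* buffer, size_t width, size_t height) {
    for (size_t y = 0; y < height; y++) {
        uint8_t* dest = buffer + y * width;
        uint8_t* pix = s.getLine();
        grayLineInPlace(pix, dest, width);  // crashes when pix == nullptr
    }
}

// Hardened loop: the check proposed in the report. Rows whose line is missing are
// skipped, and the function reports how many rows were actually converted so the
// caller can decide whether a partially decoded image is acceptable.
size_t convertRowsChecked(FakeLineStream& s, uint8_t* buffer, size_t width, size_t height) {
    size_t converted = 0;
    for (size_t y = 0; y < height; y++) {
        uint8_t* dest = buffer + y * width;
        uint8_t* pix = s.getLine();
        if (pix == nullptr)
            continue;  // the proposed fix: leave this destination row alone
        grayLineInPlace(pix, dest, width);
        converted++;
    }
    return converted;
}

// Runs the hardened loop on a constructed 4x3 image whose stream holds only two
// rows of data. Returns the number of rows converted (2, not 3).
size_t demoTruncatedImage() {
    const size_t width = 4, height = 3;
    std::vector<uint8_t> data = {0, 10, 20, 30, 40, 50, 60, 70};  // constructed: 2 rows only
    FakeLineStream stream(std::move(data), width);
    std::vector<uint8_t> buffer(width * height, 0);  // pre-zeroed so skipped rows are defined
    return convertRowsChecked(stream, buffer.data(), width, height);
}

int main() {
    return demoTruncatedImage() == 2 ? 0 : 1;
}
```

One caveat a reviewer of the proposed `continue` would raise: skipping the row leaves that slice of the destination buffer exactly as it was, so unless the buffer is zeroed (or otherwise initialised) before the loop, the rendered image carries whatever was in that memory. The example pre-zeroes the buffer; whether the real caller does is not shown on this page, so a fix that breaks out of the loop and reports failure, rather than silently continuing, is the safer shape.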
Comment 1 foca@salesforce.com 2017-06-19 18:05:11 UTC
There is a similar bug at CairoOutputDev.cc:2598:

2596   for (y = 0; y < height; y++) {
2597     dest = (unsigned int *) (buffer + y * row_stride);
2598     pix = imgStr->getLine();
2599     colorMap->getRGBLine (pix, dest, width);
2600   }

The returned value for getLine is not validated. And in some scenarios this value is NULL, so a NULL pointer dereference happens and poppler crashes.
