Bug 101505 - NULL pointer dereference in GooString.h:121
Summary: NULL pointer dereference in GooString.h:121
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-19 19:50 UTC by foca@salesforce.com
Modified: 2017-06-19 21:45 UTC

Proof of concept (14.81 KB, application/pdf)
2017-06-19 19:50 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-19 19:50:11 UTC
Created attachment 132070
Proof of concept

There is a NULL pointer dereference.

The SIGSEGV happens in GooString.h:121:
121	  char *getCString() { return s; }

But the problem comes from GfxFont.cc:826:
825	  //----- CID font substitution
826	  if ((path = globalParams->findCCFontFile(
827					((GfxCIDFont *)this)->getCollection()))) {
828	    if ((fontLoc = getExternalFont(path, gTrue))) {

((GfxCIDFont *)this)->getCollection() returns NULL, and this is not checked in this function or in any of the following functions until the NULL dereference happens at getCString:
#0  0x000000000040b480 in GooString::getCString (this=0x0) at ../goo/GooString.h:121
#1  0x00000000004a67c9 in GooHash::hash (this=0x7fc350, key=0x0) at GooHash.cc:369
#2  0x00000000004a66b5 in GooHash::find (this=0x7fc350, key=0x0, h=0x7fffffffd414) at GooHash.cc:342
#3  0x00000000004a5e21 in GooHash::lookup (this=0x7fc350, key=0x0) at GooHash.cc:136

A possible solution is to verify that the returned value of getCollection is != NULL:
826	  if (((GfxCIDFont *)this)->getCollection() != NULL && (path = globalParams->findCCFontFile(
827					((GfxCIDFont *)this)->getCollection()))) {

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
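As an added illustration (not poppler's code; the FakeGooString, FakeCCFontMap and FakeCIDFont stand-ins and the sample collection name are assumptions), the call chain from the report reduced to a few lines, with the unguarded lookup next to the guarded form proposed above:

```cpp
// Added example: models GfxCIDFont::getCollection() -> GlobalParams::findCCFontFile()
// -> GooHash::lookup() -> GooString::getCString(), and where the NULL check belongs.
#include <cstring>
#include <map>
#include <string>

// Stand-in for GooString: calling getCString() through a NULL pointer is the crash site.
struct FakeGooString {
    std::string s;
    const char *getCString() const { return s.c_str(); }
};

// Stand-in for the GooHash that maps a CID collection name to a substitute font file.
struct FakeCCFontMap {
    std::map<std::string, std::string> entries;
    // Mirrors GooHash::lookup -> find -> hash: the key is dereferenced unconditionally.
    const char *lookup(const FakeGooString *key) const {
        auto it = entries.find(key->getCString());  // SIGSEGV here when key == nullptr
        return it == entries.end() ? nullptr : it->second.c_str();
    }
};

// Stand-in for GfxCIDFont: a malformed PDF can leave the collection unset (nullptr).
struct FakeCIDFont {
    const FakeGooString *collection;
    const FakeGooString *getCollection() const { return collection; }
};

// Unpatched GfxFont::locateFont logic: the collection pointer goes straight into the
// hash lookup. With a nullptr collection this is the crash from the report, so the
// test below only calls it with a valid collection.
const char *locateUnpatched(const FakeCIDFont &f, const FakeCCFontMap &m) {
    return m.lookup(f.getCollection());
}

// Patched logic, as proposed in the report: test getCollection() before the lookup.
const char *locatePatched(const FakeCIDFont &f, const FakeCCFontMap &m) {
    const FakeGooString *coll = f.getCollection();
    if (coll == nullptr) return nullptr;  // no collection: skip CID font substitution
    return m.lookup(coll);
}
```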
