Created attachment 132093 [details]
Proof of concept

There is a NULL dereference when parsing the attached PoC.pdf. The NULL dereference happens in GooString.cc:867:

    863 int GooString::cmp(const char *sA) const {
    864   int n1, i, x;
    865   const char *p1, *p2;
    866
    867   n1 = length;

"this" is NULL, so the read of "length" at line 867 (n1 = length) generates the SIGSEGV. The reason it is NULL is that the calling function, GfxCIDFont::getCodeToGIDMap in GfxFont.cc:2375, calls a method on a NULL object:

    2373   *mapsizep = 0;
    2374   if (!ctu) return NULL;
    2375   if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
    2376   if (getEmbeddedFontID(&embID)) {

While parsing the PoC.pdf, getCollection() returns NULL, but the method cmp is still called on it. The solution should be to check the return value before calling cmp:

    2375   if (getCollection() == NULL || getCollection()->cmp("Adobe-Identity") == 0) return NULL;

PoC attached. To reproduce the bug use:

    pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
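Reduced model of the fault and of the proposed check, written as an added example for this report (it is not poppler's code): the GooString and CIDFont stand-ins, the field names and the "map" return marker are all assumptions made to keep it self-contained.

```cpp
// Added example, not poppler's own code: a reduced model of the
// GfxCIDFont::getCodeToGIDMap NULL dereference and the fix proposed above.
#include <cstddef>
#include <cstring>
#include <string>

// Stand-in for poppler's GooString: cmp() reads a member of *this first,
// so calling it through a NULL pointer faults exactly as described.
struct GooString {
    std::string s;
    int cmp(const char *sA) const { return std::strcmp(s.c_str(), sA); }
};

// Stand-in for the CID font. The collection pointer models getCollection()
// returning NULL for a malformed font dictionary (field names are assumed).
struct CIDFont {
    const GooString *collection = nullptr;  // hypothetical field
    bool hasCMap = true;                    // stands in for `ctu`
    const GooString *getCollection() const { return collection; }
};

// Before the fix: dereferences getCollection() without checking it.
// A non-NULL marker stands in for the real code-to-GID map.
const char *getCodeToGIDMapBuggy(const CIDFont &f, int *mapsizep) {
    *mapsizep = 0;
    if (!f.hasCMap) return nullptr;
    if (f.getCollection()->cmp("Adobe-Identity") == 0) return nullptr;  // faults when NULL
    *mapsizep = 1;
    return "map";
}

// After the fix: bail out when there is no collection, as the report proposes,
// so a missing CIDSystemInfo degrades to "no map" instead of a SIGSEGV.
const char *getCodeToGIDMapFixed(const CIDFont &f, int *mapsizep) {
    *mapsizep = 0;
    if (!f.hasCMap) return nullptr;
    const GooString *coll = f.getCollection();
    if (coll == nullptr || coll->cmp("Adobe-Identity") == 0) return nullptr;
    *mapsizep = 1;
    return "map";
}
```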