Bug 101523 - NULL pointer dereference in GooString.cc:867
Summary: NULL pointer dereference in GooString.cc:867
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-20 16:53 UTC by foca@salesforce.com
Modified: 2017-06-20 21:38 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Proof of concept (16.54 KB, application/pdf)
2017-06-20 16:53 UTC, foca@salesforce.com
Details

Note You need to log in before you can comment on or make changes to this bug.
Description foca@salesforce.com 2017-06-20 16:53:38 UTC
Created attachment 132093 [details]
Proof of concept

There is a NULL dereference parsing the attached PoC.pdf.

The NULL dereference happens in GooString.cc:867
863	int GooString::cmp(const char *sA) const {
864	  int n1, i, x;
865	  const char *p1, *p2;
866	
867	  n1 = length;

"this" is NULL so this->n1 at 867 generates the SIGSEGV. The reason this is null is because the previous function GfxCIDFont::getCodeToGIDMap in GfxFont.cc:2375 calls a method of a NULL object:

2373	  *mapsizep = 0;
2374	  if (!ctu) return NULL;
2375	  if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
2376	  if (getEmbeddedFontID(&embID)) {


Parsing the PoC.pdf getCollection() returns NULL but the method cmp is called.

The solution should be check for the return value before call cmp:
2375	  if (getCollection() == NULL || getCollection()->cmp("Adobe-Identity") == 0) return NULL;

PoC attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.