Created attachment 132094
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:1316:

1311     n = (int)(dataEnd - dataPtr);
1312   } else {
1313     n = nChars;
1314   }
1315   for (i = 0; i < n; ++i) {
1316     buffer[i] = *dataPtr++ ^ 0xff; //NULL dereference
1317   }
1318   return n;
1319 }

dataPtr is NULL. dataPtr is set at:

1235 void JBIG2Stream::reset() {
....
1258   if (pageBitmap) {
1259     dataPtr = pageBitmap->getDataPtr();
1260     dataEnd = dataPtr + pageBitmap->getDataSize();
1261   } else {

But in some scenarios pageBitmap->getDataPtr() returns NULL, and there is no check to deal with that case.

A PoC is attached. To reproduce the bug use:

pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
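An added example, not poppler's code and not part of the report: a small C++ model of the reset()/getChars() logic quoted above with the missing NULL check in place, so a page bitmap that has no backing buffer yields zero bytes instead of a crash. FakeBitmap, FakeStream, readFromBitmap and firstInvertedByte are stand-ins, and placing the guard in both reset() and getChars() is an assumption about a fix, not poppler's actual patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for JBIG2Bitmap (assumption): getDataPtr() returns nullptr when the
// page bitmap could not be allocated, the situation the report describes.
struct FakeBitmap {
    std::vector<uint8_t> data;
    bool allocated;
    FakeBitmap(size_t size, bool ok) : data(ok ? size : 0), allocated(ok) {}
    uint8_t *getDataPtr() { return allocated ? data.data() : nullptr; }
    size_t getDataSize() const { return allocated ? data.size() : 0; }
};

struct FakeStream {
    FakeBitmap *pageBitmap = nullptr;
    uint8_t *dataPtr = nullptr;
    uint8_t *dataEnd = nullptr;

    // Mirrors the quoted reset() but treats a bitmap whose data pointer is
    // NULL exactly like a missing bitmap, so dataPtr/dataEnd stay consistent.
    void reset() {
        uint8_t *p = pageBitmap ? pageBitmap->getDataPtr() : nullptr;
        if (p) {
            dataPtr = p;
            dataEnd = p + pageBitmap->getDataSize();
        } else {
            dataPtr = dataEnd = nullptr;
        }
    }

    // Mirrors getChars(): copies up to nChars inverted bytes. A second guard
    // here returns 0 rather than dereferencing a NULL dataPtr.
    int getChars(int nChars, char *buffer) {
        if (!dataPtr || dataEnd <= dataPtr) return 0;
        int n = (int)(dataEnd - dataPtr);
        if (nChars < n) n = nChars;
        for (int i = 0; i < n; ++i) buffer[i] = (char)(*dataPtr++ ^ 0xff);
        return n;
    }
};

static char g_out[16];  // constructed output buffer for the helpers below

// Runs reset()+getChars() against a 4-byte bitmap that may lack its buffer;
// returns the number of bytes produced (0 for the NULL-pointer case).
int readFromBitmap(bool allocated, int want) {
    FakeBitmap bm(4, allocated);
    FakeStream s;
    s.pageBitmap = &bm;
    s.reset();
    return s.getChars(want, g_out);
}

// First byte written by the last readFromBitmap() call, as an unsigned value.
int firstInvertedByte() { return (unsigned char)g_out[0]; }
```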