Bug 101524 - NULL pointer dereference at JBIG2Stream.cc:1316
Summary: NULL pointer dereference at JBIG2Stream.cc:1316
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-20 17:02 UTC by foca@salesforce.com
Modified: 2017-06-20 21:43 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Proof of concept (4.86 KB, application/pdf)
2017-06-20 17:02 UTC, foca@salesforce.com
Details

Description foca@salesforce.com 2017-06-20 17:02:01 UTC
Created attachment 132094 [details]
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:1316:

1311	    n = (int)(dataEnd - dataPtr);
1312	  } else {
1313	    n = nChars;
1314	  }
1315	  for (i = 0; i < n; ++i) {
1316	    buffer[i] = *dataPtr++ ^ 0xff;  //NULL dereference
1317	  }
1318	  return n;
1319	}

dataPtr is NULL. dataPtr is set at:

1235 void JBIG2Stream::reset() {
....
1258   if (pageBitmap) {
1259     dataPtr = pageBitmap->getDataPtr();
1260     dataEnd = dataPtr + pageBitmap->getDataSize();
1261   } else {

But in some scenarios pageBitmap->getDataPtr() returns NULL. And there is no check to deal with that case.

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.