101524 – NULL pointer dereference at JBIG2Stream.cc:1316

Bug 101524 - NULL pointer dereference at JBIG2Stream.cc:1316

Summary: NULL pointer dereference at JBIG2Stream.cc:1316

Status:	RESOLVED FIXED

Alias:	None

Product:	poppler
Classification:	Unclassified
Component:	general (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	poppler-bugs
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-06-20 17:02 UTC by foca@salesforce.com
Modified:	2017-06-20 21:43 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments
Proof of concept (4.86 KB, application/pdf) 2017-06-20 17:02 UTC, foca@salesforce.com	Details
View All

Description foca@salesforce.com 2017-06-20 17:02:01 UTC

Created attachment 132094 [details]
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:1316:

1311	    n = (int)(dataEnd - dataPtr);
1312	  } else {
1313	    n = nChars;
1314	  }
1315	  for (i = 0; i < n; ++i) {
1316	    buffer[i] = *dataPtr++ ^ 0xff;  //NULL dereference
1317	  }
1318	  return n;
1319	}

dataPtr is NULL. dataPtr is set at:

1235 void JBIG2Stream::reset() {
....
1258   if (pageBitmap) {
1259     dataPtr = pageBitmap->getDataPtr();
1260     dataEnd = dataPtr + pageBitmap->getDataSize();
1261   } else {

But in some scenarios pageBitmap->getDataPtr() returns NULL. And there is no check to deal with that case.

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.