Bug 101525 - NULL pointer dereference in JBIG2Stream.cc:689
Summary: NULL pointer dereference in JBIG2Stream.cc:689
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
 
Reported: 2017-06-20 17:37 UTC by foca@salesforce.com
Modified: 2017-06-20 21:51 UTC
Attachments
Proof of concept (1.08 KB, application/pdf)
2017-06-20 17:37 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-20 17:37:29 UTC
Created attachment 132095
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:689:

688	    { return (x < 0 || x >= w || y < 0 || y >= h) ? 0 :
689	             (data[y * line + (x >> 3)] >> (7 - (x & 7))) & 1; }

When parsing the attached PoC.pdf, the variable data is NULL and the NULL pointer dereference happens.

This function is called from JBIG2Bitmap::getSlice:
759	JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
760	  JBIG2Bitmap *slice;
761	  Guint xx, yy;
762	
763	  slice = new JBIG2Bitmap(0, wA, hA);
764	  if (slice->isOk()) {
765	    slice->clearToZero();
766	    for (yy = 0; yy < hA; ++yy) {
767	      for (xx = 0; xx < wA; ++xx) {
768	        if (getPixel(x + xx, y + yy)) {

The problem is that this->data is NULL but slice->data is valid because it was created with valid wA and hA values. Then slice->isOk() returns true, and this->data is used inside getPixel.

A solution could be to check for data != NULL at line 764:
764	  if (data != NULL && slice->isOk()) {

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
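
The failure mode described in the report, as an added example that is not poppler's code: a cut-down stand-in for JBIG2Bitmap whose constructor, like poppler's, leaves data == NULL on an overflowing width/height while keeping the requested w and h, so getPixel passes its bounds check and then dereferences NULL. getSliceVulnerable has the shape of the getSlice quoted above (only the new slice is validated); getSlice carries the data != NULL check the report proposes for line 764. The class name, the helper functions and the sample dimensions are assumptions for illustration.

```cpp
// Added example, modelled on JBIG2Stream.cc but not poppler's code.
#include <climits>
#include <cstdint>
#include <cstdlib>

class Bitmap {
public:
  // Like poppler's JBIG2Bitmap constructor (simplified, an assumption): an
  // overflowing size leaves data == NULL, but w and h keep the requested values.
  Bitmap(int wA, int hA) : w(wA), h(hA), line(0), data(NULL) {
    if (w <= 0 || h <= 0 || w > INT_MAX - 7) return;   // data stays NULL
    line = (w + 7) >> 3;
    if (h >= (INT_MAX - 1) / line) return;            // data stays NULL
    data = (uint8_t *)calloc((size_t)h * line + 1, 1);
  }
  ~Bitmap() { free(data); }

  bool isOk() const { return data != NULL; }
  int getWidth() const { return w; }
  int getHeight() const { return h; }

  void setPixel(int x, int y) {
    if (x < 0 || x >= w || y < 0 || y >= h || data == NULL) return;
    data[y * line + (x >> 3)] |= (uint8_t)(0x80 >> (x & 7));
  }

  // Same expression as JBIG2Stream.cc:688-689: x/y are range-checked, data is not.
  int getPixel(int x, int y) const {
    return (x < 0 || x >= w || y < 0 || y >= h) ? 0 :
           (data[y * line + (x >> 3)] >> (7 - (x & 7))) & 1;
  }

  // Shape of the reported getSlice(): only the freshly allocated slice is
  // validated, so a source bitmap with data == NULL is read through getPixel().
  // Deliberately left unguarded and never called below.
  Bitmap *getSliceVulnerable(int x, int y, int wA, int hA) const {
    Bitmap *slice = new Bitmap(wA, hA);
    if (slice->isOk()) {
      for (int yy = 0; yy < hA; ++yy)
        for (int xx = 0; xx < wA; ++xx)
          if (getPixel(x + xx, y + yy))   // NULL dereference when data == NULL
            slice->setPixel(xx, yy);
    }
    return slice;
  }

  // The check the report proposes for line 764: also require the source
  // buffer before copying. An unusable source yields an all-zero slice.
  Bitmap *getSlice(int x, int y, int wA, int hA) const {
    Bitmap *slice = new Bitmap(wA, hA);
    if (data != NULL && slice->isOk()) {
      for (int yy = 0; yy < hA; ++yy)
        for (int xx = 0; xx < wA; ++xx)
          if (getPixel(x + xx, y + yy))
            slice->setPixel(xx, yy);
    }
    return slice;
  }

private:
  int w, h, line;
  uint8_t *data;
};

// Healthy source: the slice window (4,1)-(11,2) must pick up the two set
// pixels at (5,1) and (9,2) as slice pixels (1,0) and (5,1). Returns 3.
int sliceCopiesPixels() {
  Bitmap src(16, 4);
  src.setPixel(5, 1);
  src.setPixel(9, 2);
  Bitmap *s = src.getSlice(4, 1, 8, 2);
  int got = s->getPixel(1, 0) + s->getPixel(5, 1) * 2 + s->getPixel(0, 0) * 4;
  delete s;
  return got;
}

// Source in the PoC's state: w = 8, h = INT_MAX, allocation refused, data == NULL.
// getSliceVulnerable() would crash here; getSlice() returns a zeroed slice. Returns 1.
int sliceFromBrokenSource() {
  Bitmap src(8, INT_MAX);
  if (src.isOk()) return -1;
  Bitmap *s = src.getSlice(0, 0, 8, 2);
  int ok = (s->isOk() && s->getPixel(3, 1) == 0) ? 1 : 0;
  delete s;
  return ok;
}
```

The second scenario is the interesting one: isOk() on the source would have caught the bad buffer, but the quoted getSlice only asks the new slice, so any caller that hands a failed bitmap to getSlice reaches the unguarded read in getPixel.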

