Created attachment 132095
Proof of concept

There is a NULL pointer dereference in JBIG2Stream.cc:689:

  688   { return (x < 0 || x >= w || y < 0 || y >= h) ? 0 :
  689       (data[y * line + (x >> 3)] >> (7 - (x & 7))) & 1; }

Parsing the attached PoC.pdf, the variable data is NULL and the NULL pointer dereference happens. This function is called from JBIG2Bitmap::getSlice:

  759 JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
  760   JBIG2Bitmap *slice;
  761   Guint xx, yy;
  762 
  763   slice = new JBIG2Bitmap(0, wA, hA);
  764   if (slice->isOk()) {
  765     slice->clearToZero();
  766     for (yy = 0; yy < hA; ++yy) {
  767       for (xx = 0; xx < wA; ++xx) {
  768         if (getPixel(x + xx, y + yy)) {

The problem is that this->data is NULL but slice->data is valid because it was created with valid wA and hA values. Then slice->isOk() returns true, and this->data is used inside getPixel.

A solution could be to check for data != NULL at line 764:

  764   if (data != NULL && slice->isOk()) {

A PoC is attached. To reproduce the bug use:

  pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
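Added example, written for this page and not poppler's code: a cut-down stand-in for JBIG2Bitmap that reproduces the state the report describes (w and h positive, data NULL) and puts the suggested data != NULL check beside the unchecked getSlice. The Bitmap class, the kMaxBytes limit that leaves data NULL, getSliceUnchecked and the two helper functions are assumptions made for illustration; only the member and method names follow the report, and x/y are unsigned here so the x < 0 / y < 0 tests of the original are dropped.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>

typedef unsigned int Guint;

// Assumed limit, for illustration only: a bitmap that would need more bytes
// than this is "rejected" and left with data == NULL. The real parser's
// reason for a NULL buffer is not shown in the report.
const size_t kMaxBytes = 1u << 20;

class Bitmap {
public:
    // w and h are recorded before the buffer exists, so a rejected size
    // yields a bitmap with w, h > 0 and data == NULL: the in-range checks in
    // getPixel() pass and data[] is dereferenced through NULL.
    Bitmap(Guint wA, Guint hA)
        : w(wA), h(hA), line((wA + 7) >> 3), data(NULL) {
        if (w == 0 || h == 0 || (size_t)line * h > kMaxBytes)
            return;
        data = (unsigned char *)calloc((size_t)line * h, 1);  // zeroed
    }
    ~Bitmap() { free(data); }

    bool isOk() const { return data != NULL; }

    void setPixel(Guint x, Guint y) {
        if (data != NULL && x < w && y < h)
            data[y * line + (x >> 3)] |= 0x80 >> (x & 7);
    }

    // Same shape as JBIG2Stream.cc:688-689: bounds are checked, data is not.
    int getPixel(Guint x, Guint y) const {
        return (x >= w || y >= h) ? 0
               : (data[y * line + (x >> 3)] >> (7 - (x & 7))) & 1;
    }

    // Vulnerable shape from the report: slice->isOk() says nothing about
    // this->data, so getPixel() runs against a NULL buffer.
    Bitmap *getSliceUnchecked(Guint x, Guint y, Guint wA, Guint hA) const {
        Bitmap *slice = new Bitmap(wA, hA);
        if (slice->isOk())
            copyInto(slice, x, y, wA, hA);
        return slice;
    }

    // Check suggested in the report, applied at the call site: never read
    // from a source bitmap whose own buffer was never allocated.
    Bitmap *getSlice(Guint x, Guint y, Guint wA, Guint hA) const {
        Bitmap *slice = new Bitmap(wA, hA);
        if (data != NULL && slice->isOk())
            copyInto(slice, x, y, wA, hA);
        return slice;
    }

private:
    void copyInto(Bitmap *slice, Guint x, Guint y, Guint wA, Guint hA) const {
        for (Guint yy = 0; yy < hA; ++yy)
            for (Guint xx = 0; xx < wA; ++xx)
                if (getPixel(x + xx, y + yy))
                    slice->setPixel(xx, yy);
    }

    Guint w, h, line;
    unsigned char *data;
};

// Sanity check on a valid bitmap: a set pixel survives slicing. Returns 1.
int slice_copies_pixel(void) {
    Bitmap bm(32, 32);
    bm.setPixel(10, 5);
    Bitmap *s = bm.getSlice(8, 4, 8, 8);
    int v = s->getPixel(2, 1);  // (10 - 8, 5 - 4)
    delete s;
    return v;
}

// Builds a bitmap the constructor rejects (8192x8192 needs 8 MiB > kMaxBytes),
// so data == NULL while w, h stay positive, then checks that the hardened
// getSlice() hands back an all-zero slice without touching the NULL buffer.
bool hardened_slice_is_zero(void) {
    Bitmap big(8192, 8192);
    if (big.isOk()) return false;
    Bitmap *slice = big.getSlice(0, 0, 16, 16);
    bool ok = slice->isOk();
    for (Guint yy = 0; yy < 16 && ok; ++yy)
        for (Guint xx = 0; xx < 16; ++xx)
            if (slice->getPixel(xx, yy)) ok = false;
    delete slice;
    return ok;
}

int main(int argc, char **argv) {
    printf("valid bitmap: slice copies pixel = %d\n", slice_copies_pixel());
    printf("NULL-data bitmap, hardened getSlice gives zero slice: %s\n",
           hardened_slice_is_zero() ? "yes" : "no");
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        // The unchecked path from the report: dereferences NULL (SIGSEGV).
        Bitmap big(8192, 8192);
        delete big.getSliceUnchecked(0, 0, 16, 16);
    }
    return 0;
}
```

Build with g++ and run it with no arguments to see the checked path; run it with --crash to take the unchecked getSlice through getPixel() on the NULL buffer and reproduce the fault. Putting the check at line 764 protects this caller only; a data == NULL test inside getPixel() itself would cover every caller of the accessor at the cost of one extra compare per pixel, which is the trade-off a fix should weigh.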