Created attachment 134397 [details]
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler 0.59.0 JPEG2000Stream.cc JPXStream::init() which may lead to potential attack when handling crafted PDF files:

gzq@ubuntu:~/mal$ /home/gzq/install/poppler/bin/pdftohtml -q mal-jpeg2000.pdf .
Segmentation fault

gzq@ubuntu:~/mal$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q mal-jpeg2000.pdf 
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q mal-jpeg2000.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555956134 in JPXStream::init (this=this@entry=0x555555d03aa0) at JPEG2000Stream.cc:229
229	    priv->npixels = priv->image->comps[0].w * priv->image->comps[0].h;
(gdb) bt
#0  0x0000555555956134 in JPXStream::init (this=this@entry=0x555555d03aa0) at JPEG2000Stream.cc:229
#1  0x0000555555957ce6 in JPXStream::getImageParams (this=0x555555d03aa0, bitsPerComponent=0x7fffffffd7b8, csMode=0x7fffffffd7bc) at JPEG2000Stream.cc:160
#2  0x00005555556dd507 in Gfx::doImage (this=this@entry=0x555555d00340, ref=ref@entry=0x7fffffffdea0, str=0x555555d03aa0, inlineImg=inlineImg@entry=false) at Gfx.cc:4191
#3  0x00005555556e45f2 in Gfx::opXObject (this=0x555555d00340, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:4130
#4  0x00005555556cd16b in Gfx::go (this=this@entry=0x555555d00340, topLevel=topLevel@entry=true) at Gfx.cc:744
#5  0x00005555556cf3cd in Gfx::display (this=this@entry=0x555555d00340, obj=obj@entry=0x7fffffffe250, topLevel=topLevel@entry=true) at Gfx.cc:706
#6  0x00005555557a8e7f in Page::displaySlice (this=0x555555d007f0, out=0x555555cfd600, out@entry=0x0, hDPI=108, hDPI@entry=4.6355706591866836e-310, vDPI=108, vDPI@entry=-nan(0xfffffffffffff), rotate=0, rotate@entry=-1, useMediaBox=useMediaBox@entry=255, 
    crop=crop@entry=255, sliceX=sliceX@entry=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560
#7  0x00005555557a96c0 in Page::display (this=<optimized out>, out=out@entry=0x0, hDPI=hDPI@entry=4.6355706591866836e-310, vDPI=vDPI@entry=-nan(0xfffffffffffff), rotate=rotate@entry=-1, useMediaBox=useMediaBox@entry=255, crop=crop@entry=255, 
    printing=printing@entry=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:483
#8  0x00005555557b7b87 in PDFDoc::displayPage (this=this@entry=0x555555cfce70, out=0x0, out@entry=0x555555cfd600, page=page@entry=1, hDPI=4.6355706591866836e-310, hDPI@entry=108, vDPI=-nan(0xfffffffffffff), vDPI@entry=108, rotate=-1, rotate@entry=0, 
    useMediaBox=useMediaBox@entry=true, crop=crop@entry=false, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:488
#9  0x00005555557b7d57 in PDFDoc::displayPages (this=0x555555cfce70, out=0x555555cfd600, firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0) at PDFDoc.cc:504
#10 0x00005555555b2a51 in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:390
(gdb) print priv
$1 = (JPXStreamPrivate *) 0x555555d03af0
(gdb) print priv->image
$2 = (opj_image_t *) 0x555555d04d70
(gdb) print priv->image->comps[0]
Cannot access memory at address 0x0
(gdb) print *priv->image
$3 = {x0 = 0, y0 = 0, x1 = 0, y1 = 0, numcomps = 0, color_space = CLRSPC_UNSPECIFIED, comps = 0x0, icc_profile_buf = 0x0, icc_profile_len = 0}
(gdb) 

The crafted pdf file has been attached to help to reproduce the issue.