Created attachment 134397
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler 0.59.0, JPEG2000Stream.cc, JPXStream::init(), which may lead to a potential attack when handling crafted PDF files:

gzq@ubuntu:~/mal$ /home/gzq/install/poppler/bin/pdftohtml -q mal-jpeg2000.pdf .
Segmentation fault

gzq@ubuntu:~/mal$ gdb -q /home/gzq/install/poppler/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler/bin/pdftohtml...done.
(gdb) r -q mal-jpeg2000.pdf
Starting program: /home/gzq/install/poppler/bin/pdftohtml -q mal-jpeg2000.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555956134 in JPXStream::init (this=this@entry=0x555555d03aa0) at JPEG2000Stream.cc:229
229	  priv->npixels = priv->image->comps[0].w * priv->image->comps[0].h;

(gdb) bt
#0  0x0000555555956134 in JPXStream::init (this=this@entry=0x555555d03aa0) at JPEG2000Stream.cc:229
#1  0x0000555555957ce6 in JPXStream::getImageParams (this=0x555555d03aa0, bitsPerComponent=0x7fffffffd7b8, csMode=0x7fffffffd7bc) at JPEG2000Stream.cc:160
#2  0x00005555556dd507 in Gfx::doImage (this=this@entry=0x555555d00340, ref=ref@entry=0x7fffffffdea0, str=0x555555d03aa0, inlineImg=inlineImg@entry=false) at Gfx.cc:4191
#3  0x00005555556e45f2 in Gfx::opXObject (this=0x555555d00340, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:4130
#4  0x00005555556cd16b in Gfx::go (this=this@entry=0x555555d00340, topLevel=topLevel@entry=true) at Gfx.cc:744
#5  0x00005555556cf3cd in Gfx::display (this=this@entry=0x555555d00340, obj=obj@entry=0x7fffffffe250, topLevel=topLevel@entry=true) at Gfx.cc:706
#6  0x00005555557a8e7f in Page::displaySlice (this=0x555555d007f0, out=0x555555cfd600, out@entry=0x0, hDPI=108, hDPI@entry=4.6355706591866836e-310, vDPI=108, vDPI@entry=-nan(0xfffffffffffff), rotate=0, rotate@entry=-1, useMediaBox=useMediaBox@entry=255, crop=crop@entry=255, sliceX=sliceX@entry=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560
#7  0x00005555557a96c0 in Page::display (this=<optimized out>, out=out@entry=0x0, hDPI=hDPI@entry=4.6355706591866836e-310, vDPI=vDPI@entry=-nan(0xfffffffffffff), rotate=rotate@entry=-1, useMediaBox=useMediaBox@entry=255, crop=crop@entry=255, printing=printing@entry=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:483
#8  0x00005555557b7b87 in PDFDoc::displayPage (this=this@entry=0x555555cfce70, out=0x0, out@entry=0x555555cfd600, page=page@entry=1, hDPI=4.6355706591866836e-310, hDPI@entry=108, vDPI=-nan(0xfffffffffffff), vDPI@entry=108, rotate=-1, rotate@entry=0, useMediaBox=useMediaBox@entry=true, crop=crop@entry=false, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:488
#9  0x00005555557b7d57 in PDFDoc::displayPages (this=0x555555cfce70, out=0x555555cfd600, firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:504
#10 0x00005555555b2a51 in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:390

(gdb) print priv
$1 = (JPXStreamPrivate *) 0x555555d03af0
(gdb) print priv->image
$2 = (opj_image_t *) 0x555555d04d70
(gdb) print priv->image->comps[0]
Cannot access memory at address 0x0
(gdb) print *priv->image
$3 = {x0 = 0, y0 = 0, x1 = 0, y1 = 0, numcomps = 0, color_space = CLRSPC_UNSPECIFIED, comps = 0x0, icc_profile_buf = 0x0, icc_profile_len = 0}
(gdb)

The crafted PDF file has been attached to help reproduce the issue.
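The gdb state above ($3) shows why line 229 faults: the decoder handed back an opj_image_t with numcomps == 0 and comps == NULL, and JPXStream::init() reads comps[0].w without first checking that any component exists. The following is an added example, not poppler's or OpenJPEG's code, showing the unchecked computation next to a hardened version that rejects an empty component array and a w*h product that would not fit the destination field. The image_comp_t / image_t structs are assumed stand-ins carrying only the fields the check needs; they are not OpenJPEG's real definitions, and the sample images are constructed to mirror the state printed by gdb.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for OpenJPEG's opj_image_comp_t / opj_image_t:
 * only the fields consulted by the npixels computation are modelled. */
typedef struct {
    uint32_t w;   /* component width in pixels */
    uint32_t h;   /* component height in pixels */
} image_comp_t;

typedef struct {
    uint32_t numcomps;     /* number of entries in comps */
    image_comp_t *comps;   /* NULL when numcomps == 0, as in the gdb dump */
} image_t;

/* Shape of the vulnerable statement at JPEG2000Stream.cc:229.
 * Dereferences comps[0] unconditionally; faults when comps == NULL. */
static uint64_t npixels_unchecked(const image_t *img)
{
    return (uint64_t)img->comps[0].w * img->comps[0].h;
}

/* Hardened version: *ok is set to 1 and the pixel count returned only if
 * the image has at least one component, the component array is present,
 * and w*h fits the (assumed 32-bit) destination field. Otherwise *ok is 0
 * and 0 is returned so the caller can abort decoding. */
static uint32_t npixels_checked(const image_t *img, int *ok)
{
    *ok = 0;
    if (img == NULL || img->comps == NULL || img->numcomps == 0)
        return 0;                          /* the crafted-file case */
    uint64_t n = (uint64_t)img->comps[0].w * img->comps[0].h;
    if (n > UINT32_MAX)
        return 0;                          /* product would overflow npixels */
    *ok = 1;
    return (uint32_t)n;
}

/* Constructed input reproducing the $3 state: no components, NULL array. */
static image_t empty_image(void)
{
    image_t img = { 0, NULL };
    return img;
}

/* Constructed well-formed single-component image. */
static image_comp_t sane_comps[1] = { { 640, 480 } };
static image_t sane_image(void)
{
    image_t img = { 1, sane_comps };
    return img;
}

/* Constructed image whose w*h (2^32) does not fit a 32-bit npixels. */
static image_comp_t huge_comps[1] = { { 65536, 65536 } };
static image_t huge_image(void)
{
    image_t img = { 1, huge_comps };
    return img;
}

int main(void)
{
    int ok;
    image_t e = empty_image(), s = sane_image(), h = huge_image();

    /* npixels_unchecked(&e) would segfault exactly like pdftohtml above. */
    printf("sane (unchecked): %llu\n", (unsigned long long)npixels_unchecked(&s));

    uint32_t n = npixels_checked(&e, &ok);
    printf("empty: ok=%d npixels=%u\n", ok, n);
    n = npixels_checked(&s, &ok);
    printf("sane:  ok=%d npixels=%u\n", ok, n);
    n = npixels_checked(&h, &ok);
    printf("huge:  ok=%d npixels=%u\n", ok, n);
    return 0;
}
```

The check belongs immediately after the decode call that fills in the image, before any field of comps is touched; rejecting numcomps == 0 there turns the crash into a clean decode failure for the attached file.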
Please use openjpeg2 and not openjpeg1; we're removing openjpeg1 support in December, and I can't reproduce this problem with openjpeg2.