Bug 103016 - NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc
Summary: NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All All
Importance: medium major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-28 02:00 UTC by Ziqiang Gu
Modified: 2017-10-12 22:56 UTC

See Also:


Attachments
POC file of the vulnerability (25.86 KB, application/pdf)
2017-09-28 02:00 UTC, Ziqiang Gu

Description Ziqiang Gu 2017-09-28 02:00:59 UTC
Created attachment 134518
POC file of the vulnerability

In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document. Attackers may exploit this vulnerability by persuading users to open crafted PDF files.

GDB trace is as follows:

gzq@ubuntu:~/fuzz/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftocairo
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftocairo...done.
(gdb) r -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf 
Starting program: /home/gzq/install/poppler-dev/bin/pdftocairo -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bogus memory allocation size

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>, in=<optimized out>, out=<optimized out>, length=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
5933		*inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>, in=<optimized out>, out=<optimized out>, length=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
#1  0x000000000042542b in CairoOutputDev::drawSoftMaskedImage (this=<optimized out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>, width=<optimized out>, height=<optimized out>, colorMap=0x14b, interpolate=<optimized out>, maskStr=<optimized out>, 
    maskWidth=<optimized out>, maskHeight=<optimized out>, maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/CairoOutputDev.cc:2717
#2  0x00007ffff72abd4c in Gfx::doImage (this=<optimized out>, ref=<optimized out>, str=<optimized out>, inlineImg=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4596
#3  0x00007ffff727444b in Gfx::opXObject (this=0x68fd00, args=<optimized out>, numArgs=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4173
#4  0x00007ffff7295587 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:886
#5  0x00007ffff729391d in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:750
#6  0x00007ffff7292fb5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:712
#7  0x00007ffff73a347e in Page::displaySlice (this=<optimized out>, out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=-1, sliceY=<optimized out>, sliceW=<optimized out>, 
    sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/gzq/work/sourcecode/poppler/poppler/Page.cc:560
#8  0x00007ffff73b0641 in PDFDoc::displayPageSlice (this=0x68bd00, out=0x68cdb0, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=false, crop=false, printing=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, 
    sliceW=<optimized out>, sliceH=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/gzq/work/sourcecode/poppler/poppler/PDFDoc.cc:517
#9  0x0000000000411e8d in renderPage (doc=0x68bd00, cairoOut=<optimized out>, pg=<optimized out>, page_w=<optimized out>, page_h=<optimized out>, output_w=<optimized out>, output_h=<optimized out>) at /home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:728
#10 main (argc=<optimized out>, argv=<optimized out>) at /home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:1268
(gdb)

The POC file has been attached to reproduce this issue.
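The crash site in the trace above, modelled as an added example for illustration; this is not poppler's code, not the reporter's, and not the change that closed this bug. It puts together the three things the report shows: a lookup table whose size is derived from image parameters under the document's control, an allocation helper that prints "Bogus memory allocation size" and returns NULL instead of aborting, and a line-conversion loop in the shape of the statement at GfxState.cc:5933 that indexes byte_lookup without checking that the table exists. The hardened form refuses the conversion when the table was never allocated. The field names nComps and byte_lookup come from the backtrace; checkedMallocN, GrayColorMap, initColorMap, freeColorMap, getGrayLineUnchecked, getGrayLineChecked and the identity-ramp table contents are assumptions made for this example.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Simplified model of the crash pattern in this report, NOT poppler's code.
// Names other than nComps / byte_lookup are assumptions for this example.

// Allocation helper that refuses an n*size request that would overflow
// size_t and returns NULL instead of aborting; the message it prints
// mirrors the one that precedes the SIGSEGV in the report.
static void *checkedMallocN(size_t n, size_t size) {
    if (size == 0 || n > SIZE_MAX / size) {
        std::fprintf(stderr, "Bogus memory allocation size\n");
        return nullptr;
    }
    return std::malloc(n * size);
}

// Per-component byte lookup table: entry [v * nComps + j] maps sample
// value v of component j. byte_lookup stays NULL if allocation failed.
struct GrayColorMap {
    int nComps;
    unsigned char *byte_lookup;
};

// The table size is derived from image parameters under the document's
// control; an absurd component count makes the allocation fail.
static bool initColorMap(GrayColorMap &cm, size_t nComps) {
    cm.nComps = nComps > (size_t)INT_MAX ? INT_MAX : (int)nComps;
    cm.byte_lookup = (unsigned char *)checkedMallocN(nComps, 256);
    if (cm.byte_lookup == nullptr)
        return false;
    // Constructed identity ramp so the conversion below is easy to check.
    for (size_t j = 0; j < nComps; j++)
        for (size_t v = 0; v < 256; v++)
            cm.byte_lookup[v * nComps + j] = (unsigned char)v;
    return true;
}

static void freeColorMap(GrayColorMap &cm) {
    std::free(cm.byte_lookup);
    cm.byte_lookup = nullptr;
}

// "Before" shape: indexes byte_lookup the way the crashing loop does, with
// no check that the table exists. Called with a map whose allocation failed
// it dereferences NULL. Kept for comparison only; main() does not call it.
static void getGrayLineUnchecked(const GrayColorMap &cm, unsigned char *in,
                                 unsigned char *out, int length) {
    unsigned char *inp = in;
    for (int i = 0; i < length; i++) {
        unsigned sum = 0;
        for (int j = 0; j < cm.nComps; j++) {
            *inp = cm.byte_lookup[*inp * cm.nComps + j];  // NULL deref if table missing
            sum += *inp++;
        }
        out[i] = (unsigned char)(sum / cm.nComps);
    }
}

// Hardened shape: refuse to convert when the table was never allocated (or
// the map is otherwise inconsistent) instead of reading through NULL, and
// return false so the caller can abandon this image cleanly.
static bool getGrayLineChecked(const GrayColorMap &cm, const unsigned char *in,
                               unsigned char *out, int length) {
    if (cm.byte_lookup == nullptr || cm.nComps <= 0 || length < 0)
        return false;
    for (int i = 0; i < length; i++) {
        unsigned sum = 0;
        for (int j = 0; j < cm.nComps; j++) {
            unsigned char v = in[i * cm.nComps + j];
            sum += cm.byte_lookup[v * cm.nComps + j];
        }
        out[i] = (unsigned char)(sum / cm.nComps);  // mean of the mapped components
    }
    return true;
}

int main() {
    unsigned char in[3] = {0, 128, 255}, out[3] = {0, 0, 0};

    GrayColorMap bad = {0, nullptr};
    bool ok = initColorMap(bad, SIZE_MAX / 2);  // bogus size -> NULL table
    std::printf("init with bogus size: %s\n", ok ? "ok" : "failed");
    std::printf("checked convert on NULL table: %s\n",
                getGrayLineChecked(bad, in, out, 3) ? "ok" : "refused");

    GrayColorMap good = {0, nullptr};
    if (initColorMap(good, 1) && getGrayLineChecked(good, in, out, 3))
        std::printf("gray line: %u %u %u\n", out[0], out[1], out[2]);
    freeColorMap(good);
    return 0;
}
```

The point of the checked variant is that the NULL table is caught at the point of use, so a renderer driving it (the equivalent of the drawSoftMaskedImage frame in the backtrace) gets a failure it can handle rather than a SIGSEGV; validating the image parameters before computing the table size is the complementary check, and both belong in a real fix.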

