Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to crash. It triggers a NULL pointer dereference in JBIG2Bitmap::getSlice / JBIG2Bitmap::clearToZero.
More details copy-n-pasted from:
JBIG2Bitmap::getSlice() gets called with large values in its wA/hA arguments.
It calls the JBIG2Bitmap::JBIG2Bitmap() constructor,
which contains protection against integer overflow / under-allocation of the
data buffer, and leaves data set to NULL if integer overflow is detected.
JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which
does memset(data, ...) without checking data, resulting in a NULL pointer dereference crash.
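As an added illustration (not poppler's code), a minimal C++ stand-in for the pattern described above: a constructor that refuses an overflowing size and leaves `data` NULL, the unchecked clear that dereferences it, and the hardened clear plus a caller that treats the refused allocation as a failed slice. The names `Bitmap`, `getSlice` and `sliceOk` are assumptions.

```cpp
#include <climits>
#include <cstdlib>
#include <cstring>

// Minimal stand-in for a JBIG2-style bitmap (illustrative, not poppler's code).
struct Bitmap {
    int w, h;
    int lineBytes;
    unsigned char *data;   // stays nullptr when the allocation is refused

    Bitmap(int wA, int hA) : w(wA), h(hA), lineBytes(0), data(nullptr) {
        // Refuse sizes that would overflow the byte count or under-allocate.
        if (wA <= 0 || hA <= 0 || wA > INT_MAX - 7) return;
        lineBytes = (wA + 7) >> 3;
        if (hA > INT_MAX / lineBytes) return;
        data = (unsigned char *)std::malloc((size_t)lineBytes * hA);
    }
    ~Bitmap() { std::free(data); }

    // Unchecked variant: mirrors the crash path in the report
    // (memset on a NULL buffer when the constructor refused the size).
    void clearToZeroUnchecked() {
        std::memset(data, 0, (size_t)lineBytes * h);
    }
    // Hardened variant: a refused allocation means there is nothing to clear.
    bool clearToZero() {
        if (!data) return false;
        std::memset(data, 0, (size_t)lineBytes * h);
        return true;
    }
};

// getSlice-style caller: propagate the failure instead of touching the buffer.
// Returns nullptr when the requested slice was refused by the constructor.
Bitmap *getSlice(int wA, int hA) {
    Bitmap *slice = new Bitmap(wA, hA);
    if (!slice->clearToZero()) { delete slice; return nullptr; }
    return slice;
}

// Helper for checking the outcome: true when a slice could be built and cleared.
bool sliceOk(int wA, int hA) {
    Bitmap *s = getSlice(wA, hA);
    bool ok = (s != nullptr);
    delete s;
    return ok;
}
```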
Created attachment 35749
Fixed in 30ea3ab