Bug 28170 - poppler: JBIG2Bitmap::getSlice NULL pointer dereference
Summary: poppler: JBIG2Bitmap::getSlice NULL pointer dereference
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-19 02:20 UTC by Tomas Hoger
Modified: 2010-05-25 15:48 UTC

See Also:


Attachments
Reproducer (77.17 KB, application/pdf)
2010-05-19 02:21 UTC, Tomas Hoger

Description Tomas Hoger 2010-05-19 02:20:50 UTC
Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to crash.  It triggers a NULL pointer dereference in JBIG2Bitmap::getSlice / JBIG2Bitmap::clearToZero.

More details copy-n-pasted from:
  https://bugzilla.redhat.com/show_bug.cgi?id=580105#c16

JBIG2Bitmap::getSlice() gets called with large values in wA/hA arguments:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740

It calls JBIG2Bitmap::JBIG2Bitmap():

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700

which contains protection against integer overflow / under-allocation of the
data[] buffer, and leaves data set to NULL if integer overflow is detected.

JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which
does memset(data, ...), resulting in NULL pointer dereference crash.
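Added illustration (not poppler's code): a hypothetical Bitmap class with the same shape as the report describes. The constructor refuses dimensions whose row size or total size would overflow and leaves data null; clearToZeroUnchecked() is the pattern that crashed (memset on a possibly-null buffer), while clearToZero() and getSlice() show the check a caller needs before using the freshly constructed bitmap. All names (Bitmap, isOk, clearToZeroUnchecked) and the overflow thresholds are assumptions for this example, not poppler's actual code.

```cpp
#include <climits>
#include <cstddef>
#include <cstring>

// Hypothetical 1-bit-per-pixel bitmap (not poppler's JBIG2Bitmap). The
// constructor signals an oversized request by leaving data == nullptr, so
// every later method must treat a null data pointer as "allocation refused".
class Bitmap {
public:
    Bitmap(int wA, int hA) : w(wA), h(hA), line(0), data(nullptr) {
        // Reject non-positive sizes and widths whose rounding up to bytes would overflow.
        if (w <= 0 || h <= 0 || w > INT_MAX - 7) return;
        line = (w + 7) >> 3;                       // bytes per row
        // Reject heights for which h * line would overflow int (under-allocation).
        if (h >= (INT_MAX - 1) / line) return;
        data = new unsigned char[(size_t)h * line];
    }
    ~Bitmap() { delete[] data; }
    Bitmap(const Bitmap &) = delete;
    Bitmap &operator=(const Bitmap &) = delete;

    bool isOk() const { return data != nullptr; }
    int getWidth() const { return w; }
    int getHeight() const { return h; }

    // The pattern from the report: memset on a buffer that may be null.
    void clearToZeroUnchecked() { memset(data, 0, (size_t)h * line); }

    // Hardened form: report failure instead of dereferencing null.
    bool clearToZero() {
        if (!data) return false;
        memset(data, 0, (size_t)h * line);
        return true;
    }

    int getPixel(int x, int y) const {
        if (!data || x < 0 || x >= w || y < 0 || y >= h) return 0;
        return (data[(size_t)y * line + (x >> 3)] >> (7 - (x & 7))) & 1;
    }
    void setPixel(int x, int y, int v) {
        if (!data || x < 0 || x >= w || y < 0 || y >= h) return;
        unsigned char mask = (unsigned char)(0x80 >> (x & 7));
        unsigned char &b = data[(size_t)y * line + (x >> 3)];
        b = v ? (unsigned char)(b | mask) : (unsigned char)(b & ~mask);
    }

    // Hardened getSlice: verify the new bitmap before clearing or copying into it.
    // Returns nullptr when the constructor rejected the requested size.
    Bitmap *getSlice(int x, int y, int wA, int hA) const {
        Bitmap *slice = new Bitmap(wA, hA);
        if (!slice->isOk()) {            // the check the report says was missing
            delete slice;
            return nullptr;
        }
        slice->clearToZero();
        for (int yy = 0; yy < hA; ++yy)
            for (int xx = 0; xx < wA; ++xx)
                slice->setPixel(xx, yy, getPixel(x + xx, y + yy));
        return slice;
    }

private:
    int w, h, line;
    unsigned char *data;
};

int main() {
    Bitmap src(16, 4);                                 // constructed sample bitmap
    src.clearToZero();
    src.setPixel(3, 1, 1);
    Bitmap *ok = src.getSlice(2, 1, 4, 2);             // valid 4x2 slice, pixel (1,0) set
    Bitmap *bad = src.getSlice(0, 0, INT_MAX, INT_MAX); // fuzzer-style size: nullptr, no crash
    int rc = (ok && ok->getPixel(1, 0) == 1 && bad == nullptr) ? 0 : 1;
    delete ok;
    return rc;
}
```

The design point is that a constructor which cannot throw must leave the object in a state callers can inspect, and every entry point that follows (clearToZero, the copy loop in getSlice, and any later pixel access) has to honour that state rather than assume the allocation succeeded.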
Comment 1 Tomas Hoger 2010-05-19 02:21:54 UTC
Created attachment 35749
Reproducer

Source: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/537331
Comment 2 Albert Astals Cid 2010-05-25 15:09:41 UTC
Fixed in 30ea3ab

