Bug 28806 - poppler: missing readGenericBitmap return value check leads to NULL deref in JBIG2Bitmap::getSlice
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
 
Reported: 2010-06-29 00:05 UTC by Tomas Hoger
Modified: 2010-09-16 06:28 UTC (History)

Attachments
Reproducer (13.64 KB, application/x-gzip)
2010-06-29 00:06 UTC, Tomas Hoger

Description Tomas Hoger 2010-06-29 00:05:02 UTC
This is based on:
  https://bugs.launchpad.net/bugs/599454

JBIG2Stream::readPatternDictSeg calls readGenericBitmap() without checking its return value:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n2455

readGenericBitmap() can return NULL:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n2767

This leads to a call to JBIG2Bitmap::getSlice with this == NULL:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n2465

leading to NULL deref crash.
Comment 1 Tomas Hoger 2010-06-29 00:06:07 UTC
Created attachment 36590
Reproducer

Local copy of reproducer from:
   https://bugs.launchpad.net/bugs/599454
Comment 2 Albert Astals Cid 2010-06-29 13:47:02 UTC
Thanks for the report, added a null check in there.
Comment 3 Tomas Hoger 2010-06-29 23:23:41 UTC
Thank you!

Commit link for future reference:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=16e15ac845
Comment 4 Tomas Hoger 2010-09-16 06:21:55 UTC
I believe this can be closed now.
Comment 5 Albert Astals Cid 2010-09-16 06:28:20 UTC
Whoops, forgot to do it when I did the commit
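
The bug pattern from the description and the null check mentioned in Comment 2, as an added C++ sketch that is not poppler's code and not part of the original thread. `Bitmap`, `readGenericBitmapModel`, both `readPatternDict*` functions, the slicing loop and the failure condition (out-of-range dimensions) are assumptions made for illustration.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for JBIG2Bitmap (one byte per pixel for simplicity).
struct Bitmap {
    int w, h;
    std::vector<unsigned char> px;
    Bitmap(int w_, int h_) : w(w_), h(h_), px(static_cast<size_t>(w_) * h_, 0) {}
    // Copies a sub-rectangle. It reads this->w, this->h and this->px, so
    // calling it through a null pointer is undefined behaviour (a crash).
    std::unique_ptr<Bitmap> getSlice(int x, int y, int sw, int sh) const {
        auto s = std::make_unique<Bitmap>(sw, sh);
        for (int yy = 0; yy < sh; ++yy)
            for (int xx = 0; xx < sw; ++xx)
                if (x + xx < w && y + yy < h)
                    s->px[yy * sw + xx] = px[(y + yy) * w + (x + xx)];
        return s;
    }
};

// Stand-in for readGenericBitmap(): returns null when decoding fails.
// The failure condition used here (bad dimensions) is an assumption.
std::unique_ptr<Bitmap> readGenericBitmapModel(long long w, long long h) {
    if (w <= 0 || h <= 0 || w > 4096 || h > 4096) return nullptr;
    return std::make_unique<Bitmap>(static_cast<int>(w), static_cast<int>(h));
}

// Unchecked caller, the shape of the reported bug. Not exercised below.
long readPatternDictUnchecked(int patW, int patH, int grayMax) {
    auto bm = readGenericBitmapModel((static_cast<long long>(grayMax) + 1) * patW, patH);
    long n = 0;
    for (int i = 0, x = 0; i <= grayMax; ++i, x += patW)
        if (bm->getSlice(x, 0, patW, patH)) ++n;  // bm may be null here
    return n;
}

// Checked caller: reject the segment when no bitmap was produced.
// Returns the number of patterns sliced, or -1 if the segment is rejected.
long readPatternDictChecked(int patW, int patH, int grayMax) {
    auto bm = readGenericBitmapModel((static_cast<long long>(grayMax) + 1) * patW, patH);
    if (!bm) return -1;                           // the added null check
    long n = 0;
    for (int i = 0, x = 0; i <= grayMax; ++i, x += patW)
        if (bm->getSlice(x, 0, patW, patH)) ++n;
    return n;
}

int main() { return readPatternDictChecked(8, 8, 3) == 4 ? 0 : 1; }
```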

