Segmentation fault caused by null pointer dereference in PNGWriter::~PNGWriter(), PNGWriter.cc:54
Hi there.
There is a null pointer dereference in PNGWriter.cc:54, which causes a segmentation fault and may lead to denial of service in version 315ab300, version 22.09.0.
To reproduce, run
pdfimages -all POC /dev/null
Here is my environment:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"
Here is the call stack reported by ASAN:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3765741==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7fd429e3b09a bp 0xbebebebebebebebe sp 0x7fffc3da7270 T0)
==3765741==The signal is caused by a READ memory access.
==3765741==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x7fd429e3b09a in png_free_data (/lib/x86_64-linux-gnu/libpng16.so.16+0x609a)
#1 0x7fd429e3b6bc in png_destroy_info_struct (/lib/x86_64-linux-gnu/libpng16.so.16+0x66bc)
#2 0x7fd429e58b69 in png_destroy_write_struct (/lib/x86_64-linux-gnu/libpng16.so.16+0x23b69)
#3 0x7fd42a891752 in PNGWriter::~PNGWriter() /benchmark/poppler/goo/PNGWriter.cc:54:5
#4 0x7fd42a891752 in PNGWriter::~PNGWriter() /benchmark/poppler/goo/PNGWriter.cc:52:1
#5 0x504c21 in ImageOutputDev::writeImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool) /benchmark/poppler/utils/ImageOutputDev.cc
#6 0x50552c in ImageOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, Stream*, int, int, GfxImageColorMap*, bool) /benchmark/poppler/utils/ImageOutputDev.cc:730:9
#7 0x7fd42aaab230 in Gfx::doImage(Object*, Stream*, bool) /benchmark/poppler/poppler/Gfx.cc:4585:22
#8 0x7fd42aa61fae in Gfx::opXObject(Object*, int) /benchmark/poppler/poppler/Gfx.cc:4118:13
#9 0x7fd42aa88884 in Gfx::go(bool) /benchmark/poppler/poppler/Gfx.cc:684:13
#10 0x7fd42aa879bd in Gfx::display(Object*, bool) /benchmark/poppler/poppler/Gfx.cc:645:5
#11 0x7fd42abf9705 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /benchmark/poppler/poppler/Page.cc:575:14
#12 0x7fd42abf936e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /benchmark/poppler/poppler/Page.cc:521:5
#13 0x7fd42ac0e554 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /benchmark/poppler/poppler/PDFDoc.cc:606:24
#14 0x7fd42ac0e554 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /benchmark/poppler/poppler/PDFDoc.cc:616:9
#15 0x4ff72b in main /benchmark/poppler/utils/pdfimages.cc:193:14
#16 0x7fd42a090082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x41e67d in _start ( /benchmark/poppler/build/utils/pdfimages+0x41e67d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libpng16.so.16+0x609a) in png_free_data
==3765741==ABORTING
Edited by Doudou Huang
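Added example, not poppler's own code: the defect class behind a crash in a destructor like the one in the trace above is a teardown that runs unconditionally over handles the object may never have created. The block shows a writer with its libpng handles in a private struct in the fragile shape (fields left unset, destructor always calls the destroy routine) beside a hardened shape (fields value-initialised to nullptr, destroy guarded, copying forbidden). Assumptions: libpng is replaced by a tiny stand-in (`fake_png_*`) that records the handles it issued and counts teardown calls made with any other value, where the real library would read through it and fault; the `0xbe` fill mirrors ASan's default heap fill byte, which is consistent with the `bp 0xbebebebebebebebe` register value in the report.

```cpp
// Added example (not poppler's code): a writer whose libpng handles live in a
// private struct, in the shape that faults in its destructor beside one that
// does not. libpng itself is replaced by a stand-in so this builds alone.
#include <cstdlib>
#include <cstring>
#include <set>

struct png_struct { int unused; };   // stand-ins for libpng's opaque types
struct png_info { int unused; };

static std::set<const void *> g_live;   // handles the stand-in issued
static int g_bad_destroy_calls = 0;     // with real libpng: SEGV in png_free_data

static png_struct *fake_png_create_write_struct() {
    png_struct *p = new png_struct{};
    g_live.insert(p);
    return p;
}
static png_info *fake_png_create_info_struct(png_struct *) {
    png_info *i = new png_info{};
    g_live.insert(i);
    return i;
}
// Mirrors the contract of png_destroy_write_struct(): the write struct must be
// a handle the library issued; the info struct may be null but never garbage.
static void fake_png_destroy_write_struct(png_struct **pp, png_info **ip) {
    if (!pp || !g_live.count(*pp)) { ++g_bad_destroy_calls; return; }
    if (ip && *ip) {
        if (!g_live.count(*ip)) { ++g_bad_destroy_calls; return; }
        g_live.erase(*ip); delete *ip; *ip = nullptr;
    }
    g_live.erase(*pp); delete *pp; *pp = nullptr;
}

// Fragile shape: priv comes from malloc and its fields are never set, so a
// writer destroyed before init() ran hands uninitialised memory to the
// library. The memset stands in for ASan's 0xbe heap fill.
struct FragilePriv { png_struct *png_ptr; png_info *info_ptr; };

class FragileWriter {
public:
    FragileWriter() : priv(static_cast<FragilePriv *>(std::malloc(sizeof(FragilePriv)))) {
        std::memset(priv, 0xbe, sizeof(FragilePriv));   // constructed, not initialised
    }
    bool init() {
        priv->png_ptr = fake_png_create_write_struct();
        priv->info_ptr = fake_png_create_info_struct(priv->png_ptr);
        return true;
    }
    ~FragileWriter() {
        fake_png_destroy_write_struct(&priv->png_ptr, &priv->info_ptr);  // unconditional
        std::free(priv);
    }
private:
    FragilePriv *priv;
};

// Hardened shape: members are value-initialised to nullptr, teardown only
// touches what init() created, and copying is deleted so a handle cannot be
// destroyed twice.
struct SafePriv { png_struct *png_ptr = nullptr; png_info *info_ptr = nullptr; };

class SafeWriter {
public:
    SafeWriter() : priv(new SafePriv) {}
    SafeWriter(const SafeWriter &) = delete;
    SafeWriter &operator=(const SafeWriter &) = delete;
    bool init() {
        priv->png_ptr = fake_png_create_write_struct();
        priv->info_ptr = fake_png_create_info_struct(priv->png_ptr);
        return true;
    }
    ~SafeWriter() {
        if (priv->png_ptr)
            fake_png_destroy_write_struct(&priv->png_ptr, &priv->info_ptr);
        delete priv;
    }
private:
    SafePriv *priv;
};

// Drivers: each walks one writer through "constructed, never initialised,
// destroyed" (or initialised first) and returns how many teardown calls the
// stand-in rejected. A non-zero count is a crash with the real library.
int fragile_uninit_bad_calls() { g_bad_destroy_calls = 0; { FragileWriter w; } return g_bad_destroy_calls; }
int safe_uninit_bad_calls()    { g_bad_destroy_calls = 0; { SafeWriter w; } return g_bad_destroy_calls; }
int safe_init_bad_calls()      { g_bad_destroy_calls = 0; { SafeWriter w; w.init(); } return g_bad_destroy_calls; }
```

The guard in `~SafeWriter` is the whole fix: a destructor must be correct for every state the constructor can leave the object in, including "init() was never called" and "init() failed halfway", which is why the private struct's pointers start as nullptr rather than whatever the allocator left behind.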