NULL pointer dereference in GfxState.cc:6127

Submitted by foca@salesforce.com

Assigned to poppler-bugs

Link to original bug (#101504)

Description

Created attachment 132068 Proof of concept

There is a NULL dereference in GfxState.cc:6127.

The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710 which returns NULL, and stores that in pix. The value is than passed on to the getGrayLine function which tries to dereference it, resulting in a null dereference.

2708 for (y = 0; y < maskHeight; y++) { 2709 maskDest = (unsigned char *) (maskBuffer + y * row_stride); 2710 pix = maskImgStr->getLine(); 2711 maskColorMap->getGrayLine (pix, maskDest, maskWidth); 2712 }

The reason NULL is returned by getLine due to the following ImageStream::getLine

529 if (unlikely(inputLine == NULL)) { 530 return NULL; 531 }

At the point inp is set to whatever pix was( pix=in), in our case pix was NULL. On line 6127 the dereference takes place and poppler crashes trying to dereference a NULL pointer. 6123 default: 6124 inp = in; 6125 for (j = 0; j < length; j++) 6126 for (i = 0; i < nComps; i++) { 6127 *inp = byte_lookup[*inp * nComps + i]; 6128 inp++; 6129 }

A solution could be an additional check at CairoOutputDev.cc:2710 to check the line isn't NULL: 2710 pix = maskImgStr->getLine(); 2711 if (pix == NULL) continue; 2712 maskColorMap->getGrayLine (pix, maskDest, maskWidth);

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Attachment 132068, "Proof of concept":
PoC.pdf