NULL pointer dereference in GfxState.cc:6127
Submitted by foca@salesforce.com
Assigned to poppler-bugs
Link to original bug (#101504)
Description
Created attachment 132068 Proof of concept
There is a NULL dereference in GfxState.cc:6127.
The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710 which returns NULL, and stores that in pix. The value is than passed on to the getGrayLine function which tries to dereference it, resulting in a null dereference.
2708 for (y = 0; y < maskHeight; y++) { 2709 maskDest = (unsigned char *) (maskBuffer + y * row_stride); 2710 pix = maskImgStr->getLine(); 2711 maskColorMap->getGrayLine (pix, maskDest, maskWidth); 2712 }
The reason NULL is returned by getLine due to the following
ImageStream::getLine
529 if (unlikely(inputLine == NULL)) { 530 return NULL; 531 }
At the point inp is set to whatever pix was( pix=in), in our case pix was NULL. On line 6127 the dereference takes place and poppler crashes trying to dereference a NULL pointer. 6123 default: 6124 inp = in; 6125 for (j = 0; j < length; j++) 6126 for (i = 0; i < nComps; i++) { 6127 *inp = byte_lookup[*inp * nComps + i]; 6128 inp++; 6129 }
A solution could be an additional check at CairoOutputDev.cc:2710 to check the line isn't NULL: 2710 pix = maskImgStr->getLine(); 2711 if (pix == NULL) continue; 2712 maskColorMap->getGrayLine (pix, maskDest, maskWidth);
PoC is attached.
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 132068, "Proof of concept":
PoC.pdf