poppler issue #498 (Closed)
Issue created Jun 19, 2017 by Bugzilla Migration User@bugzilla-migration

NULL pointer dereference in GfxState.cc:6127

Submitted by foca@salesforce.com

Assigned to poppler-bugs

Link to original bug (#101504)

Description

Created attachment 132068 Proof of concept

There is a NULL dereference in GfxState.cc:6127.

The function drawSoftMaskedImage calls getLine() at CairoOutputDev.cc:2710, which returns NULL, and stores that in pix. The value is then passed on to the getGrayLine function, which tries to dereference it, resulting in a NULL dereference.

```cpp
2708   for (y = 0; y < maskHeight; y++) {
2709     maskDest = (unsigned char *) (maskBuffer + y * row_stride);
2710     pix = maskImgStr->getLine();
2711     maskColorMap->getGrayLine (pix, maskDest, maskWidth);
2712   }
```

The reason NULL is returned by getLine is the following check in ImageStream::getLine:

```cpp
529   if (unlikely(inputLine == NULL)) {
530     return NULL;
531   }
```

At that point inp is set to whatever pix was (pix = in); in our case pix was NULL. On line 6127 the dereference takes place and poppler crashes trying to dereference a NULL pointer.

```cpp
6123     default:
6124       inp = in;
6125       for (j = 0; j < length; j++)
6126         for (i = 0; i < nComps; i++) {
6127           *inp = byte_lookup[*inp * nComps + i];
6128           inp++;
6129         }
```

A solution could be an additional check at CairoOutputDev.cc:2710 that the line isn't NULL:

```cpp
2710     pix = maskImgStr->getLine();
2711     if (pix == NULL) continue;
2712     maskColorMap->getGrayLine (pix, maskDest, maskWidth);
```

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Attachment 132068, "Proof of concept":
PoC.pdf
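The interaction described in the report, as an added self-contained example that is not poppler's code and not part of the original bug report. The `Toy*` types, the driver functions and the sample data are hypothetical stand-ins for poppler's `ImageStream::getLine()`, `GfxImageColorMap::getGrayLine()` and the row loop in `CairoOutputDev::drawSoftMaskedImage()`; they model only the shape the report quotes (a `getLine()` that returns NULL when its input line buffer is missing, a lookup loop that reads `*inp` unconditionally) and place the proposed `if (pix == NULL) continue;` check beside the unchecked loop so the two can be run on the same constructed input.

```cpp
// Added example, not poppler's code: a reduced model of the NULL path the
// report describes. The Toy* names are hypothetical stand-ins for poppler's
// ImageStream, GfxImageColorMap and CairoOutputDev::drawSoftMaskedImage.
#include <cstddef>
#include <cstdint>
#include <numeric>
#include <vector>

// Stand-in for ImageStream. An empty `rows` vector models the state in which
// inputLine was never allocated, so getLine() returns NULL exactly as the
// quoted "if (unlikely(inputLine == NULL)) return NULL;" does.
struct ToyImageStream {
    std::vector<std::vector<uint8_t>> rows;  // decoded rows (constructed data)
    size_t next = 0;
    uint8_t *getLine() {
        if (rows.empty() || next >= rows.size()) return nullptr;
        return rows[next++].data();
    }
};

// Stand-in for the getGrayLine() default branch: it walks `in` through a
// byte lookup table with no NULL check, so in == NULL faults on the first read.
// Gray is taken as the first looked-up component (an assumption of this model).
struct ToyColorMap {
    std::vector<uint8_t> byte_lookup;  // 256 * nComps entries
    int nComps = 1;
    void getGrayLine(uint8_t *in, uint8_t *out, int length) const {
        uint8_t *inp = in;
        for (int j = 0; j < length; j++) {
            uint8_t first = 0;
            for (int i = 0; i < nComps; i++) {
                *inp = byte_lookup[*inp * nComps + i];  // NULL deref if in == NULL
                if (i == 0) first = *inp;
                inp++;
            }
            out[j] = first;
        }
    }
};

// The loop shape the report quotes from drawSoftMaskedImage: pix is handed
// straight to getGrayLine(). Running it on a stream whose getLine() yields
// NULL reproduces the crash, so it is only ever driven with real rows below.
int drawMaskRowsUnchecked(ToyImageStream &str, const ToyColorMap &cmap,
                          std::vector<uint8_t> &maskBuffer, int maskWidth, int maskHeight) {
    for (int y = 0; y < maskHeight; y++) {
        uint8_t *maskDest = maskBuffer.data() + (size_t)y * maskWidth;
        uint8_t *pix = str.getLine();
        cmap.getGrayLine(pix, maskDest, maskWidth);
    }
    return maskHeight;
}

// The same loop with the check the report proposes: a NULL line is skipped and
// that mask row is left untouched. Returns the number of rows converted.
int drawMaskRowsHardened(ToyImageStream &str, const ToyColorMap &cmap,
                         std::vector<uint8_t> &maskBuffer, int maskWidth, int maskHeight) {
    int converted = 0;
    for (int y = 0; y < maskHeight; y++) {
        uint8_t *maskDest = maskBuffer.data() + (size_t)y * maskWidth;
        uint8_t *pix = str.getLine();
        if (pix == nullptr) continue;  // the proposed check at CairoOutputDev.cc:2711
        cmap.getGrayLine(pix, maskDest, maskWidth);
        converted++;
    }
    return converted;
}

// Constructed sample data: a 1-component map that inverts each sample, and a
// stream of `streamRows` rows of `width` samples valued (y * width + x) & 0xff.
// streamRows == 0 builds the "no input line" stream that takes the NULL path.
ToyColorMap makeInvertingMap() {
    ToyColorMap cm;
    cm.byte_lookup.resize(256);
    for (int v = 0; v < 256; v++) cm.byte_lookup[v] = (uint8_t)(255 - v);
    return cm;
}
ToyImageStream makeStream(int width, int streamRows) {
    ToyImageStream s;
    for (int y = 0; y < streamRows; y++) {
        std::vector<uint8_t> row((size_t)width);
        for (int x = 0; x < width; x++) row[(size_t)x] = (uint8_t)(y * width + x);
        s.rows.push_back(row);
    }
    return s;
}

// Drivers: rows converted by the hardened loop, and the sum of the resulting
// mask buffer (zeroed beforehand) for either loop over the same input.
int hardenedRowsConverted(int width, int streamRows, int maskHeight) {
    ToyColorMap cm = makeInvertingMap();
    ToyImageStream s = makeStream(width, streamRows);
    std::vector<uint8_t> buf((size_t)width * (size_t)maskHeight, 0);
    return drawMaskRowsHardened(s, cm, buf, width, maskHeight);
}
int maskSum(bool hardened, int width, int streamRows, int maskHeight) {
    ToyColorMap cm = makeInvertingMap();
    ToyImageStream s = makeStream(width, streamRows);
    std::vector<uint8_t> buf((size_t)width * (size_t)maskHeight, 0);
    if (hardened) drawMaskRowsHardened(s, cm, buf, width, maskHeight);
    else          drawMaskRowsUnchecked(s, cm, buf, width, maskHeight);
    return std::accumulate(buf.begin(), buf.end(), 0);
}
```

With two real rows both loops produce the same mask; with no input line (or fewer decoded rows than the mask height asks for) the hardened loop reports how many rows it actually converted and leaves the rest of the mask zeroed, whereas the unchecked loop would fault on the first `*inp` read. Note that `continue` silently drops the row, which is what the report proposes; a caller wanting to distinguish "mask fully drawn" from "mask partially drawn" needs the returned count or an explicit error path.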
