poppler issue #59
Created Jun 14, 2017 by Bugzilla Migration User@bugzilla-migration

Null pointer dereference in function getRow at CairoOutputDev.cc:3160

Submitted by foca@salesforce.com

Assigned to poppler-bugs

Link to original bug (#101431)

Description

Created attachment 131963 Proof of concept

Hi,

There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130 the variable pix can get a NULL value returned by imgStr->getLine().

```cpp
3122 void getRow(int row_num, uint32_t *row_data) override {
3123   int i;
3124   Guchar *pix;
3125
3126   if (row_num <= current_row)
3127     return;
3128
3129   while (current_row < row_num) {
3130     pix = imgStr->getLine();
3131     current_row++;
3132   }
3133
3134   if (unlikely(pix == NULL)) {
3135     memset(row_data, 0, width4);
3136     if (!imageError) {
3137       error(errInternal, -1, "Bad image stream");
3138       imageError = gTrue;
3139     }
```

This scenario (pix == NULL) is checked later at line 3134, but the execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer.

```cpp
3156   if (maskColors) {
3157     for (int x = 0; x < width; x++) {
3158       bool is_opaque = false;
3159       for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
3160         if (pix[i] < maskColors[2*i] ||
3161             pix[i] > maskColors[2*i+1]) {
3162           is_opaque = true;
3163           break;
3164         }
3165       }
```

A solution could be exiting the function after the error is detected at line 3138.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Attachment 131963, "Proof of concept":
PoC.pdf
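The following is an added illustration of the fix the report proposes; it is not poppler's code and is not part of the original issue. `StubImageStream`, `RowReader` and `readRow` are hypothetical stand-ins that mirror the control flow of the quoted getRow(): rows are pulled from the stream until `row_num` is reached, and once the stream runs dry `getLine()` returns a null pointer. The hardened version zeroes the output row, records the error once, and returns before the `maskColors` loop ever indexes `pix`. The mask values and pixel bytes are constructed sample data.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for poppler's ImageStream. getLine() hands out one
// constructed row of 0x80 bytes per call and returns nullptr once the
// declared number of rows is exhausted (the "Bad image stream" condition).
struct StubImageStream {
    int rowsAvailable;
    int rowsServed = 0;
    std::vector<unsigned char> line;
    StubImageStream(int rows, int width, int numComps)
        : rowsAvailable(rows), line(static_cast<size_t>(width) * numComps, 0x80) {}
    unsigned char *getLine() {
        if (rowsServed >= rowsAvailable) return nullptr;
        ++rowsServed;
        return line.data();
    }
};

// Hypothetical row reader with the same shape as CairoOutputDev's getRow():
// advance the stream to row_num, then build a per-pixel opacity mask.
struct RowReader {
    StubImageStream *imgStr;
    int width;
    int numComps;
    const int *maskColors;   // [min,max] pair per component, or nullptr
    size_t width4;           // bytes in one output row (width * 4)
    int current_row = -1;
    bool imageError = false;

    RowReader(StubImageStream *s, int w, int nc, const int *mask)
        : imgStr(s), width(w), numComps(nc), maskColors(mask),
          width4(static_cast<size_t>(w) * 4) {}

    // Returns false when the row could not be read; row_data is then zeroed.
    bool getRow(int row_num, uint32_t *row_data) {
        unsigned char *pix = nullptr;
        if (row_num <= current_row) return true;
        while (current_row < row_num) {
            pix = imgStr->getLine();   // may be nullptr on a truncated stream
            current_row++;
        }
        if (pix == nullptr) {
            memset(row_data, 0, width4);
            if (!imageError) {
                fprintf(stderr, "Bad image stream\n");
                imageError = true;
            }
            return false;   // the fix: do not fall through into pix[i] below
        }
        if (maskColors) {
            for (int x = 0; x < width; x++) {
                bool is_opaque = false;
                for (int i = 0; i < numComps; ++i) {
                    if (pix[i] < maskColors[2 * i] || pix[i] > maskColors[2 * i + 1]) {
                        is_opaque = true;
                        break;
                    }
                }
                row_data[x] = is_opaque ? 0xff000000u : 0u;
                pix += numComps;
            }
        }
        return true;
    }
};

// Reads `row` from a constructed stream that only holds `rows` rows. Every
// component is masked (transparent) when its byte lies in [0, maskMax].
// Returns getRow()'s status; row_out receives the produced row.
bool readRow(int rows, int width, int row, int maskMax, std::vector<uint32_t> &row_out) {
    const int numComps = 3;
    StubImageStream stream(rows, width, numComps);
    const int maskColors[6] = {0, maskMax, 0, maskMax, 0, maskMax};
    RowReader reader(&stream, width, numComps, maskColors);
    row_out.assign(static_cast<size_t>(width), 0xdeadbeefu);  // poison so zeroing is visible
    return reader.getRow(row, row_out.data());
}

int main() {
    std::vector<uint32_t> out;
    bool ok = readRow(4, 8, 6, 0xff, out);   // asks for row 6 of a 4-row stream
    printf("row read: %s, first pixel: 0x%08x\n", ok ? "yes" : "no", out[0]);
    return 0;
}
```

Requesting a row past the end of the stream now yields a zeroed row and a `false` status instead of reading through a null pointer, which is the behaviour the report asks for.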
