Closed
Opened Jun 14, 2017 by Bugzilla Migration User@bugzilla-migration

Null pointer dereference in function getRow at CairoOutputDev.cc:3160

Submitted by foca@salesforce.com

Assigned to poppler-bugs

Link to original bug (#101431)

Description

Created attachment 131963 Proof of concept

Hi,

There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130, the variable pix can receive a NULL value returned by imgStr->getLine():

```cpp
3122 void getRow(int row_num, uint32_t *row_data) override {
3123   int i;
3124   Guchar *pix;
3125
3126   if (row_num <= current_row)
3127     return;
3128
3129   while (current_row < row_num) {
3130     pix = imgStr->getLine();
3131     current_row++;
3132   }
3133
3134   if (unlikely(pix == NULL)) {
3135     memset(row_data, 0, width*4);
3136     if (!imageError) {
3137       error(errInternal, -1, "Bad image stream");
3138       imageError = gTrue;
3139     }
```

This scenario (pix == NULL) is checked later, at line 3134, but execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer:

```cpp
3156   if (maskColors) {
3157     for (int x = 0; x < width; x++) {
3158       bool is_opaque = false;
3159       for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
3160         if (pix[i] < maskColors[2*i] ||
3161             pix[i] > maskColors[2*i+1]) {
3162           is_opaque = true;
3163           break;
3164         }
3165       }
```

A solution could be exiting the function after the error is detected at 3138.

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Attachment 131963, "Proof of concept":
PoC.pdf
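The pattern the report describes, as an added example in plain C that is not poppler's code: a simplified stand-in for getRow() carrying the early return the reporter suggests, driven by a stub image stream whose get_line() returns NULL once its rows run out (the state the PoC leaves the real decoder in). ImgStream, get_line(), WIDTH, NCOMPS and the mask-to-pixel handling are assumptions made for this model, not poppler's types.

```c
/* Added example, not poppler code: a simplified model of getRow() with the
 * early return the report suggests; ImgStream and get_line are stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WIDTH  4   /* pixels per row (assumed) */
#define NCOMPS 1   /* colour components per pixel (assumed) */
typedef struct {
    int rows_available;   /* rows the stream can still deliver */
    int current_row;
    bool image_error;
    unsigned char line[WIDTH * NCOMPS];
} ImgStream;

/* Stand-in for imgStr->getLine(): NULL once the stream is exhausted. */
static unsigned char *get_line(ImgStream *s) {
    if (s->current_row >= s->rows_available) return NULL;
    memset(s->line, 0x10 * (s->current_row + 1), sizeof s->line);
    return s->line;
}

/* Returns 0 on success, -1 when the stream ran dry (row_data zeroed).
 * mask_colors holds [min, max] per component, like maskColors. */
int get_row_fixed(ImgStream *s, int row_num, const int *mask_colors, uint32_t *row_data) {
    unsigned char *pix = NULL;
    if (row_num <= s->current_row) return 0;   /* row already consumed */
    while (s->current_row < row_num) {
        pix = get_line(s);
        s->current_row++;
    }
    if (pix == NULL) {
        memset(row_data, 0, WIDTH * sizeof *row_data);
        if (!s->image_error) {
            fprintf(stderr, "Bad image stream\n");
            s->image_error = true;
        }
        return -1;   /* the fix: never fall through to pix[i] below */
    }
    for (int x = 0; x < WIDTH; x++, pix += NCOMPS) {
        bool is_opaque = false;
        for (int i = 0; i < NCOMPS; ++i)
            if (pix[i] < mask_colors[2 * i] || pix[i] > mask_colors[2 * i + 1]) {
                is_opaque = true;
                break;
            }
        row_data[x] = is_opaque ? (0xFF000000u | pix[0]) : 0;
    }
    return 0;
}
```

Without the `return -1`, the third call below would index through a NULL pix exactly as the report describes at line 3160; with it, the caller gets a zeroed row and a status it can act on.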

Reference: poppler/poppler#59