Null pointer dereference in function getRow at CairoOutputDev.cc:3160
Submitted by: foca@salesforce.com
Assigned to: poppler-bugs
Link to original bug (#101431)
Description
Created attachment 131963 Proof of concept
Hi,
There is a null pointer dereference bug in the function getRow (CairoOutputDev.cc:3122). At line 3130 the variable pix can get a NULL value returned by imgStr->getLine():
3122 void getRow(int row_num, uint32_t *row_data) override {
3123   int i;
3124   Guchar *pix;
3125
3126   if (row_num <= current_row)
3127     return;
3128
3129   while (current_row < row_num) {
3130     pix = imgStr->getLine();
3131     current_row++;
3132   }
3133
3134   if (unlikely(pix == NULL)) {
3135     memset(row_data, 0, width*4);
3136     if (!imageError) {
3137       error(errInternal, -1, "Bad image stream");
3138       imageError = gTrue;
3139     }
This scenario (pix == NULL) is checked later at line 3134, but the execution isn't stopped, so line 3160 is reached with pix holding a NULL pointer:
3156   if (maskColors) {
3157     for (int x = 0; x < width; x++) {
3158       bool is_opaque = false;
3159       for (int i = 0; i < colorMap->getNumPixelComps(); ++i) {
3160         if (pix[i] < maskColors[2*i] ||
3161             pix[i] > maskColors[2*i+1]) {
3162           is_opaque = true;
3163           break;
3164         }
3165       }
A solution could be exiting the function after the error is detected at 3138.
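The early exit proposed above, modelled as an added example that is not poppler's code: a constructed stand-in for the image stream returns NULL once it is truncated, and a getRow that returns right after flagging the error never reaches the maskColors loop with a NULL pix. FakeImageStream, RowReader, the gray pixel packing and the sample values are all constructed for this illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for poppler's ImageStream: one row per getLine() call,
// NULL once the truncated stream has no more rows (the condition in the report).
struct FakeImageStream {
    int rows_available, rows_served = 0;
    std::vector<uint8_t> row;                       // reused for every served row
    uint8_t *getLine() { return rows_served < rows_available ? (rows_served++, row.data()) : nullptr; }
};

struct RowReader {
    FakeImageStream *imgStr;
    int width, nComps;
    const int *maskColors;                          // [min0,max0,min1,max1,...]
    int current_row = -1; bool imageError = false;

    // Hardened getRow: returning right after the error keeps a NULL pix from
    // reaching the maskColors loop where the report's dereference happens.
    void getRow(int row_num, uint32_t *row_data) {
        uint8_t *pix = nullptr;
        if (row_num <= current_row) return;
        while (current_row < row_num) {
            pix = imgStr->getLine();
            current_row++;
        }
        if (pix == nullptr) {
            memset(row_data, 0, width * 4);        // blank row, as the original does
            imageError = true;
            return;                                 // the fix: stop here
        }
        for (int x = 0; x < width; x++, pix += nComps) {
            bool is_opaque = false;
            for (int i = 0; i < nComps; ++i)
                if (pix[i] < maskColors[2 * i] || pix[i] > maskColors[2 * i + 1]) { is_opaque = true; break; }
            uint32_t v = pix[0];                    // constructed gray packing
            row_data[x] = (is_opaque ? 0xff000000u : 0u) | (v << 16) | (v << 8) | v;
        }
    }
};

// Read a valid row, then request one past the end of a constructed 2-row stream.
// Returns true when the missing row is zeroed and flagged instead of crashing.
bool truncatedRowIsZeroedAndFlagged() {
    FakeImageStream s{2, 0, std::vector<uint8_t>(4, 10)};
    static const int mask[2] = {0, 20};             // pixel value 10 lies inside the range
    RowReader r{&s, 4, 1, mask}; uint32_t out[4];
    r.getRow(0, out);
    bool first_ok = !r.imageError && out[0] == 0x000a0a0au;
    r.getRow(3, out);                               // getLine() returns NULL here
    return first_ok && r.imageError && out[0] == 0 && out[1] == 0 && out[2] == 0 && out[3] == 0;
}
```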
PoC is attached.
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 131963, "Proof of concept":
PoC.pdf