null pointer dereference in XRef::getEntry (#692) · Issues · poppler / poppler

null pointer dereference in XRef::getEntry

pdfdetach crashes when it's feeded with a specific pdf file. The command I run with is pdfdetach -save 1 test.pdf. The backtrace is here:

Program received signal SIGSEGV, Segmentation fault.
0x082994de in XRefEntry::setFlag (this=0xe0, flag=XRefEntry::Parsing, value=false) at /work/poppler/poppler/XRef.h:85
85            flags &= ~mask;
(gdb) bt
#0  0x082994de in XRefEntry::setFlag (this=0xe0, flag=XRefEntry::Parsing, value=false) at /work/poppler/poppler/XRef.h:85
#1  0x08295fd1 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (this=0x8651ff8,
    dict=<unknown type in /work/poppler/build/utils/pdfdetach, CU 0x225680, DIE 0x23466c>, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=3,
    strict=false) at /work/poppler/poppler/Parser.cc:303
#2  0x08296cd8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=2, strict=false)
    at /work/poppler/poppler/Parser.cc:134
#3  0x08296ab8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=1, strict=false)
    at /work/poppler/poppler/Parser.cc:93
#4  0x08296fa6 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=0, strict=false)
    at /work/poppler/poppler/Parser.cc:120
#5  0x083895fe in XRef::fetch (this=0x8652328, num=7, gen=0, recursion=0) at /work/poppler/poppler/XRef.cc:1132
#6  0x0838b199 in XRef::getCatalog (this=0x8652328) at /work/poppler/poppler/XRef.cc:1064
#7  0x08121c54 in Catalog::Catalog (this=0x8652820, docA=0x8652148) at /work/poppler/poppler/Catalog.cc:94
#8  0x082b6280 in PDFDoc::setup (this=0x8652148, ownerPassword=0x0, userPassword=0x0) at /work/poppler/poppler/PDFDoc.cc:292
#9  0x082b663a in PDFDoc::PDFDoc (this=0x8652148, fileNameA=0x8652038, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/PDFDoc.cc:170
#10 0x084f9eda in LocalPDFDocBuilder::buildPDFDoc (this=0x86520b0, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x08113a6a in main (argc=4, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:150

I analyse the code and find in some situation, entry is null:

#0  XRef::getEntry (this=0x8652328, i=7, complainIfMissing=false) at /work/poppler/poppler/XRef.cc:1552
#1  0x08295f8b in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (this=0x8651ff8,
    dict=<unknown type in /work/poppler/build/utils/pdfdetach, CU 0x225680, DIE 0x23466c>, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=3,
    strict=false) at /work/poppler/poppler/Parser.cc:301
#2  0x08296cd8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=2, strict=false)
    at /work/poppler/poppler/Parser.cc:134
#3  0x08296ab8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=1, strict=false)
    at /work/poppler/poppler/Parser.cc:93
#4  0x08296fa6 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=0, strict=false)
    at /work/poppler/poppler/Parser.cc:120
#5  0x083895fe in XRef::fetch (this=0x8652328, num=7, gen=0, recursion=0) at /work/poppler/poppler/XRef.cc:1132
#6  0x0838b199 in XRef::getCatalog (this=0x8652328) at /work/poppler/poppler/XRef.cc:1064
#7  0x08121c54 in Catalog::Catalog (this=0x8652820, docA=0x8652148) at /work/poppler/poppler/Catalog.cc:94
#8  0x082b6280 in PDFDoc::setup (this=0x8652148, ownerPassword=0x0, userPassword=0x0) at /work/poppler/poppler/PDFDoc.cc:292
#9  0x082b663a in PDFDoc::PDFDoc (this=0x8652148, fileNameA=0x8652038, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/PDFDoc.cc:170
#10 0x084f9eda in LocalPDFDocBuilder::buildPDFDoc (this=0x86520b0, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x08113a6a in main (argc=4, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:150
(gdb) p entries
$19 = (XRefEntry *) 0x0

The problem is in XRef::getEntry

XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
{
  if (i >= size || entries[i].type == xrefEntryNone) {

    if ((!xRefStream) && mainXRefEntriesOffset) {
      if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
        error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
      }

There is lack of check where size is 0 and entries is nullnullpointerdereference.pdf

pdfdetach crashes when it's feeded with a specific pdf file.
The command I run with is `pdfdetach -save 1 test.pdf`.
The backtrace is here:
```
Program received signal SIGSEGV, Segmentation fault.
0x082994de in XRefEntry::setFlag (this=0xe0, flag=XRefEntry::Parsing, value=false) at /work/poppler/poppler/XRef.h:85
85            flags &= ~mask;
(gdb) bt
#0  0x082994de in XRefEntry::setFlag (this=0xe0, flag=XRefEntry::Parsing, value=false) at /work/poppler/poppler/XRef.h:85
#1  0x08295fd1 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (this=0x8651ff8,
    dict=<unknown type in /work/poppler/build/utils/pdfdetach, CU 0x225680, DIE 0x23466c>, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=3,
    strict=false) at /work/poppler/poppler/Parser.cc:303
#2  0x08296cd8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=2, strict=false)
    at /work/poppler/poppler/Parser.cc:134
#3  0x08296ab8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=1, strict=false)
    at /work/poppler/poppler/Parser.cc:93
#4  0x08296fa6 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=0, strict=false)
    at /work/poppler/poppler/Parser.cc:120
#5  0x083895fe in XRef::fetch (this=0x8652328, num=7, gen=0, recursion=0) at /work/poppler/poppler/XRef.cc:1132
#6  0x0838b199 in XRef::getCatalog (this=0x8652328) at /work/poppler/poppler/XRef.cc:1064
#7  0x08121c54 in Catalog::Catalog (this=0x8652820, docA=0x8652148) at /work/poppler/poppler/Catalog.cc:94
#8  0x082b6280 in PDFDoc::setup (this=0x8652148, ownerPassword=0x0, userPassword=0x0) at /work/poppler/poppler/PDFDoc.cc:292
#9  0x082b663a in PDFDoc::PDFDoc (this=0x8652148, fileNameA=0x8652038, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/PDFDoc.cc:170
#10 0x084f9eda in LocalPDFDocBuilder::buildPDFDoc (this=0x86520b0, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x08113a6a in main (argc=4, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:150

```

I analyse the code and find in some situation, entry is null:
```(gdb) bt
#0  XRef::getEntry (this=0x8652328, i=7, complainIfMissing=false) at /work/poppler/poppler/XRef.cc:1552
#1  0x08295f8b in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (this=0x8651ff8,
    dict=<unknown type in /work/poppler/build/utils/pdfdetach, CU 0x225680, DIE 0x23466c>, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=3,
    strict=false) at /work/poppler/poppler/Parser.cc:301
#2  0x08296cd8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=2, strict=false)
    at /work/poppler/poppler/Parser.cc:134
#3  0x08296ab8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=1, strict=false)
    at /work/poppler/poppler/Parser.cc:93
#4  0x08296fa6 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=0, strict=false)
    at /work/poppler/poppler/Parser.cc:120
#5  0x083895fe in XRef::fetch (this=0x8652328, num=7, gen=0, recursion=0) at /work/poppler/poppler/XRef.cc:1132
#6  0x0838b199 in XRef::getCatalog (this=0x8652328) at /work/poppler/poppler/XRef.cc:1064
#7  0x08121c54 in Catalog::Catalog (this=0x8652820, docA=0x8652148) at /work/poppler/poppler/Catalog.cc:94
#8  0x082b6280 in PDFDoc::setup (this=0x8652148, ownerPassword=0x0, userPassword=0x0) at /work/poppler/poppler/PDFDoc.cc:292
#9  0x082b663a in PDFDoc::PDFDoc (this=0x8652148, fileNameA=0x8652038, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/PDFDoc.cc:170
#10 0x084f9eda in LocalPDFDocBuilder::buildPDFDoc (this=0x86520b0, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x08113a6a in main (argc=4, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:150
(gdb) p entries
$19 = (XRefEntry *) 0x0
```

The problem is in XRef::getEntry
```
XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
{
  if (i >= size || entries[i].type == xrefEntryNone) {

if ((!xRefStream) && mainXRefEntriesOffset) {
      if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
        error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
      }

```
There is lack of check where size is 0 and entries is null[nullpointerdereference.pdf](/uploads/b208588c92e16539930e2cc630775033/nullpointerdereference.pdf)

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.