Ubuntu
poppler package

Bug #537331
Comment #8

Comment 8 for bug 537331

Revision history for this message

In freedesktop.org Bugzilla #28170, Thoger-redhat (thoger-redhat) wrote on 2010-05-19:

Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to crash. It triggers a NULL pointer dereference in JBIG2Bitmap::getSlice / JBIG2Bitmap::clearToZero.

More details copy-n-pasted from:
https://bugzilla.redhat.com/show_bug.cgi?id=580105#c16

JBIG2Bitmap::getSlice() gets called with large values in wA/hA arguments:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740

It calls JBIG2Bitmap::JBIG2Bitmap():

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700

which contains protection against integer overflow / under-allocation of the
data[] buffer, and leaves data set to NULL if integer overflow is detected.

JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which
does memset(data, ...), resulting in NULL pointer dereference crash.

Ubuntupoppler package

Comment 8 for bug 537331

Ubuntu
poppler package