Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to crash. It triggers a NULL pointer dereference in JBIG2Bitmap::getSlice / JBIG2Bitmap::clearToZero.
More details copy-n-pasted from: https://bugzilla.redhat.com/show_bug.cgi?id=580105#c16

JBIG2Bitmap::getSlice() gets called with large values in the wA/hA arguments:
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740

It calls JBIG2Bitmap::JBIG2Bitmap():
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700

which contains protection against integer overflow / under-allocation of the
data[] buffer, and leaves data set to NULL if integer overflow is detected.
JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which
does memset(data, ...), resulting in a NULL pointer dereference crash.
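To make the failure mode concrete, the following is an added example that models the shape of the bug in a small C++ class. It is not poppler's code and not its upstream fix; the class ModelBitmap and the functions getSliceVulnerable, getSliceHardened, sliceRequestWouldCrash and hardenedSlicePixel are hypothetical names chosen for illustration. The constructor mirrors the pattern described above (refuse to allocate when h*line would overflow and leave data NULL), clearToZero() is a plain memset on data, and the two getSlice variants show the caller that ignores the NULL signal beside one that honours it.

```cpp
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Simplified stand-in for the JBIG2Bitmap behaviour described above
// (an assumption for illustration, not poppler's real class or its fix).
class ModelBitmap {
public:
    ModelBitmap(int wA, int hA) : w(wA), h(hA), line(0), data(nullptr) {
        // Under-allocation guard: reject non-positive sizes, a width whose
        // byte rounding would overflow, and any h*line that would overflow
        // int. On failure data stays NULL; the caller must check isOk().
        if (w <= 0 || h <= 0 || w > INT_MAX - 7) return;
        line = (w + 7) >> 3;
        if (h >= (INT_MAX - 1) / line) return;
        data = static_cast<unsigned char *>(malloc(static_cast<size_t>(h) * line + 1));
        if (data) data[static_cast<size_t>(h) * line] = 0;  // guard byte
    }
    ~ModelBitmap() { free(data); }

    bool isOk() const { return data != nullptr; }
    int getWidth() const { return w; }
    int getHeight() const { return h; }

    // memset() on a NULL data pointer is the crash the fuzzed PDF triggers.
    void clearToZero() { memset(data, 0, static_cast<size_t>(h) * line); }

    int getPixel(int x, int y) const {
        if (x < 0 || x >= w || y < 0 || y >= h) return 0;
        return (data[static_cast<size_t>(y) * line + (x >> 3)] >> (7 - (x & 7))) & 1;
    }
    void setPixel(int x, int y) {
        if (x < 0 || x >= w || y < 0 || y >= h) return;
        data[static_cast<size_t>(y) * line + (x >> 3)] |= static_cast<unsigned char>(0x80 >> (x & 7));
    }

    // Vulnerable shape: the new slice is cleared without checking whether the
    // constructor actually allocated it. With attacker-controlled wA/hA this
    // is a NULL pointer dereference inside clearToZero().
    ModelBitmap *getSliceVulnerable(int x, int y, int wA, int hA) {
        ModelBitmap *slice = new ModelBitmap(wA, hA);
        slice->clearToZero();
        copyInto(slice, x, y);
        return slice;
    }

    // Hardened shape: honour the constructor's failure signal before touching
    // data, and report the failure to the caller instead of crashing.
    ModelBitmap *getSliceHardened(int x, int y, int wA, int hA) {
        ModelBitmap *slice = new ModelBitmap(wA, hA);
        if (!slice->isOk()) {
            delete slice;
            return nullptr;
        }
        slice->clearToZero();
        copyInto(slice, x, y);
        return slice;
    }

private:
    // Copy the pixels of this bitmap that fall inside the requested window.
    void copyInto(ModelBitmap *slice, int x0, int y0) const {
        for (int yy = 0; yy < slice->h; ++yy)
            for (int xx = 0; xx < slice->w; ++xx)
                if (getPixel(x0 + xx, y0 + yy)) slice->setPixel(xx, yy);
    }
    int w, h, line;
    unsigned char *data;
};

// Probe the crash condition without triggering it: true when a wA x hA slice
// would leave data NULL, i.e. when getSliceVulnerable() would memset(NULL, ...).
bool sliceRequestWouldCrash(int wA, int hA) {
    ModelBitmap probe(wA, hA);
    return !probe.isOk();
}

// Build a 64x64 source with one pixel set at (3,2), take the requested slice
// through the hardened path and return slice pixel (px,py), or -1 if refused.
int hardenedSlicePixel(int x0, int y0, int wA, int hA, int px, int py) {
    ModelBitmap src(64, 64);
    src.clearToZero();
    src.setPixel(3, 2);
    ModelBitmap *slice = src.getSliceHardened(x0, y0, wA, hA);
    if (!slice) return -1;
    int v = slice->getPixel(px, py);
    delete slice;
    return v;
}

int main() {
    printf("normal slice, pixel (1,1): %d\n", hardenedSlicePixel(2, 1, 4, 4, 1, 1));
    printf("huge wA/hA would crash vulnerable path: %d\n", sliceRequestWouldCrash(1000000, 1000000));
    printf("hardened path refuses huge slice: %d\n", hardenedSlicePixel(0, 0, 1000000, 1000000, 0, 0));
    return 0;
}
```

The point of the example is the contract between constructor and caller: once a constructor signals allocation failure by leaving data NULL instead of throwing, every path that later touches data (clearToZero(), pixel access, combine-style copies) must check isOk() first, and a fuzzer will find the one that does not.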