[Secure-testing-team] Bug#879066: poppler: CVE-2017-15565: NULL pointer dereference vulnerability in GfxState.cc

Salvatore Bonaccorso carnil at debian.org
Wed Oct 18 20:27:53 UTC 2017


Source: poppler
Version: 0.57.0-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=103016

Hi,

the following vulnerability was published for poppler.

CVE-2017-15565[0]:
| In Poppler 0.59.0, a NULL Pointer Dereference exists in the
| GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted
| PDF document.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a20501 in GfxImageColorMap::getGrayLine (this=0x5555557edea0, in=0x0, 
    out=0x5555557ee360 "", length=331) at GfxState.cc:6136
6136            *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007ffff7a20501 in GfxImageColorMap::getGrayLine (this=0x5555557edea0, in=0x0, 
    out=0x5555557ee360 "", length=331) at GfxState.cc:6136
#1  0x000055555556d758 in CairoOutputDev::drawSoftMaskedImage (this=0x5555557c71e0, 
    state=0x5555557d6220, ref=0x7fffffffe360, str=0x5555557fed40, width=331, height=58, 
    colorMap=0x7fffffffde10, interpolate=false, maskStr=0x5555558072d0, maskWidth=331, 
    maskHeight=58, maskColorMap=0x5555557edea0, maskInterpolate=false) at CairoOutputDev.cc:2711
#2  0x00007ffff79f5524 in Gfx::doImage (this=0x5555557c4bc0, ref=0x7fffffffe360, 
    str=0x5555557fed40, inlineImg=false) at Gfx.cc:4704
#3  0x00007ffff79f3319 in Gfx::opXObject (this=0x5555557c4bc0, args=0x7fffffffe480, numArgs=1)
    at Gfx.cc:4213
#4  0x00007ffff79e01b6 in Gfx::execOp (this=0x5555557c4bc0, cmd=0x7fffffffe470, 
    args=0x7fffffffe480, numArgs=1) at Gfx.cc:909
#5  0x00007ffff79dfa44 in Gfx::go (this=0x5555557c4bc0, topLevel=true) at Gfx.cc:767
#6  0x00007ffff79df7ef in Gfx::display (this=0x5555557c4bc0, obj=0x7fffffffe7c0, topLevel=true)
    at Gfx.cc:729
#7  0x00007ffff7a4ac9e in Page::displaySlice (this=0x5555557ca9b0, out=0x5555557c71e0, hDPI=72, 
    vDPI=72, rotate=0, useMediaBox=false, crop=false, sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:601
#8  0x00007ffff7a4e973 in PDFDoc::displayPageSlice (this=0x5555557cb090, out=0x5555557c71e0, 
    page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=false, printing=true, sliceX=-1, 
    sliceY=-1, sliceW=-1, sliceH=-1, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:523
#9  0x000055555556107e in renderPage (doc=0x5555557cb090, cairoOut=0x5555557c71e0, pg=1, 
    page_w=384, page_h=764, output_w=384, output_h=764) at pdftocairo.cc:666
#10 0x0000555555562c7c in main (argc=2, argv=0x7fffffffeb48) at pdftocairo.cc:1197
(gdb) list
6131
6132      default:
6133        inp = in;
6134        for (j = 0; j < length; j++)
6135          for (i = 0; i < nComps; i++) {
6136            *inp = byte_lookup[*inp * nComps + i];
6137            inp++;
6138          }
6139        colorSpace->getGrayLine(in, out, length);
6140        break;
(gdb)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15565
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15565
[1] https://bugs.freedesktop.org/show_bug.cgi?id=103016

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
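As an added illustration, not part of the bug report and not poppler's code: a C re-creation of the loop shape from the gdb listing, with the unchecked form that faults on a NULL input line next to a guarded entry point, driven by a constructed soft-mask stream that runs out of rows. nComps, the byte_lookup layout, the gray conversion and the stream reader are assumptions for this example; the guard is a hypothetical hardening, not the upstream fix.

```c
#include <stddef.h>
/* Re-creation of the loop from the gdb listing (GfxState.cc:6133-6139), not
 * poppler's code. Assumed: byte_lookup has 256 * nComps entries indexed by
 * value * nComps + component; "gray" is the mean of the components (stand-in
 * for colorSpace->getGrayLine). As in the original, `in` is dereferenced
 * unchecked, so a NULL line faults at the first *inp, as at line 6136. */
static void gray_line_unchecked(unsigned char *in, unsigned char *out, int length,
                                int nComps, const unsigned char *byte_lookup)
{
    unsigned char *inp = in;
    for (int j = 0; j < length; j++)
        for (int i = 0; i < nComps; i++) {
            *inp = byte_lookup[*inp * nComps + i];
            inp++;
        }
    for (int j = 0; j < length; j++) {
        unsigned sum = 0;
        for (int i = 0; i < nComps; i++) sum += in[j * nComps + i];
        out[j] = (unsigned char)(sum / (unsigned)nComps);
    }
}

/* Hardened entry point (hypothetical, not the upstream fix): a NULL line is
 * reported as a decode failure to the caller instead of being dereferenced. */
int get_gray_line_checked(unsigned char *in, unsigned char *out, int length,
                          int nComps, const unsigned char *byte_lookup)
{
    if (in == NULL || out == NULL || length <= 0 || nComps <= 0) return -1;
    gray_line_unchecked(in, out, length, nComps, byte_lookup);
    return 0;
}

/* Constructed soft-mask stream: like a truncated image stream, its reader
 * yields NULL once the rows it actually holds are used up. */
typedef struct { unsigned char *data; int width, height, nComps, y; } mask_stream;
static unsigned char *mask_get_line(mask_stream *s)
{
    if (s->y >= s->height) return NULL;
    return s->data + (size_t)(s->y++) * s->width * s->nComps;
}

/* Drives `rows` rows through the checked path; returns how many were rejected. */
int render_mask_rows(mask_stream *s, int rows, unsigned char *gray, const unsigned char *lut)
{
    int rejected = 0;
    for (int r = 0; r < rows; r++)
        if (get_gray_line_checked(mask_get_line(s), gray + r * s->width, s->width, s->nComps, lut))
            rejected++;
    return rejected;
}
```

Asking for one more row than the stream holds reproduces the situation in the backtrace (a NULL line reaching the gray conversion); with the guard it is counted as a rejected row rather than dereferenced.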
