Bug#879066: poppler: CVE-2017-15565: NULL pointer dereference vulnerability in GfxState.cc
Salvatore Bonaccorso
carnil at debian.org
Wed Oct 18 20:27:53 UTC 2017
Source: poppler
Version: 0.57.0-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=103016
Hi,
the following vulnerability was published for poppler.
CVE-2017-15565[0]:
| In Poppler 0.59.0, a NULL Pointer Dereference exists in the
| GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted
| PDF document.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a20501 in GfxImageColorMap::getGrayLine (this=0x5555557edea0, in=0x0,
out=0x5555557ee360 "", length=331) at GfxState.cc:6136
6136 *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0 0x00007ffff7a20501 in GfxImageColorMap::getGrayLine (this=0x5555557edea0, in=0x0,
out=0x5555557ee360 "", length=331) at GfxState.cc:6136
#1 0x000055555556d758 in CairoOutputDev::drawSoftMaskedImage (this=0x5555557c71e0,
state=0x5555557d6220, ref=0x7fffffffe360, str=0x5555557fed40, width=331, height=58,
colorMap=0x7fffffffde10, interpolate=false, maskStr=0x5555558072d0, maskWidth=331,
maskHeight=58, maskColorMap=0x5555557edea0, maskInterpolate=false) at CairoOutputDev.cc:2711
#2 0x00007ffff79f5524 in Gfx::doImage (this=0x5555557c4bc0, ref=0x7fffffffe360,
str=0x5555557fed40, inlineImg=false) at Gfx.cc:4704
#3 0x00007ffff79f3319 in Gfx::opXObject (this=0x5555557c4bc0, args=0x7fffffffe480, numArgs=1)
at Gfx.cc:4213
#4 0x00007ffff79e01b6 in Gfx::execOp (this=0x5555557c4bc0, cmd=0x7fffffffe470,
args=0x7fffffffe480, numArgs=1) at Gfx.cc:909
#5 0x00007ffff79dfa44 in Gfx::go (this=0x5555557c4bc0, topLevel=true) at Gfx.cc:767
#6 0x00007ffff79df7ef in Gfx::display (this=0x5555557c4bc0, obj=0x7fffffffe7c0, topLevel=true)
at Gfx.cc:729
#7 0x00007ffff7a4ac9e in Page::displaySlice (this=0x5555557ca9b0, out=0x5555557c71e0, hDPI=72,
vDPI=72, rotate=0, useMediaBox=false, crop=false, sliceX=-1, sliceY=-1, sliceW=-1,
sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:601
#8 0x00007ffff7a4e973 in PDFDoc::displayPageSlice (this=0x5555557cb090, out=0x5555557c71e0,
page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=false, printing=true, sliceX=-1,
sliceY=-1, sliceW=-1, sliceH=-1, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:523
#9 0x000055555556107e in renderPage (doc=0x5555557cb090, cairoOut=0x5555557c71e0, pg=1,
page_w=384, page_h=764, output_w=384, output_h=764) at pdftocairo.cc:666
#10 0x0000555555562c7c in main (argc=2, argv=0x7fffffffeb48) at pdftocairo.cc:1197
(gdb) list
6131
6132 default:
6133 inp = in;
6134 for (j = 0; j < length; j++)
6135 for (i = 0; i < nComps; i++) {
6136 *inp = byte_lookup[*inp * nComps + i];
6137 inp++;
6138 }
6139 colorSpace->getGrayLine(in, out, length);
6140 break;
(gdb)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15565
[1] https://bugs.freedesktop.org/show_bug.cgi?id=103016
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
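Added example, not code from the poppler project or from the reporter: a small C model of the getGrayLine loop quoted in the listing above and of a caller that reads soft-mask lines one at a time, showing how a NULL line pointer reaches the in-place byte_lookup pass (the dereference at GfxState.cc:6136 in the backtrace) and the caller-side check that keeps it from getting there. The stream type, image_stream_get_line, draw_soft_mask, run_example, the inverting lookup table and the sample mask bytes are all constructed for this example; the check shown is an illustration of the defensive pattern and is not a statement of what the upstream fix does.

```c
/* Model of the CVE-2017-15565 crash pattern. Constructed example; not
 * poppler's code and not the upstream fix. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_COMPS 1   /* gray soft mask: one component per sample */

/* Constructed lookup table. poppler builds byte_lookup from the colour
 * space's Decode array; here it inverts, as a Decode [1 0] would. */
static unsigned char byte_lookup[256 * N_COMPS];

static void init_lookup(void) {
    for (int i = 0; i < 256 * N_COMPS; i++)
        byte_lookup[i] = (unsigned char)(255 - (i / N_COMPS));
}

/* Mirrors the "default:" branch from the gdb listing: applies byte_lookup
 * in place on `in`, then hands the line to the gray conversion (identity
 * for a one-component space). Like the original it dereferences `in`
 * unconditionally, so in == NULL faults on the first *inp read. */
static void get_gray_line_unchecked(unsigned char *in, unsigned char *out, int length) {
    unsigned char *inp = in;
    for (int j = 0; j < length; j++)
        for (int i = 0; i < N_COMPS; i++) {
            *inp = byte_lookup[*inp * N_COMPS + i];
            inp++;
        }
    memcpy(out, in, (size_t)length);   /* stand-in for colorSpace->getGrayLine */
}

/* Constructed stand-in for an image stream. A crafted PDF can declare a
 * /Height larger than the data the stream actually carries. */
typedef struct {
    const unsigned char *data;
    size_t len;
    int width;
    int row;
} image_stream_t;

/* Returns the next line in `buf`, or NULL when the stream is exhausted
 * before the declared height is reached. */
static unsigned char *image_stream_get_line(image_stream_t *s, unsigned char *buf) {
    size_t off = (size_t)s->row * (size_t)s->width;
    if (off + (size_t)s->width > s->len) return NULL;   /* truncated stream */
    memcpy(buf, s->data + off, (size_t)s->width);
    s->row++;
    return buf;
}

/* Caller in the spirit of the drawSoftMaskedImage frame in the backtrace:
 * reads each soft-mask line and converts it to gray. Returns the number of
 * lines converted, or -1 if a line could not be read. Without the NULL
 * check the NULL from a short stream would be passed straight into the
 * lookup loop above, which is the crash this bug report describes. */
static int draw_soft_mask(image_stream_t *s, int height, unsigned char *gray_out) {
    unsigned char *line = malloc((size_t)s->width);
    if (!line) return -1;
    for (int y = 0; y < height; y++) {
        unsigned char *pix = image_stream_get_line(s, line);
        if (pix == NULL) {            /* the check that prevents the NULL deref */
            free(line);
            return -1;
        }
        get_gray_line_unchecked(pix, gray_out + (size_t)y * (size_t)s->width, s->width);
    }
    free(line);
    return height;
}

/* Constructed 4x2 soft mask (8 samples). `claimed_height` plays the role of
 * the /Height the crafted dictionary declares; out receives the gray
 * samples and must hold at least claimed_height * 4 bytes. */
int run_example(int claimed_height, unsigned char *out, size_t out_len) {
    static const unsigned char mask_data[8] = {0, 64, 128, 255, 10, 20, 30, 40};
    image_stream_t s = { mask_data, sizeof mask_data, 4, 0 };
    init_lookup();
    if (claimed_height < 0 || out_len < (size_t)claimed_height * 4) return -1;
    return draw_soft_mask(&s, claimed_height, out);
}

int main(void) {
    unsigned char out[16];
    printf("declared height 2 (matches data): %d lines\n", run_example(2, out, sizeof out));
    printf("declared height 3 (stream short):  %d (refused, no NULL deref)\n",
           run_example(3, out, sizeof out));
    return 0;
}
```

The point of the split between the two functions is where the check belongs: the lookup loop has no way to recover once it holds a NULL `in`, so the read that can fail is the place to test, before the pointer is handed on.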