CVE-2020-36024: NULL-Pointer Dereference in `FoFiType1C::convertToType1` (#1016) · Issues · poppler / poppler · GitLab
An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file passed to the FoFiType1C::convertToType1 function.
```cpp
299     } else {
300         (*outputFunc)(outputStream, "256 array\n", 10);
301         (*outputFunc)(outputStream, "0 1 255 {1 index exch /.notdef put} for\n", 40);
302         enc = newEncoding ? newEncoding : (const char **)encoding;
303         for (i = 0; i < 256; ++i) {
→ 304           if (enc[i]) { // enc == 0
305                 buf = GooString::format("dup {0:d} /{1:s} put\n", i, enc[i]);
306                 (*outputFunc)(outputStream, buf->c_str(), buf->getLength());
307                 delete buf;
308             }
309         }
```
`enc == 0` at line 304.
```asm
   0x7c6e5d <FoFiType1C::convertToType1(char+0> shr rax, 0x3
   0x7c6e61 <FoFiType1C::convertToType1(char+0> cmp BYTE PTR [rax+0x7fff8000], 0x0
   0x7c6e68 <FoFiType1C::convertToType1(char+0> jne 0x7c9bfe <FoFiType1C::convertToType1(char const*, char const**, bool, void (*)(void*, char const*, int), void*)+17710>
→  0x7c6e6e <FoFiType1C::convertToType1(char+0> mov rdx, QWORD PTR [r15]
   0x7c6e71 <FoFiType1C::convertToType1(char+0> test rdx, rdx
   0x7c6e74 <FoFiType1C::convertToType1(char+0> je 0x7c6df8 <FoFiType1C::convertToType1(char const*, char const**, bool, void (*)(void*, char const*, int), void*)+5928>
   0x7c6e76 <FoFiType1C::convertToType1(char+0> mov rax, QWORD PTR [rip+0x926943] # 0x10ed7c0 <__afl_area_ptr>
   0x7c6e7d <FoFiType1C::convertToType1(char+0> add BYTE PTR [rax+0x4f23], 0x1
   0x7c6e84 <FoFiType1C::convertToType1(char+0> mov DWORD PTR fs:[r13+0x0], 0x245f
```
```text
gef➤ print $r15
$7 = 0x0

[#0] 0x7c6e6e → FoFiType1C::convertToType1(this=<optimized out>, psName=0x603000019360 "ERGTBC+#3ceoSansIntel", newEncoding=<optimized out>, ascii=<optimized out>, outputFunc=<optimized out>, outputStream=<optimized out>)
[#1] 0x6346ca → PSOutputDev::setupEmbeddedType1CFont(this=0x619000000f80, font=<optimized out>, id=<optimized out>, psName=<optimized out>)
[#2] 0x629553 → PSOutputDev::setupFont(this=0x619000000f80, font=<optimized out>, parentResDict=<optimized out>)
[#3] 0x62630c → PSOutputDev::setupFonts(this=<optimized out>, resDict=0x6070000020f0)
[#4] 0x622f01 → PSOutputDev::setupResources(this=0x619000000f80, resDict=0x6070000020f0)
[#5] 0x61da18 → PSOutputDev::writeDocSetup(this=0x619000000f80, catalog=<optimized out>, pageList=<optimized out>, duplexA=<optimized out>)
[#6] 0x6195db → PSOutputDev::postInit(this=0x619000000f80)
[#7] 0x6406e9 → PSOutputDev::checkPageSlice(this=<optimized out>, page=<optimized out>, rotateA=<optimized out>, useMediaBox=<optimized out>, crop=0x1, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>)
[#8] 0xa31aad → Page::displaySlice(this=<optimized out>, out=0x619000000f80, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
[#9] 0xa31944 → Page::display(this=0x61a0000006a0, out=0x14, hDPI=1.5817496953307363e-153, vDPI=9.041152192150418e+271, rotate=0x0, useMediaBox=0x0, crop=0x0, printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>)
```
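The crash site is easy to read once the two sources of `enc` are kept in mind: line 302 picks the caller-supplied `newEncoding` and otherwise falls back to the `encoding` table the CFF parser fills in, and line 304 indexes whichever was chosen without checking that either exists. The gef output shows `r15 == 0`, so for this file both were null and `mov rdx, [r15]` reads from address 0. That page is unmapped in any normal process, so the result is a deterministic crash (the DoS the CVE describes) rather than a controllable write. The example below is an added illustration, not poppler's code and not the fix the project shipped: it models lines 299-309 with the same `outputFunc(stream, bytes, len)` callback shape, runs the unguarded loop on a constructed encoding table, and shows a hypothetical guarded variant that skips the `dup` loop when no table exists (every code already maps to `/.notdef` from the `for` line emitted just before). `SampleEncoding`, `emitEncoding`, `renderEncoding` and the glyph names are constructed for the example.

```cpp
#include <iostream>
#include <string>

// Same callback shape as poppler's outputFunc: (stream, bytes, length).
typedef void (*OutputFunc)(void *stream, const char *data, int len);

// Constructed sink for the example: append the bytes to a std::string.
static void appendToString(void *stream, const char *data, int len) {
    static_cast<std::string *>(stream)->append(data, len);
}

// Constructed stand-in for a parsed CFF encoding: 256 slots, mostly empty.
struct SampleEncoding {
    const char *names[256] = {};
    SampleEncoding() {
        names[32] = "space";
        names[65] = "A";
        names[66] = "B";
    }
};

// Models lines 299-309 of convertToType1. `fontEncoding` plays the role of
// the `encoding` member filled in by the CFF parser; `newEncoding` is the
// caller's override. Returns the number of "dup N /name put" lines written,
// or -1 when `guarded` is set and no encoding table exists at all.
static int emitEncoding(const char **newEncoding, const char **fontEncoding,
                        bool guarded, OutputFunc outputFunc, void *outputStream) {
    (*outputFunc)(outputStream, "256 array\n", 10);
    (*outputFunc)(outputStream, "0 1 255 {1 index exch /.notdef put} for\n", 40);
    const char **enc = newEncoding ? newEncoding : fontEncoding;

    // Hypothetical guarded variant (not poppler's fix): with neither table
    // present every code already maps to /.notdef via the "for" line above,
    // so there is nothing to add and no pointer to follow.
    if (guarded && enc == nullptr) {
        return -1;
    }

    // Unguarded path: when enc == nullptr the read of enc[0] is the crash at
    // line 304 (mov rdx, [r15] with r15 == 0 in the gef output).
    int written = 0;
    for (int i = 0; i < 256; ++i) {
        if (enc[i]) {
            std::string line = "dup " + std::to_string(i) + " /" + enc[i] + " put\n";
            (*outputFunc)(outputStream, line.c_str(), static_cast<int>(line.size()));
            ++written;
        }
    }
    return written;
}

struct RenderResult {
    int written;
    std::string ps;
};

// Convenience wrapper that collects the emitted PostScript text in memory.
static RenderResult renderEncoding(const char **newEncoding,
                                   const char **fontEncoding, bool guarded) {
    RenderResult r;
    r.written = emitEncoding(newEncoding, fontEncoding, guarded, appendToString, &r.ps);
    return r;
}

int main() {
    SampleEncoding sample;
    RenderResult ok = renderEncoding(nullptr, sample.names, false);
    std::cout << "parsed encoding present, " << ok.written << " entries:\n" << ok.ps;

    // The CVE's input state: no override and no parsed encoding. Unguarded,
    // this would dereference NULL; guarded, it emits only the .notdef table.
    RenderResult crashInput = renderEncoding(nullptr, nullptr, true);
    std::cout << "no encoding at all, guarded result " << crashInput.written << ":\n"
              << crashInput.ps;
    return 0;
}
```

Calling `renderEncoding(nullptr, nullptr, false)` reproduces the fault pattern from the report (a read at address 0 inside the loop); the guarded call with the same inputs returns -1 and a table that maps every code to `/.notdef`, which is the state the preceding `for` line already establishes. Whether silently degrading to `.notdef` is the right behaviour for a font with a missing or malformed encoding is a policy choice for the project; the point here is only that the null check must precede the index.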
Related news
Ubuntu Security Notice USN-6299-1
Ubuntu Security Notice 6299-1 - It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service.