Created attachment 134155: a corpus of crashes

A NULL pointer dereference vulnerability is triggered in FoFiType1C::convertToType0 when I use pdftops to convert a PDF to a PS file. We can trace it with gdb:

# gdb -q ./utils/pdftops
Reading symbols from ./utils/pdftops...done.
(gdb) run crash.pdf
Starting program: /work/poppler-0.59.0/utils/pdftops "../output_ps/crashes/id:000000,sig:11,src:000001,op:flip1,pos:10912"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000544f85 in FoFiType1C::convertToType0 (this=<optimized out>, psName=<optimized out>, codeMap=<optimized out>, nCodes=<optimized out>, outputFunc=<optimized out>, outputStream=0xb48ab0) at FoFiType1C.cc:907
907	    if (privateDicts[fd].hasFontMatrix) {
(gdb) bt
#0  0x0000000000544f85 in FoFiType1C::convertToType0 (this=<optimized out>, psName=<optimized out>, codeMap=<optimized out>, nCodes=<optimized out>, outputFunc=<optimized out>, outputStream=0xb48ab0) at FoFiType1C.cc:907
#1  0x000000000048eab9 in PSOutputDev::setupEmbeddedCIDType0Font (this=0xb48e70, font=<optimized out>, id=0xb4c288, psName=0xb3e310) at PSOutputDev.cc:2655
#2  0x00000000004854e8 in PSOutputDev::setupFont (this=0xb48e70, font=<optimized out>, parentResDict=<optimized out>) at PSOutputDev.cc:1953
#3  0x000000000048339b in PSOutputDev::setupFonts (this=0xb48e70, resDict=0xb49910) at PSOutputDev.cc:1885
#4  0x00000000004804f1 in PSOutputDev::setupResources (this=0xb48e70, resDict=0xb49910) at PSOutputDev.cc:1798
#5  0x000000000047c2bf in PSOutputDev::writeDocSetup (this=0xb48e70, doc=<optimized out>, catalog=<optimized out>, pages=..., duplexA=<optimized out>) at PSOutputDev.cc:1696
#6  0x0000000000478f93 in PSOutputDev::postInit (this=<optimized out>) at PSOutputDev.cc:1455
#7  0x0000000000495a44 in PSOutputDev::checkPageSlice (this=0xb48e70, page=0xb49e20, rotateA=0, useMediaBox=<error reading variable: access outside bounds of object referenced via synthetic pointer>, crop=true, sliceX=-1, sliceY=-1, sliceW=0, sliceH=11836960, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>) at PSOutputDev.cc:3246
#8  0x0000000000701dd4 in Page::displaySlice (this=0xb49e20, out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=-1, sliceY=1, sliceW=12023799, sliceH=-1, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at Page.cc:539
#9  0x0000000000701d03 in Page::display (this=0xb4b4b2, out=0x85d300, hDPI=1.3980432860952889e-76, vDPI=2.3715151000379834e-322, rotate=11832208, useMediaBox=<optimized out>, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>) at Page.cc:481
#10 0x00000000004218f2 in PDFDoc::displayPage (this=0xb3df80, out=0xb48e70, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=0, useMediaBox=<error reading variable: access outside bounds of object referenced via synthetic pointer>, crop=<error reading variable: access outside bounds of object referenced via synthetic pointer>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at PDFDoc.cc:485
#11 0x0000000000408184 in main (argc=<optimized out>, argv=<optimized out>) at pdftops.cc:422

We can see the code at PSOutputDev.cc:2655:

  // convert it to a Type 0 font
  if ((fontBuf = font->readEmbFontFile(xref, &fontLen))) {
    if ((ffT1C = FoFiType1C::make(fontBuf, fontLen))) {
      if (globalParams->getPSLevel() >= psLevel3) {
        // Level 3: use a CID font
        ffT1C->convertToCIDType0(psName->getCString(), NULL, 0, outputFunc, outputStream);
      } else {
        // otherwise: use a non-CID composite font
        ffT1C->convertToType0(psName->getCString(), NULL, 0, outputFunc, outputStream);
      }
      delete ffT1C;
    }
    gfree(fontBuf);
  }

It creates a new FoFiType1C object with a null privateDicts and calls convertToType0, and at line 907 it accesses privateDicts directly without checking whether it has been initialized.

FoFiType1C *FoFiType1C::make(char *fileA, int lenA) {
  FoFiType1C *ff;

  ff = new FoFiType1C(fileA, lenA, gFalse);
  if (!ff->parse()) {
    delete ff;
    return NULL;
  }
  return ff;
}

FoFiType1C::FoFiType1C(char *fileA, int lenA, GBool freeFileDataA):
  FoFiBase(fileA, lenA, freeFileDataA)
{
  name = NULL;
  encoding = NULL;
  privateDicts = NULL;
  fdSelect = NULL;
  charset = NULL;
  charsetLength = 0;
}

void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes,
                                FoFiOutputFunc outputFunc, void *outputStream) {
  ...
    if (privateDicts[fd].hasFontMatrix) {
  ...
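To make the missing check concrete, here is an added C++ model of the access pattern at FoFiType1C.cc:907. It is written for this page and is not poppler's code or its eventual fix: the types and names (PrivDict, Type1CFont, lookupFd, emitFontMatrixUnguarded, emitFontMatrixGuarded, the nFDs field and the three constructed fonts) are assumptions for the illustration. The unguarded function reproduces the shape of the crashing line, indexing privateDicts[fd] with no check that the array exists or that fd is in range; the guarded form refuses the access when privateDicts is NULL or fd falls outside [0, nFDs), which covers both the NULL dereference reported here and the out-of-bounds read a malformed FDSelect would cause.

```cpp
// Added illustrative model, not poppler source. PrivDict, Type1CFont,
// lookupFd, emitFontMatrixUnguarded, emitFontMatrixGuarded, nFDs and the
// constructed fonts below are assumptions made for this demonstration.
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for one CFF Private DICT entry.
struct PrivDict {
    bool hasFontMatrix;
    double fontMatrix[6];
};

// Stand-in for the parsed font state that convertToType0 reads.
// privateDicts starts NULL, as in the constructor quoted in the report,
// and is only allocated by a (hypothetical) successful parse step.
struct Type1CFont {
    PrivDict *privateDicts = nullptr;  // nFDs entries, or NULL if never parsed
    int nFDs = 0;                      // assumed: number of FDArray entries
    std::vector<int> fdSelect;         // glyph -> FD index; empty for non-CID
};

// Glyph to FD mapping. A CIDFont's FDSelect maps each glyph to an FD index;
// a non-CID font has no FDSelect and uses FD 0. A malformed FDSelect can
// yield an index outside [0, nFDs), so the caller must range-check it.
static int lookupFd(const Type1CFont &ff, int gid) {
    if (gid >= 0 && static_cast<size_t>(gid) < ff.fdSelect.size())
        return ff.fdSelect[gid];
    return 0;
}

// Shape of FoFiType1C.cc:907 as quoted in the report: privateDicts[fd] is
// indexed with no NULL or range check. Only call this with a valid font;
// on an unparsed font it dereferences NULL (the reported SIGSEGV).
static bool emitFontMatrixUnguarded(const Type1CFont &ff, int gid, std::string &out) {
    int fd = lookupFd(ff, gid);
    if (ff.privateDicts[fd].hasFontMatrix) {
        out += "/FontMatrix [...] def\n";
        return true;
    }
    return false;
}

// Hardened form: skip the FontMatrix when the dictionaries were never
// allocated or fd is outside the allocated range. Malformed input yields
// "nothing emitted" instead of a crash or an out-of-bounds read.
static bool emitFontMatrixGuarded(const Type1CFont &ff, int gid, std::string &out) {
    int fd = lookupFd(ff, gid);
    if (ff.privateDicts == nullptr || fd < 0 || fd >= ff.nFDs)
        return false;
    if (ff.privateDicts[fd].hasFontMatrix) {
        out += "/FontMatrix [...] def\n";
        return true;
    }
    return false;
}

// Constructed test fonts (not real CFF data): FD 0 carries a FontMatrix,
// FD 1 does not.
static PrivDict gDicts[2] = {
    {true,  {0.001, 0, 0, 0.001, 0, 0}},
    {false, {0, 0, 0, 0, 0, 0}},
};

static Type1CFont validFont() {          // well-formed: two FDs, FDSelect in range
    Type1CFont ff;
    ff.privateDicts = gDicts;
    ff.nFDs = 2;
    ff.fdSelect = {0, 1};
    return ff;
}
static Type1CFont unparsedFont() {       // privateDicts still NULL
    return Type1CFont();
}
static Type1CFont badFdSelectFont() {    // FDSelect points past the FDArray
    Type1CFont ff = validFont();
    ff.fdSelect = {0, 7};
    return ff;
}

// Convenience wrappers returning only the emit decision.
static bool guardedEmits(const Type1CFont &ff, int gid) {
    std::string s;
    return emitFontMatrixGuarded(ff, gid, s);
}
static bool unguardedEmits(const Type1CFont &ff, int gid) {
    std::string s;
    return emitFontMatrixUnguarded(ff, gid, s);
}

int main() {
    std::printf("valid gid0 guarded=%d unguarded=%d\n",
                guardedEmits(validFont(), 0), unguardedEmits(validFont(), 0));
    std::printf("unparsed gid0 guarded=%d (unguarded would SIGSEGV)\n",
                guardedEmits(unparsedFont(), 0));
    std::printf("bad FDSelect gid1 guarded=%d (unguarded would read OOB)\n",
                guardedEmits(badFdSelectFont(), 1));
    return 0;
}
```

The guarded path deliberately returns false rather than aborting: for a font converter invoked from a PostScript writer, dropping an optional FontMatrix on a malformed embedded font is the safer failure mode, and the decision is made before any pointer into the dictionary array is formed.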
Fixed