Bug 697018 - mutool/mupdf: stack-based buffer overflow after an infinite loop in fz_flush_warnings (error.c)
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: fuzzing
Version: 1.9
Hardware: PC Linux
Importance: P4 normal
Assignee: MuPDF bugs
URL:
Keywords:
Duplicates: 697016 697017
Depends on:
Blocks:

Reported: 2016-08-05 07:40 UTC by Agostino Sarubbo
Modified: 2016-09-22 08:57 UTC

See Also:
Customer:
Word Size: ---


Attachments
reproducer (7.11 KB, application/pdf), 2016-08-05 07:40 UTC, Agostino Sarubbo
stacktrace bzipped (4.30 KB, application/x-bzip), 2016-08-05 07:42 UTC, Agostino Sarubbo

Description Agostino Sarubbo 2016-08-05 07:40:50 UTC
Created attachment 12815
reproducer

Hello,

there is a stack overflow after an infinite loop triggered from a crafted file.

I'm attaching:
1) The reproducer;
2) The stacktrace provided by Address Sanitizer;

Feel free to edit the summary if it gives a better description of the issue.
Comment 1 Agostino Sarubbo 2016-08-05 07:42:44 UTC
Created attachment 12816
stacktrace bzipped
Comment 2 Sebastian Rasmussen 2016-09-21 06:53:25 UTC
I can confirm that address sanitizer is complaining when I'm using the following command (please note that mutool draw -s t ./reproducer.pdf works fine!):

git checkout 1.9a && git submodule update --init && make -j10 nuke && LDFLAGS=-fsanitize=address make -j10 CC=clang-3.8 XCFLAGS=-fsanitize=address && ./build/debug/mutool info ./reproducer.pdf

The same issue manifests itself on master (currently 80ba0e2).
Comment 3 Agostino Sarubbo 2016-09-21 07:01:16 UTC
The command to reproduce the issue is:
# mutool info $REPRODUCER
Comment 4 Sebastian Rasmussen 2016-09-22 05:18:12 UTC
Fixed in commit fdf71862fe929b4560e9f632d775c50313d6ef02
Comment 5 Sebastian Rasmussen 2016-09-22 08:22:16 UTC
*** Bug 697017 has been marked as a duplicate of this bug. ***
Comment 6 Sebastian Rasmussen 2016-09-22 08:57:03 UTC
*** Bug 697016 has been marked as a duplicate of this bug. ***