Created attachment 15024
poc pdf

There is an invalid write in ensure_solid_xref in pdf/pdf-xref.c.

command: ./mutool draw poc.pdf

    warning: unknown PDF version: 0.0
    warning: broken xref section. proceeding anyway.
    warning: broken xref section, proceeding anyway.
    warning: ... repeated 2 times ...
    warning: broken xref section. proceeding anyway.
    warning: broken xref section, proceeding anyway.
    Segmentation fault

analysis with: valgrind --tools=memcheck --leak-check=full

    ==25052== Memcheck, a memory error detector
    ==25052== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==25052== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==25052== Command: ./mutool draw poc.pdf
    ==25052==
    warning: unknown PDF version: 0.0
    warning: broken xref section. proceeding anyway.
    warning: broken xref section, proceeding anyway.
    warning: ... repeated 2 times ...
    warning: broken xref section. proceeding anyway.
    warning: broken xref section, proceeding anyway.
    ==25052== Invalid write of size 8
    ==25052==    at 0x5096E1: ensure_solid_xref (pdf-xref.c:211)
    ==25052==    by 0x50B56B: pdf_xref_find_subsection (pdf-xref.c:825)
    ==25052==    by 0x50B818: pdf_read_old_xref (pdf-xref.c:882)
    ==25052==    by 0x50C31E: pdf_read_xref (pdf-xref.c:1080)
    ==25052==    by 0x50C4ED: read_xref_section (pdf-xref.c:1128)
    ==25052==    by 0x50C709: pdf_read_xref_sections (pdf-xref.c:1177)
    ==25052==    by 0x50C8F2: pdf_load_xref (pdf-xref.c:1233)
    ==25052==    by 0x50D092: pdf_init_document (pdf-xref.c:1371)
    ==25052==    by 0x50F94B: pdf_open_document (pdf-xref.c:2285)
    ==25052==    by 0x438E8B: fz_open_document (document.c:158)
    ==25052==    by 0x4084FA: mudraw_main (mudraw.c:1882)
    ==25052==    by 0x402C2D: main (mutool.c:127)
    ==25052==  Address 0x14bc8f625e78 is not stack'd, malloc'd or (recently) free'd
    ==25052==
    ==25052==
    ==25052== Process terminating with default action of signal 11 (SIGSEGV)
    ==25052==  Access not within mapped region at address 0x14BC8F625E78
    ==25052==    at 0x5096E1: ensure_solid_xref (pdf-xref.c:211)
    ==25052==    by 0x50B56B: pdf_xref_find_subsection (pdf-xref.c:825)
    ==25052==    by 0x50B818: pdf_read_old_xref (pdf-xref.c:882)
    ==25052==    by 0x50C31E: pdf_read_xref (pdf-xref.c:1080)
    ==25052==    by 0x50C4ED: read_xref_section (pdf-xref.c:1128)
    ==25052==    by 0x50C709: pdf_read_xref_sections (pdf-xref.c:1177)
    ==25052==    by 0x50C8F2: pdf_load_xref (pdf-xref.c:1233)
    ==25052==    by 0x50D092: pdf_init_document (pdf-xref.c:1371)
    ==25052==    by 0x50F94B: pdf_open_document (pdf-xref.c:2285)
    ==25052==    by 0x438E8B: fz_open_document (document.c:158)
    ==25052==    by 0x4084FA: mudraw_main (mudraw.c:1882)
    ==25052==    by 0x402C2D: main (mutool.c:127)
    ==25052==  If you believe this happened as a result of a stack
    ==25052==  overflow in your program's main thread (unlikely but
    ==25052==  possible), you can try to increase the size of the
    ==25052==  main thread stack using the --main-stacksize= flag.
    ==25052==  The main thread stack size used in this run was 8388608.
    ==25052==
    ==25052== HEAP SUMMARY:
    ==25052==     in use at exit: 581,686 bytes in 84 blocks
    ==25052==   total heap usage: 99 allocs, 15 frees, 591,023 bytes allocated
    ==25052==
    ==25052== LEAK SUMMARY:
    ==25052==    definitely lost: 0 bytes in 0 blocks
    ==25052==    indirectly lost: 0 bytes in 0 blocks
    ==25052==      possibly lost: 0 bytes in 0 blocks
    ==25052==    still reachable: 581,686 bytes in 84 blocks
    ==25052==         suppressed: 0 bytes in 0 blocks
    ==25052== Reachable blocks (those to which a pointer was found) are not shown.
    ==25052== To see them, rerun with: --leak-check=full --show-leak-kinds=all
    ==25052==
    ==25052== For counts of detected and suppressed errors, rerun with: -v
    ==25052== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault

Crash happened at ensure_solid_xref (pdf-xref.c:211):

    209     for (i = 0; i < sub->len; i++)
    210     {
    211         new_sub->table[i + sub->start] = sub->table[i];
    212     }

The variable "sub->start" is a big number at run time, which causes this crash.

You can reproduce this crash with the attachment file.
Credits: "Trusted Operating System and System Assurance Working Group, TCA, Institute of Software, Chinese Academy of Sciences"
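As an added illustration, not code from this report, from mupdf, or from the fix commit referenced below: a simplified model of the copy loop at pdf-xref.c:211 next to a bounds-checked version that refuses a subsection whose start and length do not fit the destination table. The `xref_subsec` type, the `long` entries and the function names are assumptions chosen for the example.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for an xref subsection: `start` is the first object
 * number it covers, `len` the entry count, `table` the entries (assumption,
 * not mupdf's pdf_xref_subsec / pdf_xref_entry). */
typedef struct {
    int start;
    int len;
    const long *table;
} xref_subsec;

/* Unchecked copy, mirroring the loop in the report: a hostile `start`
 * makes i + start index far outside `solid`. Never called here. */
static void copy_unchecked(long *solid, const xref_subsec *sub)
{
    for (int i = 0; i < sub->len; i++)
        solid[i + sub->start] = sub->table[i];
}

/* Hardened copy: `solid` holds `solid_len` entries, so the subsection must
 * satisfy 0 <= start, 0 <= len and start + len <= solid_len. The last test is
 * written as start <= solid_len - len so it cannot overflow an int.
 * Returns 0 when copied, -1 when the subsection is rejected. */
static int copy_checked(long *solid, int solid_len, const xref_subsec *sub)
{
    if (solid_len < 0 || sub->start < 0 || sub->len < 0)
        return -1;
    if (sub->start > solid_len - sub->len)
        return -1;
    for (int i = 0; i < sub->len; i++)
        solid[i + sub->start] = sub->table[i];
    return 0;
}

int main(void)
{
    long solid[8] = {0};
    const long entries[3] = {11, 22, 33};
    xref_subsec good = {2, 3, entries};           /* fits: 2..4 of 0..7 */
    xref_subsec huge = {INT_MAX - 1, 3, entries}; /* the report's failure mode */
    (void)copy_unchecked;
    printf("good: %d\n", copy_checked(solid, 8, &good)); /* 0 */
    printf("huge: %d\n", copy_checked(solid, 8, &huge)); /* -1 */
    return 0;
}
```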
Patch for CVE-2018-6192 (Bug 698916) does not solve this issue; it still crashes.
This appears to have been fixed just after 1.12.0 in: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731