Bug 699225 - An invalid write in ensure_solid_xref in pdf/pdf_xref.c
Summary: An invalid write in ensure_solid_xref in pdf/pdf_xref.c
Status: RESOLVED WORKSFORME
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: 1.12.0
Hardware: PC Linux
Importance: P4 critical
Assignee: MuPDF bugs
Reported: 2018-04-16 05:04 UTC by fuyu
Modified: 2018-04-16 10:59 UTC


Attachments
poc pdf (519 bytes, application/pdf)
2018-04-16 05:04 UTC, fuyu

Description fuyu 2018-04-16 05:04:36 UTC
Created attachment 15024 [details]
poc pdf

There is an invalid write in ensure_solid_xref in pdf/pdf_xref.c

command: ./mutool draw poc.pdf 
warning: unknown PDF version: 0.0
warning: broken xref section. proceeding anyway.
warning: broken xref section, proceeding anyway.
warning: ... repeated 2 times ...
warning: broken xref section. proceeding anyway.
warning: broken xref section, proceeding anyway.
Segmentation fault

analysis with: valgrind --tool=memcheck --leak-check=full
==25052== Memcheck, a memory error detector
==25052== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25052== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==25052== Command: ./mutool draw poc.pdf
==25052== 
warning: unknown PDF version: 0.0
warning: broken xref section. proceeding anyway.
warning: broken xref section, proceeding anyway.
warning: ... repeated 2 times ...
warning: broken xref section. proceeding anyway.
warning: broken xref section, proceeding anyway.
==25052== Invalid write of size 8
==25052==    at 0x5096E1: ensure_solid_xref (pdf-xref.c:211)
==25052==    by 0x50B56B: pdf_xref_find_subsection (pdf-xref.c:825)
==25052==    by 0x50B818: pdf_read_old_xref (pdf-xref.c:882)
==25052==    by 0x50C31E: pdf_read_xref (pdf-xref.c:1080)
==25052==    by 0x50C4ED: read_xref_section (pdf-xref.c:1128)
==25052==    by 0x50C709: pdf_read_xref_sections (pdf-xref.c:1177)
==25052==    by 0x50C8F2: pdf_load_xref (pdf-xref.c:1233)
==25052==    by 0x50D092: pdf_init_document (pdf-xref.c:1371)
==25052==    by 0x50F94B: pdf_open_document (pdf-xref.c:2285)
==25052==    by 0x438E8B: fz_open_document (document.c:158)
==25052==    by 0x4084FA: mudraw_main (mudraw.c:1882)
==25052==    by 0x402C2D: main (mutool.c:127)
==25052==  Address 0x14bc8f625e78 is not stack'd, malloc'd or (recently) free'd
==25052== 
==25052== 
==25052== Process terminating with default action of signal 11 (SIGSEGV)
==25052==  Access not within mapped region at address 0x14BC8F625E78
==25052==    at 0x5096E1: ensure_solid_xref (pdf-xref.c:211)
==25052==    by 0x50B56B: pdf_xref_find_subsection (pdf-xref.c:825)
==25052==    by 0x50B818: pdf_read_old_xref (pdf-xref.c:882)
==25052==    by 0x50C31E: pdf_read_xref (pdf-xref.c:1080)
==25052==    by 0x50C4ED: read_xref_section (pdf-xref.c:1128)
==25052==    by 0x50C709: pdf_read_xref_sections (pdf-xref.c:1177)
==25052==    by 0x50C8F2: pdf_load_xref (pdf-xref.c:1233)
==25052==    by 0x50D092: pdf_init_document (pdf-xref.c:1371)
==25052==    by 0x50F94B: pdf_open_document (pdf-xref.c:2285)
==25052==    by 0x438E8B: fz_open_document (document.c:158)
==25052==    by 0x4084FA: mudraw_main (mudraw.c:1882)
==25052==    by 0x402C2D: main (mutool.c:127)
==25052==  If you believe this happened as a result of a stack
==25052==  overflow in your program's main thread (unlikely but
==25052==  possible), you can try to increase the size of the
==25052==  main thread stack using the --main-stacksize= flag.
==25052==  The main thread stack size used in this run was 8388608.
==25052== 
==25052== HEAP SUMMARY:
==25052==     in use at exit: 581,686 bytes in 84 blocks
==25052==   total heap usage: 99 allocs, 15 frees, 591,023 bytes allocated
==25052== 
==25052== LEAK SUMMARY:
==25052==    definitely lost: 0 bytes in 0 blocks
==25052==    indirectly lost: 0 bytes in 0 blocks
==25052==      possibly lost: 0 bytes in 0 blocks
==25052==    still reachable: 581,686 bytes in 84 blocks
==25052==         suppressed: 0 bytes in 0 blocks
==25052== Reachable blocks (those to which a pointer was found) are not shown.
==25052== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==25052== 
==25052== For counts of detected and suppressed errors, rerun with: -v
==25052== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault


Crash happened at ensure_solid_xref (pdf-xref.c:211):
  209  for (i = 0; i < sub->len; i++)
  210  {
  211    new_sub->table[i + sub->start] = sub->table[i];
  212  }
The variable "sub->start" is a big number at run time, which causes this crash.

You can reproduce this crash with the attachment file.


Credits: "Trusted Operating System and System Assurance Working Group, TCA, Institute of Software, Chinese Academy of Sciences"
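The defect the report points at is an unchecked `start` when subsection entries are copied into a flat table. The following is an added illustration, not MuPDF's code: a simplified stand-in for the xref subsection chain (the `subsec` type, field names and the `solidify_xref` function are assumptions) whose merge step rejects any subsection whose `[start, start+len)` range does not fit inside the destination table, instead of writing through `out[start + i]` unconditionally.

```c
#include <stdlib.h>

/* Simplified stand-in for an xref subsection (assumed; not MuPDF's type). */
typedef struct subsec {
    int start;            /* first object number covered by this subsection */
    int len;              /* number of entries in table */
    long *table;          /* constructed: one offset per entry */
    struct subsec *next;  /* next subsection in the chain */
} subsec;

/* Merge a chain of subsections into one flat table of num entries.
 * Returns 0 on success, -1 if any subsection lies outside [0, num).
 * The unchecked loop quoted in the report would index past the
 * allocation in exactly that case. */
int solidify_xref(const subsec *sub, int num, long *out)
{
    int i;
    for (; sub != NULL; sub = sub->next) {
        /* Reject negative fields and any range that does not fit; the
         * subtraction form avoids overflow in start + len. */
        if (sub->start < 0 || sub->len < 0 || sub->start > num - sub->len)
            return -1;
        for (i = 0; i < sub->len; i++)
            out[sub->start + i] = sub->table[i];
    }
    return 0;
}

/* Constructed sample: a single well-formed subsection starting at 0. */
int demo_sane(void)
{
    long t0[3] = {15, 77, 120};
    subsec s0 = {0, 3, t0, NULL};
    long out[4] = {0, 0, 0, 0};
    if (solidify_xref(&s0, 4, out) != 0)
        return -1;
    return (int)out[2];   /* entry copied to index start + 2 */
}

/* Constructed sample: a second subsection with a huge start, the shape
 * of the condition the report describes; it must be refused. */
int demo_bogus(void)
{
    long t1[2] = {9, 9};
    subsec s1 = {1000000000, 2, t1, NULL};
    long t0[1] = {15};
    subsec s0 = {0, 1, t0, &s1};
    long out[4] = {0, 0, 0, 0};
    return solidify_xref(&s0, 4, out);
}
```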
Comment 1 fuyu 2018-04-16 05:29:35 UTC
Patch for CVE-2018-6192 (Bug 698916) does not solve this issue; it still crashes.
Comment 2 Sebastian Rasmussen 2018-04-16 10:59:10 UTC
This appears to have been fixed just after 1.12.0 in:
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731