Bug 698540

Summary: MuPDF 1.11 on Windows allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d".
Product: MuPDF
Reporter: WangLin <31060703>
Component: apps
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: robin.watts, tor.andersson
Priority: P4
Version: 1.11
Hardware: PC
OS: Windows 8
Customer:
Word Size: ---

Description WangLin 2017-09-15 00:14:06 UTC
Created attachment 14262 [details]
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x0
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x53460d50
MINOR_HASH:0x6a790a01
STACK_DEPTH:11
STACK_FRAME:wow64!Wow64NotifyDebugger+0x1d
STACK_FRAME:wow64!HandleRaiseException+0xd7
STACK_FRAME:wow64!Wow64NtRaiseException+0x126
STACK_FRAME:wow64!whNtRaiseException+0x14
STACK_FRAME:wow64!Wow64SystemServiceEx+0xd7
STACK_FRAME:wow64cpu!ServiceNoTurbo+0xb
STACK_FRAME:wow64!RunCpuSimulation+0xa
STACK_FRAME:wow64!Wow64LdrpInitialize+0x435
STACK_FRAME:ntdll!LdrGetKnownDllSectionHandle+0x1b5
STACK_FRAME:ntdll!WinSqmCheckEscalationSetDWORD+0x12180
STACK_FRAME:ntdll!LdrInitializeThunk+0xe
INSTRUCTION_ADDRESS:0x00000000775dbda1
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV near NULL
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable - User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d (Hash=0x53460d50.0x6a790a01)
EXPLANATION:User mode write access violations that are near NULL are probably exploitable.
Comment 1 Tor Andersson 2017-09-19 08:05:11 UTC
*** Bug 698557 has been marked as a duplicate of this bug. ***
Comment 2 Tor Andersson 2017-09-19 09:10:00 UTC
commit 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Sep 19 16:33:38 2017 +0200

    Fix 698540: Check name, comment and meta size field signs.