Bug 695040

Summary: Crashes and hangs with fuzzed PDF Files.
Product: MuPDF
Reporter: sergey.gorbaty
Component: mupdf
Assignee: muPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
QA Contact: Bug traffic <tech>
Severity: normal
Priority: P4
CC: jitesh.h.lalwani, matt, sebastian.rasmussen, zeniko
Version: 1.2
Hardware: All
OS: All
Customer:
Word Size: ---
Attachments: Crashes and hangs.

Description sergey.gorbaty 2014-02-13 11:36:03 UTC
Created attachment 10693 [details]
Crashes and hangs.

We had a fuzzer tool generate many PDFs that crash and hang muPDF on Android.
Please find the archive attached. It contains the file that created a crash and a stack trace in the txt.
Comment 1 zeniko 2014-02-13 14:06:09 UTC
Thanks for the report and the attached files.

Proposed fixes for some of these issues:
* for the integer overflow in pdf_xref_size_from_old_trailer: http://git.ghostscript.com/?p=user/zeniko/mupdf.git;a=commitdiff;h=7223acff42988ca66dd8e75dcb06c4f67b9d0e1a
* for the hangs in path flattening: http://git.ghostscript.com/?p=user/zeniko/mupdf.git;a=commitdiff;h=64c222a3886db70923b9a4d1c886e17d34281e55
* for the infinite loop in Freetype: https://code.google.com/p/sumatrapdf/source/browse/trunk/ext/_patches/freetype2.patch?spec=svn8620&r=8620#74
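As an added illustration of the first fix category above (this is not MuPDF's code and not the linked patch), the hypothetical C routine below sizes an old-style xref table from its "start count" subsection headers while rejecting the negative, overflowing or oversized values a fuzzer produces; the 20-byte entry length is from the PDF spec, while the function name, the object-count limit and the NUL-terminated buffer are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Old-style xref entries are fixed 20-byte records ("oooooooooo ggggg n \n"). */
#define XREF_ENTRY_LEN 20

/*
 * Hypothetical stand-in for sizing an xref table: walk every "start count"
 * subsection header, validate it, and return the number of object slots the
 * table needs (largest start+count), or -1 for a malformed, negative,
 * overflowing or truncated header. buf must be NUL-terminated.
 */
int xref_size_from_table(const char *buf, size_t len, long max_objects)
{
    const char *p = buf, *end = buf + len;
    long size = 0;

    if (len < 4 || memcmp(p, "xref", 4) != 0)
        return -1;
    p += 4;

    for (;;) {
        char *q;
        long start, count;

        while (p < end && (*p == ' ' || *p == '\r' || *p == '\n'))
            p++;
        if (p == end || ((size_t)(end - p) >= 7 && memcmp(p, "trailer", 7) == 0))
            break;

        start = strtol(p, &q, 10);
        if (q == p) return -1;
        p = q;
        count = strtol(p, &q, 10);
        if (q == p) return -1;
        p = q;

        /* Reject negatives and any start+count beyond the sane limit; the
         * comparison is written as a subtraction so it cannot itself overflow,
         * and the addition below only runs once it is known to be safe. */
        if (start < 0 || count < 0 || start > max_objects - count)
            return -1;
        if (start + count > size)
            size = start + count;

        /* Skip the entries, but only if the buffer really holds that many. */
        while (p < end && (*p == ' ' || *p == '\r' || *p == '\n'))
            p++;
        if (count > (long)((end - p) / XREF_ENTRY_LEN))
            return -1;
        p += count * XREF_ENTRY_LEN;
    }
    return (int)size;
}
```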
Comment 2 zeniko 2014-02-14 09:40:04 UTC
I've reported the Freetype issue upstream as https://savannah.nongnu.org/bugs/index.php?41590

BTW: The crashers seem to have been fixed already as far as I can tell. Do the files requiring a password crash when opened with the password or do they crash without a password prompt?
Comment 3 sergey.gorbaty 2014-03-05 13:41:36 UTC
I am honestly not sure what the behavior of those is. 
These samples have been provided by a 3rd party.
Comment 4 sergey.gorbaty 2014-03-05 13:42:49 UTC
When can we expect to see the fixes in a released package?
Comment 5 zeniko 2014-03-05 13:57:05 UTC
(In reply to comment #4)
> When can we expect to see the fixes in a released package?

Releases for MuPDF are currently scheduled for March and September of each year. You should thus get these fixes in a release build within the next month.
Comment 6 Matt Holgate 2014-06-23 04:31:14 UTC
Removing the Android tag here, as these problems look to be in the core of MuPDF rather than being Android specific.
Comment 7 Jitesh Lalwani 2014-07-30 06:02:18 UTC
What about following crash?

E/AndroidRuntime(18359): java.lang.UnsatisfiedLinkError: dlopen failed: cannot locate symbol "strtof" referenced by "libmupdf.so"...
Comment 8 Ken Sharp 2014-07-30 06:20:53 UTC
(In reply to Jitesh Lalwani from comment #7)
> What about following crash?
> 
> E/AndroidRuntime(18359): java.lang.UnsatisfiedLinkError: dlopen failed:
> cannot locate symbol "strtof" referenced by "libmupdf.so"...

In what way is that connected with this bug report?
Comment 9 Sebastian Rasmussen 2015-07-26 03:38:19 UTC
I suggest that this bug be closed.

After a couple of hours of bisecting I have now determined that all the issues exhibited by the 55 attached PDFs have been resolved since 1.2. Most by zeniko, robin and fredrossperry. Details below.

SIGSEGV-070214-125025-294.pdf
SIGSEGV-070214-135117-7.pdf
SIGSEGV-070214-141527-132.pdf
SIGSEGV-070214-153520-31.pdf
SIGSEGV-070214-210731-226.pdf
SIGSEGV-080214-001832-158.pdf
SIGSEGV-080214-141736-64.pdf
SIGSEGV-080214-174551-209.pdf
SIGSEGV-080214-183817-180.pdf
SIGSEGV-080214-211214-275.pdf
SIGSEGV-080214-225022-278.pdf
SIGSEGV-090214-031457-187.pdf
SIGSEGV-090214-055227-289.pdf
SIGSEGV-090214-074703-165.pdf
SIGSEGV-090214-132516-287.pdf
SIGSEGV-090214-223606-3.pdf
SIGSEGV-100214-031331-276.pdf
SIGSEGV-100214-055356-134.pdf
SIGSEGV-100214-060842-124.pdf
        These worked out of the box in 1.2:
        http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9d20a4f3a69fdea855f8678c1ad50b5db7472d81
SIGABRT-070214-173711-9.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGABRT-070214-235544-6.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGABRT-090214-045131-116.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGABRT-090214-054007-189.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGABRT-090214-073019-69.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGABRT-090214-113325-239.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGABRT-090214-235300-139.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGSEGV-070214-174847-58.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGSEGV-070214-193825-129.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGSEGV-080214-203043-271.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGSEGV-090214-002802-245.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGSEGV-100214-011252-226.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=527afcaa0744472d7ad2ef84ce79ab34a036ad85
SIGSEGV-100214-015140-81.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGSEGV-100214-025204-187.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=835488aa0fb45f7c752f12f7184c76df26e8e5dc
SIGSEGV-100214-032831-186.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=7e2fd58613a92dfd94550e35cfede9fa5b714e7f


hang-070214-232647-177.pdf
hang-080214-013356-214.pdf
hang-080214-163033-256.pdf
hang-090214-032319-156.pdf
hang-100214-080937-163.pdf
hang-080214-181527-138.pdf
hang-090214-015108-51.pdf
        These worked out of the box in 1.2:
        http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9d20a4f3a69fdea855f8678c1ad50b5db7472d81
hang-070214-144840-137.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=a985147b714a928646f1b5350bc1d7ae0866c615
hang-070214-163132-74.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=cb6fca717d7deef4de48fcb54d7eefe768f06bb9
hang-070214-214127-114.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=6a0253dab60fb9e94e5d9a21826cf1bc6e83e03a
hang-080214-010754-87.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=a985147b714a928646f1b5350bc1d7ae0866c615
hang-080214-152005-90.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9f879e14e5645aff6b4be27271f2196c05f5a193
hang-080214-190111-53.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=cb6fca717d7deef4de48fcb54d7eefe768f06bb9
hang-090214-022051-78.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=cb6fca717d7deef4de48fcb54d7eefe768f06bb9
hang-090214-050329-164.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=6a0253dab60fb9e94e5d9a21826cf1bc6e83e03a
hang-090214-143518-64.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=cb6fca717d7deef4de48fcb54d7eefe768f06bb9
hang-090214-181103-111.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9f879e14e5645aff6b4be27271f2196c05f5a193
hang-090214-193551-230.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9f879e14e5645aff6b4be27271f2196c05f5a193
hang-090214-211402-4.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=cb6fca717d7deef4de48fcb54d7eefe768f06bb9
hang-090214-230709-184.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9f879e14e5645aff6b4be27271f2196c05f5a193
hang-100214-053010-269.pdf
        Fixed by http://git.ghostscript.com/?p=mupdf.git;a=commit;h=9a0954091d7108be84f5d9a624d8e7d0d7beced8
Comment 10 Sebastian Rasmussen 2016-03-29 08:20:14 UTC
The PDFs in the attached archive can definitely cause issues with MuPDF 1.2, but several have been fixed since then, as mentioned in my previous comment.
Comment 11 Sebastian Rasmussen 2016-03-29 08:29:01 UTC
The last remaining issue, caused by SIGABRT-090214-045131-116.pdf, was to validate the length of an encryption key. This was fixed today:
http://git.ghostscript.com/?p=mupdf.git;a=commit;h=afef491c2f4651d84315bbaf41daa750854f6fe5