Bug 697514

Summary: Null pointer dereference in dodrawpage()
Product: MuPDF
Reporter: Kamil Frankowicz <kamil.frankowicz>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: sebastian.rasmussen
Priority: P4
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: POC to trigger null pointer dereference (mutool)

Description Kamil Frankowicz 2017-01-30 06:09:38 UTC
Created attachment 13322 [details]
POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool draw -F svg mupdf_null_ptr_dodrawpage -o /dev/null

ASAN:

==18424==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004ee88a bp 0x7ffc140cae50 sp 0x7ffc140ca840 T0)
==18424==The signal is caused by a READ memory access.
==18424==Hint: address points to the zero page.
    #0 0x4ee889 in dodrawpage XYZ/mupdf/source/tools/mudraw.c:581:8
    #1 0x4f38ad in drawpage XYZ/mupdf/source/tools/mudraw.c:1031:3
    #2 0x4edab6 in drawrange XYZ/mupdf/source/tools/mudraw.c:1060:6
    #3 0x4eb2c9 in mudraw_main XYZ/mupdf/source/tools/mudraw.c:1635:7
    #4 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #5 0x7fe7241d682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/tools/mudraw.c:581:8 in dodrawpage
==18424==ABORTING
Comment 1 Sebastian Rasmussen 2017-02-04 09:44:26 UTC
While the given command caused a SIGSEGV, which will soon be fixed in 40ac85bfb676bb4373bda4b18f9fd90268c9f1e9, please note that the manpage lists the order of arguments as:

mutool info [options] file.pdf [pages]

which means that the correct order of arguments really is:

mutool draw -F svg -o /dev/null mupdf_null_ptr_dodrawpage
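The argument-order point in Comment 1 is worth seeing in code. A BSD-style option scanner (MuPDF's fz_getopt behaves this way) stops at the first argument that is not an option, so in the reported command line `-o /dev/null` is never parsed as the output option: the input file ends option scanning and `-o` and `/dev/null` become positional page-range arguments. The following is an added example, not MuPDF code; the tool name "draw", the struct `draw_opts`, and the functions `parse_draw_args`, `output_is_svg_unchecked` and `check_output` are this example's own. The page does not say which pointer is NULL at mudraw.c:581, so the unset output path is used here only as an illustrative instance of the general failure mode, beside the check that turns it into a usage error instead of a crash.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Parsed command line for a hypothetical "draw" tool (this example's own
 * struct, not MuPDF's). */
struct draw_opts {
    const char *format;      /* value of -F, NULL if not given */
    const char *output;      /* value of -o, NULL if not given */
    const char *input;       /* first positional argument */
    int page_argc;           /* positional arguments after the input file */
    const char **page_argv;
};

/* Scan options until the first argument that is not an option, the way
 * BSD-style getopt and MuPDF's fz_getopt do.  Everything from the first
 * non-option onward is positional: input file, then page ranges.
 * Returns 0 on success, -1 on an unknown flag, a flag without its value,
 * or a missing input file. */
int parse_draw_args(int argc, const char **argv, struct draw_opts *o)
{
    int i;
    memset(o, 0, sizeof *o);
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        const char *val;
        if (a[0] != '-' || a[1] == '\0')      /* not an option: stop scanning */
            break;
        if (strcmp(a, "--") == 0) { i++; break; }
        if (a[1] != 'F' && a[1] != 'o')       /* only -F and -o are known here */
            return -1;
        if (a[2] != '\0')
            val = a + 2;                      /* "-Fsvg" form */
        else if (i + 1 < argc)
            val = argv[++i];                  /* "-F svg" form */
        else
            return -1;                        /* flag at end without a value */
        if (a[1] == 'F') o->format = val; else o->output = val;
    }
    if (i >= argc)
        return -1;                            /* no input file at all */
    o->input = argv[i++];
    o->page_argc = argc - i;
    o->page_argv = argv + i;
    return 0;
}

/* The unsafe pattern: assume -o was given and hand the pointer straight to
 * the output code.  With output == NULL this reads address 0, the same class
 * of fault the ASAN trace above reports (not exercised by the tests). */
int output_is_svg_unchecked(const struct draw_opts *o)
{
    return strlen(o->output) > 0 && o->format != NULL && strcmp(o->format, "svg") == 0;
}

/* Hardened: validate before use and turn a misordered command line into a
 * usage error.  Returns 1 when the output path is usable, 0 otherwise with
 * the reason written to errbuf.  A "page range" starting with '-' is almost
 * always an option placed after the input file, so it is rejected too. */
int check_output(const struct draw_opts *o, char *errbuf, size_t errlen)
{
    if (o->output == NULL) {
        snprintf(errbuf, errlen,
                 "no output file given; options such as -o must precede the input file '%s'",
                 o->input);
        return 0;
    }
    if (o->page_argc > 0 && o->page_argv[0][0] == '-') {
        snprintf(errbuf, errlen,
                 "page range '%s' looks like an option placed after the input file",
                 o->page_argv[0]);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample command lines: the order from the report, then the
     * order Comment 1 recommends. */
    const char *reported[] = { "draw", "-F", "svg", "mupdf_null_ptr_dodrawpage", "-o", "/dev/null" };
    const char *correct[]  = { "draw", "-F", "svg", "-o", "/dev/null", "mupdf_null_ptr_dodrawpage" };
    const char **cases[] = { reported, correct };
    size_t c;
    for (c = 0; c < 2; c++) {
        struct draw_opts o;
        char err[160];
        if (parse_draw_args(6, cases[c], &o) != 0) {
            printf("case %zu: malformed command line\n", c);
            continue;
        }
        if (check_output(&o, err, sizeof err))
            printf("case %zu: input=%s output=%s pages=%d\n", c, o.input, o.output, o.page_argc);
        else
            printf("case %zu: usage error: %s\n", c, err);
    }
    return 0;
}
```

The same scanner explains why swapping the argument order in Comment 1 avoids the crash without any code change: once `-o` precedes the input file, `output` is set before scanning stops. The defensive check is still needed, because a fuzzer or a user will keep producing the other order.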