Bug 698557

Summary: mupdf 1.11 windows allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64LdrpInitialize+0x00000000000008e1".
Product: MuPDF Reporter: WangLin <31060703>
Component: appsAssignee: muPDF bugs <mupdf-bugs>
Status: RESOLVED DUPLICATE QA Contact: Bug traffic <tech>
Severity: normal    
Priority: P4 CC: robin.watts, tor.andersson
Version: 1.11   
Hardware: PC   
OS: Windows 8   
Customer: Word Size: ---

Description WangLin 2017-09-18 22:02:46 UTC
Created attachment 14294 [details]
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x0
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x70591803
MINOR_HASH:0x22012e68
STACK_DEPTH:11
STACK_FRAME:wow64!Wow64LdrpInitialize+0x8e1
STACK_FRAME:wow64!Wow64LdrpInitialize+0x9eb
STACK_FRAME:wow64!Wow64LdrpInitialize+0xbbe
STACK_FRAME:wow64!Wow64EmulateAtlThunk+0x1ae7c
STACK_FRAME:wow64!Wow64SystemServiceEx+0xd7
STACK_FRAME:wow64cpu!TurboDispatchJumpAddressEnd+0xb
STACK_FRAME:wow64!Wow64SystemServiceEx+0x26a
STACK_FRAME:wow64!Wow64LdrpInitialize+0x435
STACK_FRAME:ntdll!LdrGetKnownDllSectionHandle+0x1b5
STACK_FRAME:ntdll!WinSqmCheckEscalationSetDWORD+0x12180
STACK_FRAME:ntdll!LdrInitializeThunk+0xe
INSTRUCTION_ADDRESS:0x00000000772ebda1
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV near NULL
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable - User Mode Write AV near NULL starting at wow64!Wow64LdrpInitialize+0x00000000000008e1 (Hash=0x70591803.0x22012e68)
EXPLANATION:User mode write access violations that are near NULL are probably exploitable.
Comment 1 Tor Andersson 2017-09-19 08:05:11 UTC

*** This bug has been marked as a duplicate of bug 698540 ***