| Summary: | mupdf 1.11 windows allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64LdrpInitialize+0x00000000000008e1". | | |
|---|---|---|---|
| Product: | MuPDF | Reporter: | WangLin <31060703> |
| Component: | apps | Assignee: | MuPDF bugs <mupdf-bugs> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | normal | CC: | robin.watts, tor.andersson |
| Priority: | P4 | | |
| Version: | 1.11 | | |
| Hardware: | PC | | |
| OS: | Windows 8 | | |
| Customer: | | Word Size: | --- |

*** This bug has been marked as a duplicate of bug 698540 ***

Created attachment 14294
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x0
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x70591803
MINOR_HASH:0x22012e68
STACK_DEPTH:11
STACK_FRAME:wow64!Wow64LdrpInitialize+0x8e1
STACK_FRAME:wow64!Wow64LdrpInitialize+0x9eb
STACK_FRAME:wow64!Wow64LdrpInitialize+0xbbe
STACK_FRAME:wow64!Wow64EmulateAtlThunk+0x1ae7c
STACK_FRAME:wow64!Wow64SystemServiceEx+0xd7
STACK_FRAME:wow64cpu!TurboDispatchJumpAddressEnd+0xb
STACK_FRAME:wow64!Wow64SystemServiceEx+0x26a
STACK_FRAME:wow64!Wow64LdrpInitialize+0x435
STACK_FRAME:ntdll!LdrGetKnownDllSectionHandle+0x1b5
STACK_FRAME:ntdll!WinSqmCheckEscalationSetDWORD+0x12180
STACK_FRAME:ntdll!LdrInitializeThunk+0xe
INSTRUCTION_ADDRESS:0x00000000772ebda1
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV near NULL
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable - User Mode Write AV near NULL starting at wow64!Wow64LdrpInitialize+0x00000000000008e1 (Hash=0x70591803.0x22012e68)
EXPLANATION:User mode write access violations that are near NULL are probably exploitable.