Bug 698699

Summary: mutool v1.11 heap overflow issue 1
Product: MuPDF
Reporter: Ziqiang Gu <etovio>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
Severity: major
CC: robin.watts, tor.andersson
Priority: P4
Version: unspecified
Hardware: PC
OS: Windows NT
Word Size: ---
Attachments: POC file of the vulnerability

Description Ziqiang Gu 2017-10-26 00:57:44 UTC
Created attachment 14417
POC file of the vulnerability

I discovered several heap overflow vulnerabilities in mutool version 1.11. Attackers may exploit these vulnerabilities to cause a denial of service or other further attacks such as remote code execution.

These issues seem different because the call stacks vary, so I will create different bugs.

**My Environment:

ctf@ubuntu:/home/g$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:37:59 UTC 2017 i686 i686 i686 GNU/Linux
ctf@ubuntu:/home/g$ cat /etc/*lease
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu Kylin"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Kylin 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety

**Build Information:

ctf@ubuntu:/home/g$ /home/g/mupdf/bin/mutool -v
mutool version 1.11

**ASAN report on heap overflow:

ctf@ubuntu:/home/g$ /home/g/mupdf/bin/mutool clean -gggg -l -a -d -z -f -i heapoverflow/heap-overflow-poc-1 
error: expected object number
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: object missing 'endobj' token
=================================================================
==12789==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3803260 at pc 0x0850fc4e bp 0xbfe1d328 sp 0xbfe1d318
READ of size 4 at 0xb3803260 thread T0
    #0 0x850fc4d  (/home/g/mupdf/bin/mutool+0x850fc4d)
    #1 0x853700d  (/home/g/mupdf/bin/mutool+0x853700d)
    #2 0x853ac7d  (/home/g/mupdf/bin/mutool+0x853ac7d)
    #3 0x843a7c4  (/home/g/mupdf/bin/mutool+0x843a7c4)
    #4 0x80d0653  (/home/g/mupdf/bin/mutool+0x80d0653)
    #5 0x806b76e  (/home/g/mupdf/bin/mutool+0x806b76e)
    #6 0xb6f32275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #7 0x8074650  (/home/g/mupdf/bin/mutool+0x8074650)

0xb3803260 is located 0 bytes to the right of 144-byte region [0xb38031d0,0xb3803260)
allocated by thread T0 here:
    #0 0xb720aae4 in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xc3ae4)
    #1 0x82ef71f  (/home/g/mupdf/bin/mutool+0x82ef71f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/g/mupdf/bin/mutool+0x850fc4d) 
Shadow bytes around the buggy address:
==12789==ABORTING
ctf@ubuntu:/home/g$
Comment 1 Tor Andersson 2017-11-01 03:21:25 UTC
For future reference, it would be helpful if you ran ASAN's output through the symbolizer so we can see file names and line numbers rather than random hex addresses.

Putting something like the following in your .bashrc will do it automatically:

export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
export ASAN_OPTIONS=symbolize=1
Comment 2 Tor Andersson 2017-11-01 03:24:16 UTC
With mutool clean -gg I get:

WRITE of size 4 at 0x60d00000ce60 thread T0
    #0 0xe724e6 in dowriteobject /home/tor/src/mupdf/source/pdf/pdf-write.c:2162:3
    #1 0xe4ef64 in writeobjects /home/tor/src/mupdf/source/pdf/pdf-write.c:2218:3
    #2 0xe39c3d in do_pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:2937:4
    #3 0xe3c8bd in pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:3078:3
    #4 0xc6743d in pdf_clean_file /home/tor/src/mupdf/source/pdf/pdf-clean-file.c:336:3
    #5 0x5a6526 in pdfclean_main /home/tor/src/mupdf/source/tools/pdfclean.c:94:3
    #6 0x4f6865 in main /home/tor/src/mupdf/source/tools/mutool.c:127:12

With mutool clean -ggg I get:

READ of size 4 at 0x60d00000cf30 thread T0
    #0 0xe462ae in removeduplicateobjs /home/tor/src/mupdf/source/pdf/pdf-write.c:647:8
    #1 0xe37e52 in do_pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:2879:4
    #2 0xe3c8bd in pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:3078:3
    #3 0xc6743d in pdf_clean_file /home/tor/src/mupdf/source/pdf/pdf-clean-file.c:336:3
    #4 0x5a6526 in pdfclean_main /home/tor/src/mupdf/source/tools/pdfclean.c:94:3
    #5 0x4f6865 in main /home/tor/src/mupdf/source/tools/mutool.c:127:12
Comment 3 Robin Watts 2017-11-07 11:26:05 UTC
I have a fix awaiting review.
Comment 4 Robin Watts 2017-11-08 04:31:18 UTC
Fixed in:

commit 520cc26d18c9ee245b56e9e91f9d4fcae02be5f0 (golden/master)
Author: Robin Watts <robin.watts@artifex.com>
Date:   Tue Nov 7 19:21:58 2017 +0000

    Bug 689699: Avoid buffer overrun.

    When cleaning a pdf file, various lists (of pdf_xref_len length) are
    defined early on.

    If we trigger a repair during the clean, this can cause pdf_xref_len
    to increase causing an overrun.

    Fix this by watching for changes in the length, and checking accesses
    to the list for validity.

    This also appears to fix bugs 698700-698703.

Thanks for the report!
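The commit message above describes the pattern behind the overrun: per-object lists are sized from pdf_xref_len early in the clean, a repair triggered mid-clean grows the xref, and the later walk indexes past the original allocation. The C sketch below is an added example, not MuPDF's code, showing the two halves of the described fix: watching for the length changing and bounds-checking list accesses. doc_t, objlists_t, lists_sync, use_list_get and simulated_repair are constructed stand-ins, and the 36-entry list mirrors the 144-byte region of 4-byte entries in the ASAN report.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the document state: only the xref length matters here. */
typedef struct { int xref_len; } doc_t;
/* Per-object list sized from the xref length when allocated; 'len' remembers how
 * many slots really exist, whatever the xref length says now. */
typedef struct { int len; int *use_list; } objlists_t;

static int lists_init(objlists_t *l, const doc_t *doc)
{
    l->len = doc->xref_len;
    l->use_list = calloc((size_t)l->len, sizeof(int));
    return l->use_list ? 0 : -1;
}

/* Watch for the xref growing underneath us (a repair ran mid-clean) and grow
 * the list to match, zero-filling the new slots. */
static int lists_sync(objlists_t *l, const doc_t *doc)
{
    if (doc->xref_len <= l->len) return 0;
    int *grown = realloc(l->use_list, (size_t)doc->xref_len * sizeof(int));
    if (!grown) return -1;
    memset(grown + l->len, 0, (size_t)(doc->xref_len - l->len) * sizeof(int));
    l->use_list = grown;
    l->len = doc->xref_len;
    return 0;
}

/* Checked accessor: an index past the allocated slots is refused, not read. */
static int use_list_get(const objlists_t *l, int num, int *out)
{
    if (num < 0 || num >= l->len) return -1;
    *out = l->use_list[num];
    return 0;
}

/* Constructed repair stand-in: it finds 'extra' more objects, so xref_len grows. */
static void simulated_repair(doc_t *doc, int extra) { doc->xref_len += extra; }

/* The failing pattern: list sized before the repair, walked with the post-repair
 * length. Returns how many accesses had to be refused (-1 on allocation failure);
 * with resync set, the list is grown first and nothing is refused. */
static int clean_walk(int initial_len, int extra, int resync)
{
    doc_t doc = { initial_len };
    objlists_t l;
    int refused = 0, v;
    if (lists_init(&l, &doc) != 0) return -1;
    simulated_repair(&doc, extra);
    if (resync && lists_sync(&l, &doc) != 0) { free(l.use_list); return -1; }
    for (int num = 0; num < doc.xref_len; num++)
        if (use_list_get(&l, num, &v) != 0)
            refused++;   /* an unchecked l.use_list[num] would read the redzone here */
    free(l.use_list);
    return refused;
}
```

With the list left at its pre-repair size, every index from 36 upward is refused instead of read; after lists_sync the same walk completes without a single refused access.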