Bug 699685

Summary:	MuPDF 1.13.0 arry index underflow
Product:	MuPDF	Reporter:	Krace <merc.ouc>
Component:	apps	Assignee:	MuPDF bugs <mupdf-bugs>
Status:	RESOLVED FIXED
Severity:	normal	CC:	carnil, jb1910393, mjg, tor.andersson
Priority:	P4
Version:	master
Hardware:	PC
OS:	Linux
Customer:		Word Size:	---
Attachments:	the poc file

Description Krace 2018-08-29 06:22:09 UTC

Comment 1 Krace 2018-08-29 06:23:27 UTC

Created attachment 15533 [details]
the poc file

Comment 2 Krace 2018-08-29 06:23:52 UTC

In Mupdf 1.13,the fz_append_byte function in source/fitz/buffer.c allows remote attackers to cause a denial of service(segmentation fault)via a crafted pdf file.
The main cause is that the pdf_dev_alpha function in source/pdf/pdf-device.c use `#define CURRENT_GSTATE(pdev) (&(pdev)->gstates[(pdev)->num_gstates-1])` to get the gs pointer,however,the pdev->num_gstates may become zero(just the crafted poc file did).The pdev->gstates[-1]->buf is NULL,which will cause the program to crash.
In fz_append_byte `if(buf->len + 1 > buf->cap)` where the buf is NULL.

Here is the back trace in ASAN mode:
```
#0  0x0000000000429d23 in fz_append_byte (ctx=0x601c0000df60, buf=0x0, val=0x2f) at source/fitz/buffer.c:244
#1  0x000000000042a1a0 in fz_append_emit (ctx=0x601c0000df60, buffer=0x0, c=0x2f) at source/fitz/buffer.c:364
#2  0x000000000049e750 in fmtputc (out=0x7fffffffceb0, c=0x2f) at source/fitz/printf.c:35
#3  0x00000000004a0126 in fz_format_string (ctx=0x601c0000df60, user=0x0, emit=0x42a177 <fz_append_emit>,
    fmt=0x76f458 "Alp%d gs\n", args=0x7fffffffcf28) at source/fitz/printf.c:453
#4  0x000000000042a257 in fz_append_printf (ctx=0x601c0000df60, buffer=0x0, fmt=0x76f457 "/Alp%d gs\n")
    at source/fitz/buffer.c:372
#5  0x00000000004d3e2b in pdf_dev_alpha (ctx=0x601c0000df60, pdev=0x60380000f080, alpha=1, stroke=0x1)
    at source/pdf/pdf-device.c:331
#6  0x00000000004d5277 in pdf_dev_stroke_path (ctx=0x601c0000df60, dev=0x60380000f080, path=0x600c0000a4c0,
    stroke=0x601e0000ed70, ctm=..., colorspace=0x602c0000fe00, color=0x60940000a6bc, alpha=1, color_params=0x60940000a6b4)
    at source/pdf/pdf-device.c:656
#7  0x00000000004387a4 in fz_stroke_path (ctx=0x601c0000df60, dev=0x60380000f080, path=0x600c0000a4c0,
    stroke=0x601e0000ed70, ctm=..., colorspace=0x602c0000fe00, color=0x60940000a6bc, alpha=1, color_params=0x60940000a6b4)
    at source/fitz/device.c:133
#8  0x0000000000570e15 in pdf_show_path (ctx=0x601c0000df60, pr=0x60400000fc80, doclose=0x0, dofill=0x0, dostroke=0x1,
    even_odd=0x0) at source/pdf/pdf-op-run.c:695
#9  0x00000000005742f9 in pdf_run_S (ctx=0x601c0000df60, proc=0x60400000fc80) at source/pdf/pdf-op-run.c:1627
#10 0x0000000000561a67 in pdf_process_keyword (ctx=0x601c0000df60, proc=0x60400000fc80, csi=0x7fffffffd6d0,
    stm=0x601000007ba0, word=0x7fffffffd5c8 "S") at source/pdf/pdf-interpret.c:622
#11 0x00000000005633d6 in pdf_process_stream (ctx=0x601c0000df60, proc=0x60400000fc80, csi=0x7fffffffd6d0,
    stm=0x601000007ba0) at source/pdf/pdf-interpret.c:937
#12 0x000000000056371a in pdf_process_contents (ctx=0x601c0000df60, proc=0x60400000fc80, doc=0x60a200012800,
    rdb=0x600600004ed0, stmobj=0x600600004db0, cookie=0x0) at source/pdf/pdf-interpret.c:1031
#13 0x00000000004f4643 in pdf_run_page_contents_with_usage (ctx=0x601c0000df60, doc=0x60a200012800, page=0x601a0000cea0,
    dev=0x60380000f080, ctm=..., usage=0x788390 "View", cookie=0x0) at source/pdf/pdf-run.c:100
#14 0x00000000004f47c2 in pdf_run_page_contents (ctx=0x601c0000df60, page=0x601a0000cea0, dev=0x60380000f080, ctm=...,
    cookie=0x0) at source/pdf/pdf-run.c:129
#15 0x000000000043ae95 in fz_run_page_contents (ctx=0x601c0000df60, page=0x601a0000cea0, dev=0x60380000f080, transform=...,
    cookie=0x0) at source/fitz/document.c:375
#16 0x000000000043afed in fz_run_page (ctx=0x601c0000df60, page=0x601a0000cea0, dev=0x60380000f080, transform=...,
    cookie=0x0) at source/fitz/document.c:407
#17 0x0000000000402def in runpage (number=0x1) at source/tools/muconvert.c:80
#18 0x0000000000402ecb in runrange (range=0x710f64 "") at source/tools/muconvert.c:103
#19 0x0000000000403436 in muconvert_main (argc=0x4, argv=0x7fffffffde30) at source/tools/muconvert.c:185
#20 0x0000000000402af9 in main (argc=0x5, argv=0x7fffffffde28) at source/tools/mutool.c:132
#21 0x00007ffff4578830 in __libc_start_main (main=0x40286f <main>, argc=0x5, argv=0x7fffffffde28, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde18) at ../csu/libc-start.c:291
#22 0x0000000000402739 in _start ()
```
how:
./mutool convert -o out.pdf poc1.pdf

Comment 3 Tor Andersson 2018-11-07 14:25:14 UTC

Fixed in commit 38f883fe129a5e89306252a4676eaaf4bc968824 (refs/bisect/bad)
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Mon Oct 22 17:16:35 2018 +0200

    Fix text used as clip mask in pdfwrite device.
    
    Push the clip state, and pass the correct text rendering mode state.

Comment 4 Salvatore Bonaccorso 2019-03-15 21:47:25 UTC

Hi

When build with -O2 apparently the fix is ineffective. See https://bugs.debian.org/924351 . What is missing apart of cherry-picking 38f883fe129a5e89306252a4676eaaf4bc968824 to address CVE-2018-16648?

Regards,
Salvatore

Comment 5 Salvatore Bonaccorso 2019-03-15 22:01:24 UTC

Ok ignore the last comment, the issue seen was caused by the missing commit fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d