Summary: | MuPDF 1.13.0 arry index underflow | ||
---|---|---|---|
Product: | MuPDF | Reporter: | Krace <merc.ouc> |
Component: | apps | Assignee: | MuPDF bugs <mupdf-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | carnil, jb1910393, mjg, tor.andersson |
Priority: | P4 | ||
Version: | master | ||
Hardware: | PC | ||
OS: | Linux | ||
Customer: | Word Size: | --- | |
Attachments: | the poc file |
Description
Krace
2018-08-29 06:22:09 UTC
Created attachment 15533 [details]
the poc file
In Mupdf 1.13,the fz_append_byte function in source/fitz/buffer.c allows remote attackers to cause a denial of service(segmentation fault)via a crafted pdf file. The main cause is that the pdf_dev_alpha function in source/pdf/pdf-device.c use `#define CURRENT_GSTATE(pdev) (&(pdev)->gstates[(pdev)->num_gstates-1])` to get the gs pointer,however,the pdev->num_gstates may become zero(just the crafted poc file did).The pdev->gstates[-1]->buf is NULL,which will cause the program to crash. In fz_append_byte `if(buf->len + 1 > buf->cap)` where the buf is NULL. Here is the back trace in ASAN mode: ``` #0 0x0000000000429d23 in fz_append_byte (ctx=0x601c0000df60, buf=0x0, val=0x2f) at source/fitz/buffer.c:244 #1 0x000000000042a1a0 in fz_append_emit (ctx=0x601c0000df60, buffer=0x0, c=0x2f) at source/fitz/buffer.c:364 #2 0x000000000049e750 in fmtputc (out=0x7fffffffceb0, c=0x2f) at source/fitz/printf.c:35 #3 0x00000000004a0126 in fz_format_string (ctx=0x601c0000df60, user=0x0, emit=0x42a177 <fz_append_emit>, fmt=0x76f458 "Alp%d gs\n", args=0x7fffffffcf28) at source/fitz/printf.c:453 #4 0x000000000042a257 in fz_append_printf (ctx=0x601c0000df60, buffer=0x0, fmt=0x76f457 "/Alp%d gs\n") at source/fitz/buffer.c:372 #5 0x00000000004d3e2b in pdf_dev_alpha (ctx=0x601c0000df60, pdev=0x60380000f080, alpha=1, stroke=0x1) at source/pdf/pdf-device.c:331 #6 0x00000000004d5277 in pdf_dev_stroke_path (ctx=0x601c0000df60, dev=0x60380000f080, path=0x600c0000a4c0, stroke=0x601e0000ed70, ctm=..., colorspace=0x602c0000fe00, color=0x60940000a6bc, alpha=1, color_params=0x60940000a6b4) at source/pdf/pdf-device.c:656 #7 0x00000000004387a4 in fz_stroke_path (ctx=0x601c0000df60, dev=0x60380000f080, path=0x600c0000a4c0, stroke=0x601e0000ed70, ctm=..., colorspace=0x602c0000fe00, color=0x60940000a6bc, alpha=1, color_params=0x60940000a6b4) at source/fitz/device.c:133 #8 0x0000000000570e15 in pdf_show_path (ctx=0x601c0000df60, pr=0x60400000fc80, doclose=0x0, dofill=0x0, dostroke=0x1, even_odd=0x0) at source/pdf/pdf-op-run.c:695 #9 0x00000000005742f9 in pdf_run_S (ctx=0x601c0000df60, proc=0x60400000fc80) at source/pdf/pdf-op-run.c:1627 #10 0x0000000000561a67 in pdf_process_keyword (ctx=0x601c0000df60, proc=0x60400000fc80, csi=0x7fffffffd6d0, stm=0x601000007ba0, word=0x7fffffffd5c8 "S") at source/pdf/pdf-interpret.c:622 #11 0x00000000005633d6 in pdf_process_stream (ctx=0x601c0000df60, proc=0x60400000fc80, csi=0x7fffffffd6d0, stm=0x601000007ba0) at source/pdf/pdf-interpret.c:937 #12 0x000000000056371a in pdf_process_contents (ctx=0x601c0000df60, proc=0x60400000fc80, doc=0x60a200012800, rdb=0x600600004ed0, stmobj=0x600600004db0, cookie=0x0) at source/pdf/pdf-interpret.c:1031 #13 0x00000000004f4643 in pdf_run_page_contents_with_usage (ctx=0x601c0000df60, doc=0x60a200012800, page=0x601a0000cea0, dev=0x60380000f080, ctm=..., usage=0x788390 "View", cookie=0x0) at source/pdf/pdf-run.c:100 #14 0x00000000004f47c2 in pdf_run_page_contents (ctx=0x601c0000df60, page=0x601a0000cea0, dev=0x60380000f080, ctm=..., cookie=0x0) at source/pdf/pdf-run.c:129 #15 0x000000000043ae95 in fz_run_page_contents (ctx=0x601c0000df60, page=0x601a0000cea0, dev=0x60380000f080, transform=..., cookie=0x0) at source/fitz/document.c:375 #16 0x000000000043afed in fz_run_page (ctx=0x601c0000df60, page=0x601a0000cea0, dev=0x60380000f080, transform=..., cookie=0x0) at source/fitz/document.c:407 #17 0x0000000000402def in runpage (number=0x1) at source/tools/muconvert.c:80 #18 0x0000000000402ecb in runrange (range=0x710f64 "") at source/tools/muconvert.c:103 #19 0x0000000000403436 in muconvert_main (argc=0x4, argv=0x7fffffffde30) at source/tools/muconvert.c:185 #20 0x0000000000402af9 in main (argc=0x5, argv=0x7fffffffde28) at source/tools/mutool.c:132 #21 0x00007ffff4578830 in __libc_start_main (main=0x40286f <main>, argc=0x5, argv=0x7fffffffde28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde18) at ../csu/libc-start.c:291 #22 0x0000000000402739 in _start () ``` how: ./mutool convert -o out.pdf poc1.pdf Fixed in commit 38f883fe129a5e89306252a4676eaaf4bc968824 (refs/bisect/bad) Author: Tor Andersson <tor.andersson@artifex.com> Date: Mon Oct 22 17:16:35 2018 +0200 Fix text used as clip mask in pdfwrite device. Push the clip state, and pass the correct text rendering mode state. Hi When build with -O2 apparently the fix is ineffective. See https://bugs.debian.org/924351 . What is missing apart of cherry-picking 38f883fe129a5e89306252a4676eaaf4bc968824 to address CVE-2018-16648? Regards, Salvatore Ok ignore the last comment, the issue seen was caused by the missing commit fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d |