Bug 700342

Summary: mupdf-gl would crash while open the svg file, segmentfault
Product: MuPDF Reporter: kuaicar87
Component: mupdfAssignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: mjg, sebastian.rasmussen
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: Sample file #1 illustrating the reported issue.
Sample file #2 illustrating the reported issue.

Description kuaicar87 2018-12-05 07:56:59 UTC 
When I tried to open two svg files with the mupdf-gl tool, the tool would crash.
the detailed report can be founded at https://github.com/TeamSeri0us/pocs/tree/master/mupdf/20181203.
Comment 1 Tor Andersson 2019-01-08 15:40:03 UTC 
commit a7f7d91cdff8d303c11d458fa8b802776f73c8cc
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Jan 8 14:47:26 2019 +0100

    Bug 700342: Ignore images without an xlink:href attribute.
Comment 2 Sebastian Rasmussen 2024-09-14 23:54:09 UTC 
Pasting report contents after it was both reported and fixed:


1. fish@ubuntu:~/Desktop/2018-10-10/pdf/mupdf$ ./afl/bin/mupdf-gl out-of-bound-read-poc-2.svg
ASAN:DEADLYSIGNAL
=================================================================
==69945==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8c571827d9 bp 0x7ffea3fa0d50 sp 0x7ffea3fa04b0 T0)
==69945==The signal is caused by a READ memory access.
==69945==Hint: address points to the zero page.
    #0 0x7f8c571827d8  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5a7d8)
    #1 0x55b5924dece2  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x18dce2)
    #2 0x55b59295ec9d  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60dc9d)
    #3 0x55b592961123  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x610123)
    #4 0x55b5925a324e  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x25224e)
    #5 0x55b5927f70f9  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x4a60f9)
    #6 0x55b59252ff5c  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x1def5c)
    #7 0x55b5924f646f  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x1a546f)
    #8 0x7f8c561ebb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55b5924fe979  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x1ad979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5a7d8) 
==69945==ABORTING

fish@ubuntu:~/Desktop/2018-10-10/pdf/mupdf$ gdb -q --args ./debug/bin/mupdf-gl out-of-bound-read-poc-2.svg 

198	../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
gef➤  bt
#0  __strncmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
#1  0x00005555556882e0 in svg_run_image (ctx=0x555557f89b10, dev=0x55555802f130, doc=0x555557f89bb0, root=0x555557fd4d40, inherit_state=0x7fffffffd960) at source/svg/svg-run.c:1095
#2  0x0000555555688809 in svg_run_element (ctx=0x555557f89b10, dev=0x55555802f130, doc=0x555557f89bb0, root=0x555557fd4d40, state=0x7fffffffd960) at source/svg/svg-run.c:1166
#3  0x00005555556879d4 in svg_run_svg (ctx=0x555557f89b10, dev=0x55555802f130, doc=0x555557f89bb0, root=0x555557fd4738, inherit_state=0x7fffffffdaa0) at source/svg/svg-run.c:1004
#4  0x0000555555688ca7 in svg_run_document (ctx=0x555557f89b10, doc=0x555557f89bb0, root=0x555557fd4738, dev=0x55555802f130, ctm=...) at source/svg/svg-run.c:1265
#5  0x00005555556833c9 in svg_run_page (ctx=0x555557f89b10, page_=0x555557f2af70, dev=0x55555802f130, ctm=..., cookie=0x0) at source/svg/svg-doc.c:42
#6  0x00005555555c94be in fz_run_page_contents (ctx=0x555557f89b10, page=0x555557f2af70, dev=0x55555802f130, transform=..., cookie=0x0) at source/fitz/document.c:393
#7  0x0000555555637f7e in fz_new_stext_page_from_page (ctx=0x555557f89b10, page=0x555557f2af70, options=0x0) at source/fitz/util.c:324
#8  0x00005555555b3c8f in load_page () at platform/gl/gl-main.c:468
#9  0x00005555555b7799 in main (argc=0x2, argv=0x7fffffffde68) at platform/gl/gl-main.c:1578


 char *href_att = fz_xml_att(root, "xlink:href");

 if (!strncmp(href_att, jpeg_uri, strlen(jpeg_uri)))
                data = href_att + strlen(jpeg_uri);


The value of the href_att pointer is null, which triggered the crash. More details about the svg format can be found at [here](https://www.w3.org/TR/SVG2/linking.html#XLinkRefAttrs).

2. fish@ubuntu:~/Desktop/2018-10-10/pdf/mupdf$ ./afl/bin/mupdf-gl stack-overflow-poc-1.svg
ASAN:DEADLYSIGNAL
=================================================================
==70456==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcd7f05ea8 (pc 0x7f27dac74e6f bp 0x7ffcd7f06710 sp 0x7ffcd7f05e70 T0)
    #0 0x7f27dac74e6e  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e6e)
    #1 0x562cafbd1593  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x742593)
    #2 0x562cafa9b26c  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60c26c)
    #3 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    #4 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    ......
      #245 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    #246 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    #247 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    #248 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    #249 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)
    #250 0x562cafa9bdcc  (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc)

SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e6e) 
==70456==ABORTING

   193	 char *fz_xml_att(fz_xml *item, const char *name)
 →  194	 {
    195	 	struct attribute *att;
    196	 	if (!item)
    197	 		return NULL;
    198	 	for (att = item->atts; att; att = att->next)
    199	 		if (!strcmp(att->name, name))
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "mupdf-gl", stopped, reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[!] Cannot access memory at address 0x7fffff7fefe8
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555556d5aa8 in fz_xml_att (item=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>, name=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>) at source/fitz/xml.c:194
194	{
gef➤  p item
Cannot access memory at address 0x7fffff7fefe8
gef➤  bt 10
#0  0x00005555556d5aa8 in fz_xml_att (item=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>, name=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>) at source/fitz/xml.c:194
#1  0x0000555555686fdb in svg_parse_viewbox (ctx=0x555557f89b10, doc=0x555557f89bb0, node=0x555557fd42d8, state=0x7fffff7ff110) at source/svg/svg-run.c:823
#2  0x0000555555687bd1 in svg_run_use_symbol (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, use=0x555557fd42d8, symbol=0x555557fd4238, inherit_state=0x7fffff7ff2c0) at source/svg/svg-run.c:1026
#3  0x0000555555687f0c in svg_run_use (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, inherit_state=0x7fffff7ff460) at source/svg/svg-run.c:1057
#4  0x0000555555688637 in svg_run_element (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, state=0x7fffff7ff460) at source/svg/svg-run.c:1148
#5  0x0000555555687c3b in svg_run_use_symbol (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, use=0x555557fd42d8, symbol=0x555557fd4238, inherit_state=0x7fffff7ff610) at source/svg/svg-run.c:1030
#6  0x0000555555687f0c in svg_run_use (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, inherit_state=0x7fffff7ff7b0) at source/svg/svg-run.c:1057
#7  0x0000555555688637 in svg_run_element (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, state=0x7fffff7ff7b0) at source/svg/svg-run.c:1148
#8  0x0000555555687c3b in svg_run_use_symbol (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, use=0x555557fd42d8, symbol=0x555557fd4238, inherit_state=0x7fffff7ff960) at source/svg/svg-run.c:1030
#9  0x0000555555687f0c in svg_run_use (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, inherit_state=0x7fffff7ffb00) at source/svg/svg-run.c:1057
(More stack frames follow...)
Comment 3 Sebastian Rasmussen 2024-09-14 23:54:42 UTC 
Created attachment 26042 [details]
Sample file #1 illustrating the reported issue.
Comment 4 Sebastian Rasmussen 2024-09-14 23:54:57 UTC 
Created attachment 26043 [details]
Sample file #2 illustrating the reported issue.