Bug 703791

Summary: mutool draw crashes with a specific file
Product: MuPDF
Reporter: Xuwei Liu <xuweiliu.cs>
Component: apps
Assignee: muPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
QA Contact: Bug traffic <tech>
Severity: major
Priority: P4
CC: mehmetgelisin
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: poc file

Description Xuwei Liu 2021-04-19 18:53:00 UTC
Created attachment 20930 [details]
poc file

An invalid write makes mutool crash.

Reproduce: 
./mutool draw poc.txt

Asan output:
==10021==ERROR: AddressSanitizer: SEGV on unknown address 0x00004b808071 (pc 0x7f29cf36d565 bp 0x7ffd3cb64d10 sp 0x7ffd3cb64cc0 T0)
==10021==The signal is caused by a WRITE memory access.
    #0 0x7f29cf36d564  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x26564)
    #1 0x7f29cf4257c2 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7c2)
    #2 0x50cbc8  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x50cbc8)
    #3 0x4cf3d0  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x4cf3d0)
    #4 0x45ba09  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x45ba09)
    #5 0x492686  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x492686)
    #6 0x4849db  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x4849db)
    #7 0x46512a  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x46512a)
    #8 0x4e218c  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x4e218c)
    #9 0x41565b  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x41565b)
    #10 0x41724a  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x41724a)
    #11 0x41addb  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x41addb)
    #12 0x41b51a  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x41b51a)
    #13 0x41da42  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x41da42)
    #14 0x410319  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x410319)
    #15 0x7f29ce5ff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #16 0x4143e8  (/home/youwei/genpdf/product/mupdf/mupdf/exe_asan/release/mutool+0x4143e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x26564)
==10021==ABORTING
Comment 1 Tor Andersson 2021-04-27 12:08:44 UTC
commit f5712c9949d026e4b891b25837edd2edc166151f
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Apr 20 14:46:48 2021 +0200

    Bug 703791: Stay within hash table max key size in cached color converter.
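The commit message above is the only description of the fix on this page, so here is an added illustration (constructed for this page, not MuPDF's code) of the bug class it names: a cache whose entries hold the key in a fixed-size buffer must reject, or bypass the cache for, any key longer than that buffer; an unchecked copy of a longer key writes past the entry and corrupts neighbouring heap data, which is consistent with the write SEGV inside free() in the ASan trace in the description. The 48-byte limit, the key built from float colour components, and every name below are assumptions for this demo and do not describe MuPDF's fz_hash_table or its colour converter.

```c
/* Constructed example: cache keyed by a fixed-size byte buffer with a
 * bounded insert. Not MuPDF code; MAX_KEY_LEN, the key layout and all
 * names are assumptions for this demonstration. */
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 48   /* assumed size of the key field in each entry */
#define TABLE_SLOTS 64

struct entry {
    unsigned char key[MAX_KEY_LEN];
    size_t key_len;      /* 0 marks a free slot */
    int value;
};

struct cache {
    struct entry slots[TABLE_SLOTS];
};

static unsigned hash_bytes(const unsigned char *key, size_t len)
{
    unsigned h = 2166136261u;            /* FNV-1a, enough for a demo */
    for (size_t i = 0; i < len; i++) { h ^= key[i]; h *= 16777619u; }
    return h;
}

/* Serialise n colour components into a key. Returns the key length, or 0
 * when they would not fit: the caller must then bypass the cache rather
 * than truncate the key or write past the buffer. */
static size_t make_color_key(const float *comps, int n,
                             unsigned char *out, size_t out_size)
{
    size_t need = (size_t)n * sizeof(float);
    if (n <= 0 || need > out_size)
        return 0;
    memcpy(out, comps, need);
    return need;
}

/* Bounded insert. The length check is the whole point: an unchecked
 * memcpy(e->key, key, len) with len > MAX_KEY_LEN would overrun the entry
 * and corrupt whatever the allocator placed after it. */
static int cache_insert(struct cache *c, const unsigned char *key,
                        size_t len, int value)
{
    if (len == 0 || len > MAX_KEY_LEN)
        return -1;
    unsigned idx = hash_bytes(key, len) % TABLE_SLOTS;
    for (unsigned probe = 0; probe < TABLE_SLOTS; probe++) {
        struct entry *e = &c->slots[(idx + probe) % TABLE_SLOTS];
        if (e->key_len == 0 ||
            (e->key_len == len && memcmp(e->key, key, len) == 0)) {
            memcpy(e->key, key, len);    /* safe: len <= MAX_KEY_LEN */
            e->key_len = len;
            e->value = value;
            return 0;
        }
    }
    return -1;                           /* table full */
}

/* Returns the cached value, or -1 when the key is absent or oversized. */
static int cache_lookup(const struct cache *c, const unsigned char *key,
                        size_t len)
{
    if (len == 0 || len > MAX_KEY_LEN)
        return -1;
    unsigned idx = hash_bytes(key, len) % TABLE_SLOTS;
    for (unsigned probe = 0; probe < TABLE_SLOTS; probe++) {
        const struct entry *e = &c->slots[(idx + probe) % TABLE_SLOTS];
        if (e->key_len == 0)
            return -1;
        if (e->key_len == len && memcmp(e->key, key, len) == 0)
            return e->value;
    }
    return -1;
}

/* Convert a colour through the cache. The "conversion" is a stand-in
 * (n * 1000); a colour whose key would not fit is converted uncached. */
static int convert_cached(struct cache *c, const float *comps, int n)
{
    unsigned char key[MAX_KEY_LEN];
    size_t len = make_color_key(comps, n, key, sizeof key);
    int result = n * 1000;
    if (len == 0)
        return result;                   /* oversized key: bypass cache */
    int hit = cache_lookup(c, key, len);
    if (hit >= 0)
        return hit;
    cache_insert(c, key, len, result);
    return result;
}

/* Exercises the boundary cases; returns how many of the 7 checks passed. */
static int demo_checks(void)
{
    struct cache c;
    unsigned char k48[48], k49[49];
    float rgb[3] = {0.1f, 0.2f, 0.3f};
    float big[32] = {0};                 /* 32 floats = 128 bytes > 48 */
    int passed = 0;
    memset(&c, 0, sizeof c);
    memset(k48, 'a', sizeof k48);
    memset(k49, 'a', sizeof k49);
    passed += cache_insert(&c, k48, 48, 7) == 0;    /* exactly at limit */
    passed += cache_insert(&c, k49, 49, 8) == -1;   /* one byte too long */
    passed += cache_lookup(&c, k48, 48) == 7;
    passed += cache_lookup(&c, k49, 49) == -1;
    passed += convert_cached(&c, rgb, 3) == 3000;   /* miss, then insert */
    passed += convert_cached(&c, rgb, 3) == 3000;   /* hit */
    passed += convert_cached(&c, big, 32) == 32000; /* bypassed, no overrun */
    return passed;
}

int main(void)
{
    printf("%d/7 boundary checks passed\n", demo_checks());
    return 0;
}
```

The design choice worth noting is that the bounded path has two independent guards: `make_color_key` refuses to build a key that would not fit, and `cache_insert`/`cache_lookup` refuse any length above `MAX_KEY_LEN` regardless of who built the key, so a new caller cannot reintroduce the overrun by skipping the first check. Under ASan, the single-line variant without these checks reports a heap-buffer-overflow at the `memcpy` rather than a later crash inside `free()`, which is the quickest way to confirm a fix of this kind.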
Comment 2 Mehmet gelisin 2021-09-11 11:28:05 UTC
 Short description: HeapError (10/22)
   Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.

2. Stack Overflow issue, classified unknown by exploitable.py. I have minimized the testcase to obtain mupdf_stackoverflow.pdf attached, but it doesn't contain pages, so better to reproduce with mudraw instead of mu x11 for example.

crash report from a non minimized testcase:

Faulting Frame:
   sprintf @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Disassembly:
   0x00007ffff7745cb9: movsxd rdx,edi
   0x00007ffff7745cbc: movsxd rsi,esi
   0x00007ffff7745cbf: movsxd rdi,ecx
   0x00007ffff7745cc2: mov eax,0xea
   0x00007ffff7745cc7: syscall
=> 0x00007ffff7745cc9: cmp rax,0xfffffffffffff000
   0x00007ffff7745ccf: ja 0x7ffff7745cea <__GI_raise+90>
   0x00007ffff7745cd1: repz ret
   0x00007ffff7745cd3: nop DWORD PTR [rax+rax*1+0x0]
   0x00007ffff7745cd8: test eax,eax
Stack Head (22 entries):
   __GI_raise                @ 0x00007ffff7745cc9: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI_abort                @ 0x00007ffff77490d8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __libc_message            @ 0x00007ffff7782394: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI___fortify_fail       @ 0x00007ffff7819c9c: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI___chk_fail           @ 0x00007ffff7818b60: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   _IO_str_chk_overflow      @ 0x00007ffff7818069: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI__IO_default_xsputn   @ 0x00007ffff778a70c: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   _IO_vfprintf_internal     @ 0x00007ffff77597df: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   ___vsprintf_chk           @ 0x00007ffff78180f4: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   ___sprintf_chk            @ 0x00007ffff781804d: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   sprintf                   @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_load_simple_font_by_n @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_load_simple_font      @ 0x000000000076cc5c: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_load_font             @ 0x000000000076cc5c: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   get_font_info             @ 0x0000000000742632: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_update_text_appearanc @ 0x0000000000745b31: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Registers:
rax=0x0000000000000000 rbx=0x0000000000000074 rcx=0xffffffffffffffff rdx=0x0000000000000006 
rsi=0x000000000000222e rdi=0x000000000000222e rbp=0x00007fffffff9c80 rsp=0x00007fffffff9968 
 r8=0x00007ffff7885dc0  r9=0x00000000016513c8 r10=0x0000000000000008 r11=0x0000000000000246 
r12=0x00007fffffff9af0 r13=0x0000000000000005 r14=0x0000000000000074 r15=0x0000000000000005 
rip=0x00007ffff7745cc9 efl=0x0000000000000246  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Abort signal
   Short description: AbortSignal (20/22)
   Explanation: The target is stopped on a SIGABRT. SIGABRTs are often generated by libc and compiled check-code to indicate potentially exploitable conditions. Unfortunately this command does not yet further analyze these crashes.
---END SUMMARY---
---CRASH SUMMARY---
Filename: 