Bug 707621

Summary: Division by zero in pnm_binary_read_image()
Product: MuPDF
Reporter: Sebastian Rasmussen <sebastian.rasmussen>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 1.24.0   
Hardware: PC   
OS: Linux   
Customer:
Word Size: ---

Description Sebastian Rasmussen 2024-02-28 13:13:11 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51104

https://github.com/dongyuma/sox-defects/blob/main/mupdf-defects.md#4-a-floating-point-exception-divide-by-zero-issue-was-discovered-in-mupdf-in-functon-pnm_binary_read_image-of-load-pnmc-in-line-519

A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function pnm_binary_read_image() of load-pnm.c line 527.
Comment 1 Sebastian Rasmussen 2024-03-01 15:09:28 UTC
Fixed in

commit 0c06a4e51519515615f6ab2d5b1f25da6771e1f4
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Fri Mar 1 22:05:33 2024 +0800

    Bug 707621: Add assert ensuring that there is > 0 components.
    
    CVE-2023-51104 reports that pnm_binary_read_image() may end up
    in a division by zero.
    
    After deducing that the issue originates from clang's scan-build-17
    and studying its reported issues, the source code of
    pnm_read_image() and pnm_binary_read_image() was analyzed.
    
    What scan-build-17 fails to realize is that pnm_read_image()
    guarantees that the number of components in the passed colorspace
    is either 1 or 3. The best way to avoid getting similar CVEs
    is to add a redundant assert() for the number of components.
    
    After this, scan-build-17's reports about division by zero in
    pnm_binary_read_image() disappear and thus this eliminates
    CVE-2023-51104.
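
The pattern the commit message describes, as an added example that is not MuPDF's code: a caller that only lets 1 or 3 components through, and a callee that divides by the component count and restates that invariant with a redundant assert(). All function names, return codes and the buffer layout are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names and layout; a simplified stand-in, not MuPDF's code. */
enum { IMG_OK = 0, IMG_BAD_COMPONENTS = -1, IMG_BAD_SIZE = -2, IMG_TRUNCATED = -3 };

/* Callee (role of pnm_binary_read_image): divides by the component count.
 * Looking at this function alone, an analyzer cannot rule out n == 0. */
static size_t pixels_in_buffer(size_t len, int n)
{
    /* Redundant with the caller's check; states the invariant where the
     * division happens. Compiled out under NDEBUG, so the caller's
     * validation remains the real guard in release builds. */
    assert(n > 0);
    return len / (size_t)n;
}

/* Caller (role of pnm_read_image): only 1 (gray) or 3 (RGB) components
 * ever reach the callee. */
int read_binary_image(const uint8_t *data, size_t len, int w, int h, int n,
                      uint8_t *out, size_t out_cap)
{
    if (n != 1 && n != 3)
        return IMG_BAD_COMPONENTS;
    if (w <= 0 || h <= 0 || (size_t)w > SIZE_MAX / (size_t)h)
        return IMG_BAD_SIZE;

    size_t pixels = (size_t)w * (size_t)h;
    if (pixels > out_cap / (size_t)n)      /* pixels * n must fit in out */
        return IMG_BAD_SIZE;
    if (pixels_in_buffer(len, n) < pixels) /* not enough input samples */
        return IMG_TRUNCATED;

    for (size_t i = 0; i < pixels * (size_t)n; i++)
        out[i] = data[i];
    return IMG_OK;
}
```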