Bug 707996

Attached multiple crash file in zip

is there any update ?

Created attachment 26010 [details]
Addinational execution

root@vmi2106651:~/fuzzing/mupdf/build/release# ./mutool extract /root/mupdf/build/release/out/slave1mutool/crashes/id:000058,sig:11,src:001422,time:1428831+001122,op:splice,rep:32
format error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
syntax error: invalid key in dict
syntax error: invalid key in dict
syntax error: invalid key in dict
syntax error: invalid key in dict
source/pdf/pdf-lex.c:180:9: runtime error: signed integer overflow: 8888888888888888888 * 10 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/pdf/pdf-lex.c:180:9 in
syntax error: invalid key in dict
warning: ignoring object with invalid object number (-974942672 0 R)
warning: invalid indirect reference in dict
syntax error: invalid key in dict
syntax error: invalid key in dict
warning: cannot load object (1 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (1 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (3 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (3 0 R) into cache
syntax error: expected 'R' keyword (5 0 R)
warning: cannot load object (5 0 R) into cache
syntax error: expected 'R' keyword (5 0 R)
warning: cannot load object (5 0 R) into cache
warning: expected 'endobj' or 'stream' keyword (8 0 R)
warning: invalid indirect reference in dict
syntax error: invalid key in dict
warning: cannot load object (11 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (11 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (16 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (16 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (20 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (20 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (21 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (21 0 R) into cache
source/pdf/pdf-object.c:3067:37: runtime error: member access within misaligned address 0x00000000454d for type 'pdf_obj' (aka 'struct pdf_obj'), which requires 2 byte alignment
0x00000000454d: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/pdf/pdf-object.c:3067:37 in
include/mupdf/fitz/context.h:1004:7: runtime error: load of misaligned address 0x00000000454d for type 'int16_t' (aka 'short'), which requires 2 byte alignment
0x00000000454d: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/mupdf/fitz/context.h:1004:7 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==822916==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000454d (pc 0x0000009e9f56 bp 0x000000000018 sp 0x7ffc1b01ddc0 T0)
==822916==The signal is caused by a READ memory access.
    #0 0x9e9f56  (/root/fuzzing/mupdf/build/release/mutool+0x9e9f56)
    #1 0x554775  (/root/fuzzing/mupdf/build/release/mutool+0x554775)
    #2 0x554336  (/root/fuzzing/mupdf/build/release/mutool+0x554336)
    #3 0x4ca9c2  (/root/fuzzing/mupdf/build/release/mutool+0x4ca9c2)
    #4 0x7f6d5b75c082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x42943d  (/root/fuzzing/mupdf/build/release/mutool+0x42943d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/fuzzing/mupdf/build/release/mutool+0x9e9f56)
==822916==ABORTING

(In reply to sumitp7816 from comment #2)
> is there any update ?

No, none yet. Let me try to verify the crash first.

What version of mupdf was used? 1.24.9? an earlier release? or what git commit did you used? What compiler was used and what version?

I ran id:000000,sig:11,src:000000,time:12142,op:havoc,rep:32 successfully through "mutool extract id:000000,sig:11,src:000000,time:12142,op:havoc,rep:32" where mupdf was compiled by gcc-13 with ASAN from the current git HEAD commit 1d58f734a.

Nvm, with clang-17 and compiling with ASAN in release mode I have reproduced your issue. A variable was not correctly cleared and declared fz_var.

I have a commit pending for this.

We are waiting for your commits.
Additionally please find details for.


URL for installation : https://mupdf.readthedocs.io/en/latest/quick-start-guide.html

git clone --recursive git://git.ghostscript.com/mupdf.git. 
and build command for this make -j$(nproc) HAVE_X11=no HAVE_GLUT=no

and my clang is 

afl-clang-fast++2.59d by <lszekeres@google.com>
clang version 9.0.1-12

Fixed by

commit b5c898a30f068b5342e8263a2cd5b9f0be291aac
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Mon Sep 2 22:06:32 2024 +0200

    Bug 707996: Declare variable fz_var to avoid stale values.
    
    A fuzzed file provoked an ASAN warning when building release mode.
    
    For good measure, also declare a variable in an unrelated function
    in the same tool fz_var.

Hi team any reward for this ?

and can you add cve for this?

any update on this?

Our bug bounty program https://www.ghostscript.com/Bug_bounty_program.html states that we generally pay for patches for nominated bugs, not just bug reports themselves.

Thank you for the clarification. I wanted to highlight that the bug I reported is a valid bug and results in a crash. Given the nature of the issue, could you confirm whether this qualifies for the bounty program and if a patch submission would be required for further consideration? I look forward to your guidance.

Thank you for the clarification. I wanted to highlight that the bug I reported is a valid bug and results in a crash. Given the nature of the issue, could you confirm whether this qualifies for the bounty program and if a patch submission would be required for further consideration? I look forward to your guidance.

any update on this?

No, unfortunately it does not qualify for a bug bounty since a fix for the issue was not provided.

Thank you for your response. I understand that a fix is generally required to qualify for a bounty. However, I wanted to clarify that the issue has now been resolved, and I contributed to addressing it. Given this, I believe it would be appropriate to consider this submission for a bounty.

(In reply to sumitp7816 from comment #17)
> Thank you for your response. I understand that a fix is generally required
> to qualify for a bounty. However, I wanted to clarify that the issue has now
> been resolved, and I contributed to addressing it. Given this, I believe it
> would be appropriate to consider this submission for a bounty.

We appreciate your bug report, and are grateful for your efforts in improving our open source software.

Our bug bounty policy clearly states that we pay for fixes, not just for bug reports themselves.

Further, it is clearly stated that such payments are at our discretion.

I feel Sebastian has been sufficiently clear with you that we do not feel this bug report qualifies for a payment under these terms.

Your repeated posting on this bug has, however, passed the point of reasonable behaviour. Please desist from further postings on this bug.

Once again, we thank you for your contribution.

Hi Team,

I have applied for a CVE and received the CVE number CVE-2024-46657. Please complete the process from your end.

Regards,
Sumit Patel

> I have applied for a CVE and received the CVE number CVE-2024-46657. Please
> complete the process from your end.

I cannot access any information about this CVE number, see https://www.cve.org/CVERecord?id=CVE-2024-46657, so I cannot even verify that it concerns MuPDF.

You cannot access any information about  CVE because it's not published yet

> You cannot access any information about  CVE because it's not published yet

When do you intend to publish it?