As disclosed[1] there is a buffer overflow vulnerability in the function parsing code for exponential functions. The original report is cited below. The fix is trivial: check if func->n is >= MAXN after assigning it.

From: c (cc.cc)
Date: Fri Apr 24 2009 - 16:26:41 CDT

The overflow occurs at the following location:

mupdf/mupdf/pdf_function.c:1167

    obj = fz_dictgets(dict, "C0");
    if (fz_isarray(obj)) {
        func->n = fz_arraylen(obj);
        for (i = 0; i < func->n; ++i)
            func->u.e.c0[i] = fz_toreal(fz_arrayget(obj, i));
    }

func->n is used without being checked first. There are a few integer overflows elsewhere in the code as well.

[1] http://archives.neohapsis.com/archives/fulldisclosure/2009-04/0258.html?esohkb
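An added example, not part of the report or of MuPDF's code: a self-contained C version of the bounded load the report asks for. The types, the value of MAXN, the c0[MAXN] declaration and the name load_c0 are assumptions for illustration; it goes beyond the check described above by validating the length in a local and rejecting negative lengths.

```c
#include <stdio.h>

#define MAXN 32  /* assumed capacity; the page does not show MAXN's value */

/* Hypothetical stand-in for a parsed PDF array (not MuPDF's fz_obj). */
struct num_array { int len; const float *items; };

struct exp_func {
    int   n;          /* number of C0 entries actually loaded */
    float c0[MAXN];   /* assumed fixed-size destination buffer */
};

/* Copy an untrusted array into func->c0.
 * Returns 0 on success, -1 if the input is rejected.
 * The length is checked in a local before anything is written, so a
 * rejected input leaves func->n and func->c0 untouched. */
int load_c0(struct exp_func *func, const struct num_array *arr)
{
    int n, i;

    if (!func || !arr || !arr->items)
        return -1;

    n = arr->len;
    if (n < 0 || n >= MAXN)   /* same upper bound as the fix described above */
        return -1;

    for (i = 0; i < n; ++i)
        func->c0[i] = arr->items[i];
    func->n = n;
    return 0;
}

/* Constructed sample data: zero-filled, long enough for every case below. */
static float sample[MAXN + 8];

int main(void)
{
    struct exp_func f = { 0 };
    struct num_array fits = { MAXN - 1, sample };
    struct num_array over = { MAXN + 8, sample };
    int rc;

    rc = load_c0(&f, &fits);
    printf("fits: rc=%d n=%d\n", rc, f.n);
    rc = load_c0(&f, &over);
    printf("over: rc=%d n=%d\n", rc, f.n);
    return 0;
}
```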
Created attachment 5134
This is the original .pdf that causes the problem.
A patch like the one below ought to fix the problem. I'll provide it for you to pull. / Sebastian --- mupdf2.work.orig/mupdf/pdf_function.c 2009-06-21 23:35:27.000000000 +0200 +++ mupdf2.work.patched/mupdf/pdf_function.c 2009-06-21 23:35:27.000000000 +0200 @@ -1163,6 +1163,8 @@ loadexponentialfunc(pdf_function *func, if (fz_isarray(obj)) { func->n = fz_arraylen(obj); + if (func->n >= MAXN) + return fz_throw("exponential function result array too big"); for (i = 0; i < func->n; ++i) func->u.e.c0[i] = fz_toreal(fz_arrayget(obj, i)); pdf_logrsrc("c0 %d\n", func->n);
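Review bot: in loadexponentialfunc the new check runs only after `func->n = fz_arraylen(obj);`, so when fz_throw returns the struct still carries the out-of-range count; read the length into a local, check it, and assign func->n only once it has passed, so nothing on the error path can pick up the bad value. The comparison `>= MAXN` also rejects an array of exactly MAXN entries; the declaration of u.e.c0 is not in this hunk, so confirm whether that is intended or whether `>` is the exact bound. The hunk guards only the C0 loop, and the report notes further overflows elsewhere in the code, so any other fixed-size array loads in this file need the same check.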