Bug 696941 - mupdf use after free
Summary: mupdf use after free
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: fuzzing
Version: master
Hardware: PC All
Importance: P4 normal
Assignee: muPDF bugs
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-21 06:40 UTC by Marco Grassi
Modified: 2021-09-11 11:28 UTC
CC: 3 users

See Also:
Customer:
Word Size: ---


Attachments
pdf reproducer for uaf (9.84 KB, application/pdf)
2016-07-21 06:40 UTC, Marco Grassi

Description Marco Grassi 2016-07-21 06:40:02 UTC
Created attachment 12709 [details]
pdf reproducer for uaf

Hi, I would like to report a use after free in mupdf.

You can find the reproducer attached, and here is a partially symbolicated ASAN report.

You can retrigger it by building the master branch with ASAN and using the attached pdf, mucrash1.pdf.

Marco

----

➜  mupdf ./mupdf_debug/build/debug/mupdf-x11 mucrash1.pdf 2>&1 | asan_symbolize-3.8 
warning: broken xref section, proceeding anyway.
=================================================================
==24575==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700000fda8 at pc 0x0000006b0a54 bp 0x7ffcb040dbb0 sp 0x7ffcb040dba8
READ of size 4 at 0x61700000fda8 thread T0
    #0 0x6b0a53 in pdf_load_xref /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1188
    #1 0x6b0a53 in ?? ??:0
    #2 0x6aac73 in pdf_init_document /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1440
    #3 0x6aac73 in ?? ??:0
    #4 0x6ad4ae in pdf_open_document /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:2347
    #5 0x6ad4ae in ?? ??:0
    #6 0x5183d2 in fz_open_document /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/document.c:129
    #7 0x5183d2 in ?? ??:0
    #8 0x4fbb2b in pdfapp_open_progressive /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:317
    #9 0x4fbb2b in ?? ??:0
    #10 0x4fb708 in pdfapp_open /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:213
    #11 0x4fb708 in ?? ??:0
    #12 0x4f01df in main /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/x11_main.c:888
    #13 0x4f01df in ?? ??:0
    #14 0x7f6b723ef82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x7f6b723ef82f in ?? ??:0
    #16 0x41ad98 in _start ??:?
    #17 0x41ad98 in ?? ??:0

0x61700000fda8 is located 296 bytes inside of 768-byte region [0x61700000fc80,0x61700000ff80)
freed by thread T0 here:
    #0 0x4bad40 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o:?
    #1 0x4bad40 in ?? ??:0
    #2 0x516018 in fz_free_default /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:225
    #3 0x516018 in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4baec8 in malloc ??:?
    #1 0x4baec8 in ?? ??:0
    #2 0x515f68 in fz_malloc_default /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:213
    #3 0x515f68 in ?? ??:0
    #4 0x6b9aae in pdf_xref_find_subsection /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:740
    #5 0x6b9aae in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free (/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/build/debug/mupdf-x11+0x6b0a53)
Shadow bytes around the buggy address:
  0x0c2e7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff9fb0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24575==ABORTING
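A triage helper for reports like the one above, added here as an example; it is not code from MuPDF or from the reporter. It parses the ASAN text, drops the unsymbolized duplicate frames that asan_symbolize emitted, and derives a deduplication signature from the use, free and allocation stacks. The sample input is a constructed, abridged copy of the report with paths shortened to /src/mupdf/; the project prefix and the allocator-wrapper list are assumptions.

```python
import re

# Constructed sample (assumption): the report above, abridged, with paths shortened.
# The '#1 ... ?? ??:0' line is asan_symbolize's unsymbolized duplicate of an inlined frame.
SAMPLE = """\
==24575==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700000fda8 at pc 0x0000006b0a54
READ of size 4 at 0x61700000fda8 thread T0
    #0 0x6b0a53 in pdf_load_xref /src/mupdf/source/pdf/pdf-xref.c:1188
    #1 0x6b0a53 in ?? ??:0
0x61700000fda8 is located 296 bytes inside of 768-byte region [0x61700000fc80,0x61700000ff80)
freed by thread T0 here:
    #0 0x4bad40 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o:?
    #2 0x516018 in fz_free_default /src/mupdf/source/fitz/memory.c:225
previously allocated by thread T0 here:
    #0 0x4baec8 in malloc ??:?
    #2 0x515f68 in fz_malloc_default /src/mupdf/source/fitz/memory.c:213
    #4 0x6b9aae in pdf_xref_find_subsection /src/mupdf/source/pdf/pdf-xref.c:740
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")
WRAPPERS = {"fz_malloc_default", "fz_free_default"}  # mupdf's malloc/free wrappers (assumed)

def parse_asan(text):
    """Extract fault kind, access, region geometry and the use/free/alloc stacks."""
    r = {"kind": None, "access": None, "size": 0, "offset": None, "region": 0,
         "use": [], "free": [], "alloc": []}
    section = None
    for line in text.splitlines():
        if m := HEADER.search(line):
            r["kind"] = m.group(1)
        elif m := ACCESS.match(line):
            r["access"], r["size"], section = m.group(1), int(m.group(2)), "use"
        elif m := REGION.search(line):
            r["offset"], r["region"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            section = "free"
        elif line.startswith("previously allocated"):
            section = "alloc"
        elif (m := FRAME.match(line)) and section and not m.group(2).startswith("??"):
            r[section].append((m.group(1), m.group(2)))  # symbolized frames only
    return r

def signature(r, project="/src/mupdf/"):
    """Dedup key for fuzz crashes; None means a stack was not symbolized past the allocator."""
    def top(stack):
        return next((f for f, loc in r[stack] if project in loc and f not in WRAPPERS), None)
    return (r["kind"], top("use"), top("free"), top("alloc"))
```

For this report the free stack stops at fz_free_default, so the signature carries None for the free site; that gap is the reason the reporter called the report partially symbolicated.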
Comment 1 Robin Watts 2016-07-22 03:59:22 UTC
Fixed in:

commit fa1936405b6a84e5c9bb440912c23d532772f958
Author: Robin Watts <robin.watts@artifex.com>
Date:   Thu Jul 21 15:39:11 2016 +0100

    Bug 696941: Fix use after free.

    The file is HORRIBLY corrupt, and triggers Sophos to think it's
    PDF malware (which it isn't). It does however trigger a use
    after free, worked around here.


Thanks!
Comment 2 Mehmet gelisin 2021-09-11 11:28:13 UTC
Here's the ASAN report.

==9722==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000400 (pc 0x5622f5d5279a bp 0x7ffeec399370 sp 0x7ffeec399270 T0)
==9722==The signal is caused by a READ memory access.
==9722==Hint: address points to the zero page.
    #0 0x5622f5d52799 in TIFFFindField tiff//libtiff/tif_dirinfo.c:513
    #1 0x5622f5d45fce in OkToChangeTag tiff//libtiff/tif_dir.c:762
    #2 0x5622f5d4685a in TIFFVSetField tiff//libtiff/tif_dir.c:853
    #3 0x5622f5d462e6 in TIFFSetField tiff//libtiff/tif_dir.c:798
    #4 0x5622f5e343c5 in tiff_set_fields_for_printer devices/gdevtifs.c:380
    #5 0x5622f604f45a in tiffsep_print_page devices/gdevtsep.c:2390
    #6 0x5622f5bf61c2 in gx_default_print_page_copies base/gdevprn.c:1231
    #7 0x5622f5bf5b91 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #8 0x5622f5bf5e5a in gdev_prn_output_page_seekable base/gdevprn.c:1175
    #9 0x5622f62d371a in gs_output_page base/gsdevice.c:212
    #10 0x5622f6932cc3 in zoutputpage psi/zdevice.c:416
    #11 0x5622f684fa2f in do_call_operator psi/interp.c:86
    #12 0x5622f68591ae in interp psi/interp.c:1300
    #13 0x5622f685157c in gs_call_interp psi/interp.c:520
    #14 0x5622f6850c21 in gs_interpret psi/interp.c:477
    #15 0x5622f6825178 in gs_main_interpret psi/imain.c:253
    #16 0x5622f682862d in gs_main_run_string_end psi/imain.c:791
    #17 0x5622f6827ff2 in gs_main_run_string_with_length psi/imain.c:735
    #18 0x5622f6827f64 in gs_main_run_string psi/imain.c:716
    #19 0x5622f6834c28 in run_string psi/imainarg.c:1117
    #20 0x5622f68349cb in runarg psi/imainarg.c:1086
    #21 0x5622f683424a in argproc psi/imainarg.c:1008
    #22 0x5622f682ea16 in gs_main_init_with_args01 psi/imainarg.c:241
    #23 0x5622f682ee7a in gs_main_init_with_args psi/imainarg.c:288
    #24 0x5622f683a3aa in psapi_init_with_args psi/psapi.c:272
    #25 0x5622f6a099c9 in gsapi_init_with_args psi/iapi.c:148
    #26 0x5622f55da6b8 in main psi/gs.c:95
    #27 0x7f2d4330eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #28 0x5622f55da459 in _start (gs+0x36c459)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV tiff//libtiff/tif_dirinfo.c:513 in TIFFFindField