Created attachment 13322
POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce:
mutool draw -F svg mupdf_null_ptr_dodrawpage -o /dev/null

ASAN:
==18424==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004ee88a bp 0x7ffc140cae50 sp 0x7ffc140ca840 T0)
==18424==The signal is caused by a READ memory access.
==18424==Hint: address points to the zero page.
    #0 0x4ee889 in dodrawpage XYZ/mupdf/source/tools/mudraw.c:581:8
    #1 0x4f38ad in drawpage XYZ/mupdf/source/tools/mudraw.c:1031:3
    #2 0x4edab6 in drawrange XYZ/mupdf/source/tools/mudraw.c:1060:6
    #3 0x4eb2c9 in mudraw_main XYZ/mupdf/source/tools/mudraw.c:1635:7
    #4 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #5 0x7fe7241d682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/tools/mudraw.c:581:8 in dodrawpage
==18424==ABORTING

While the given command caused a SIGSEGV, which will soon be fixed in 40ac85bfb676bb4373bda4b18f9fd90268c9f1e9, please note that the manpage lists the order of arguments as:

mutool info [options] file.pdf [pages]

which means that the correct order of arguments really is:

mutool draw -F svg -o /dev/null mupdf_null_ptr_dodrawpage