Bug 698539 - mupdf 1.11 windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to a "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016aa61".
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: 1.11
Hardware: PC Windows 8
Importance: P4 normal
Assignee: muPDF bugs
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-14 22:53 UTC by WangLin
Modified: 2017-09-30 10:29 UTC

See Also:
Customer:
Word Size: ---


Attachments

Description WangLin 2017-09-14 22:53:41 UTC
Created attachment 14261
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x5c
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:0056aa61 mov ecx,dword ptr [ebx+5ch]
BASIC_BLOCK_INSTRUCTION_COUNT:3
BASIC_BLOCK_INSTRUCTION:0056aa61 mov ecx,dword ptr [ebx+5ch]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ebx
BASIC_BLOCK_INSTRUCTION:0056aa64 test ecx,ecx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION:0056aa66 je mupdf+0x16aa85 (0056aa85)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ZeroFlag
MAJOR_HASH:0x6470750b
MINOR_HASH:0x64705e0b
STACK_DEPTH:1
STACK_FRAME:mupdf+0x16aa61
INSTRUCTION_ADDRESS:0x000000000056aa61
INVOKING_STACK_FRAME:0
DESCRIPTION:Data from Faulting Address controls Branch Selection
SHORT_DESCRIPTION:TaintedDataControlsBranchSelection
CLASSIFICATION:UNKNOWN
BUG_TITLE:Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016aa61 (Hash=0x6470750b.0x64705e0b)
EXPLANATION:The data from the faulting address is later used to determine whether or not a branch is taken.
Comment 1 Tor Andersson 2017-09-19 09:09:42 UTC
commit ab1a420613dec93c686acbee2c165274e922f82a
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Sep 19 15:23:04 2017 +0200

    Fix 698539: Don't use xps font if it could not be loaded.
    
    xps_load_links_in_glyphs did not cope with font loading failures.