698551 – GSView 6.0 MS Windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "mupdfnet64!mIncrementalSaveFile+0x193359".

Bug 698551 - GSView 6.0 MS Windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "mupdfnet64!mIncrementalSaveFile+0x193359".

Summary: GSView 6.0 MS Windows allows attackers to cause a denial of service or possib...

Status:	RESOLVED FIXED

Alias:	None

Product:	Artifex GSview
Classification:	Unclassified
Component:	General (show other bugs)
Version:	unspecified
Hardware:	PC Windows 8

Importance:	P4 normal
Assignee:	Michael Vrhel

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-17 00:05 UTC by WangLin
Modified:	2017-09-30 10:29 UTC (History)
CC List:	1 user (show)

See Also:
Customer:
Word Size:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description WangLin 2017-09-17 00:05:15 UTC

Created attachment 14281 [details]
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xf257bdd000
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:000007fb`6cd9dc29 rep movs byte ptr [rdi],byte ptr [rsi]
MAJOR_HASH:0x7d032668
MINOR_HASH:0x03023657
STACK_DEPTH:39
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x193359
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x83d6c
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x9d446
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x9d909
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x9e44f
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0xa7aa0
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0xa7bd3
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x430d
STACK_FRAME:mupdfnet64+0x1686
STACK_FRAME:mupdfnet64!mOpenDocument+0x3b
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:System_ni+0x2de04f
STACK_FRAME:clr+0xa7f3
STACK_FRAME:clr+0xa6de
STACK_FRAME:clr!CreateApplicationContext+0x30f0
STACK_FRAME:clr!CreateApplicationContext+0x333d
STACK_FRAME:mscorlib_ni+0xea86e7
STACK_FRAME:mscorlib_ni+0x4a39a5
STACK_FRAME:mscorlib_ni+0x4a3719
STACK_FRAME:mscorlib_ni+0x4d216f
STACK_FRAME:mscorlib_ni+0x4d136a
STACK_FRAME:clr+0xa7f3
STACK_FRAME:clr+0xa6de
STACK_FRAME:clr+0xae76
STACK_FRAME:clr!GetMetaDataInternalInterface+0x31d01
STACK_FRAME:clr+0xc121
STACK_FRAME:clr+0xc0a8
STACK_FRAME:clr+0xc019
STACK_FRAME:clr+0xc15f
STACK_FRAME:clr!GetMetaDataInternalInterface+0x31c8e
STACK_FRAME:clr!GetMetaDataInternalInterface+0x30b26
STACK_FRAME:clr!GetMetaDataInternalInterface+0x30a1a
STACK_FRAME:clr!CopyPDBs+0x44a2
STACK_FRAME:KERNEL32!BaseThreadInitThunk+0x1a
STACK_FRAME:ntdll!RtlUserThreadStart+0x21
INSTRUCTION_ADDRESS:0x000007fb6cd9dc29
INVOKING_STACK_FRAME:0
DESCRIPTION:Read Access Violation on Block Data Move
SHORT_DESCRIPTION:ReadAVonBlockMove
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable - Read Access Violation on Block Data Move starting at mupdfnet64!mIncrementalSaveFile+0x0000000000193359 (Hash=0x7d032668.0x03023657)
EXPLANATION:This is a read access violation in a block data move, and is therefore classified as probably exploitable.

Comment 1 Michael Vrhel 2017-09-21 12:10:03 UTC

This has been fixe and will be in the next release of gsview.