Bug 698558 - mupdf 1.11 windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to a "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016cb4f".
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: 1.11
Hardware: PC Windows 8
Importance: P4 normal
Assignee: MuPDF bugs
Reported: 2017-09-18 22:04 UTC by WangLin
Modified: 2017-09-30 10:30 UTC

Description WangLin 2017-09-18 22:04:58 UTC
Created attachment 14295
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x0
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:0056cb4f repe cmps byte ptr [esi],byte ptr es:[edi]
BASIC_BLOCK_INSTRUCTION_COUNT:2
BASIC_BLOCK_INSTRUCTION:0056cb4f repe cmps byte ptr [esi],byte ptr es:[edi]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:edi
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:esi
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ZeroFlag
BASIC_BLOCK_INSTRUCTION:0056cb51 jne mupdf+0x16cb80 (0056cb80)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ZeroFlag
MAJOR_HASH:0x59141949
MINOR_HASH:0x5914662f
STACK_DEPTH:3
STACK_FRAME:mupdf+0x16cb4f
STACK_FRAME:USER32!GetWindowThreadProcessId+0x127
STACK_FRAME:USER32!GetClassLongW+0x3a
INSTRUCTION_ADDRESS:0x000000000056cb4f
INVOKING_STACK_FRAME:0
DESCRIPTION:Data from Faulting Address controls Branch Selection
SHORT_DESCRIPTION:TaintedDataControlsBranchSelection
CLASSIFICATION:UNKNOWN
BUG_TITLE:Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016cb4f (Hash=0x59141949.0x5914662f)
EXPLANATION:The data from the faulting address is later used to determine whether or not a branch is taken.
Comment 1 Tor Andersson 2017-09-19 09:10:56 UTC
commit 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Sep 19 17:17:12 2017 +0200

    Fix 698558: Handle non-tags in tag name comparisons.
    
    Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
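The crash record above (EXCEPTION_FAULTING_ADDRESS 0x0, a read fault on a repe cmps byte-compare loop) is what an inlined string compare against a NULL pointer looks like, and the commit message says the fix is to handle nodes that are not tags in tag-name comparisons. The following is an added illustration, not MuPDF's code: it models a DOM in which element nodes have a tag name and text nodes have none (NULL), shows the fragile `strcmp(xml_tag(node), ...)` idiom that reads through NULL on a text node, and the guarded `xml_is_tag` helper that treats a non-tag node as simply "not that tag". The names xml_node, xml_tag, xml_is_tag and count_tag_* are assumptions echoing the commit message, not MuPDF's API; the sibling lists are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for an XML DOM (assumed names, NOT MuPDF's API):
 * element nodes carry a tag name, text nodes carry text and a NULL name. */
typedef struct xml_node {
    const char *name;       /* element name, or NULL for a text node */
    const char *text;       /* text content for text nodes, else NULL */
    struct xml_node *next;  /* next sibling */
} xml_node;

/* Returns the tag name, or NULL when the node is absent or is a text node. */
static const char *xml_tag(const xml_node *node)
{
    return node ? node->name : NULL;
}

/* Hardened comparison: a NULL name (text node, missing node) never matches,
 * so callers can compare without first checking what kind of node they hold. */
static int xml_is_tag(const xml_node *node, const char *name)
{
    const char *tag = xml_tag(node);
    return tag != NULL && strcmp(tag, name) == 0;
}

/* The fragile idiom: strcmp() straight on whatever xml_tag() returns.
 * On a text node this is strcmp(NULL, name): a read from address 0 inside
 * the (often inlined, repe cmpsb) compare loop, i.e. the reported fault. */
static int count_tag_unchecked(const xml_node *first, const char *name)
{
    int n = 0;
    for (const xml_node *node = first; node; node = node->next)
        if (!strcmp(xml_tag(node), name))   /* undefined when xml_tag() is NULL */
            n++;
    return n;
}

/* Same walk with the guarded helper: text nodes are skipped, never dereferenced. */
static int count_tag_checked(const xml_node *first, const char *name)
{
    int n = 0;
    for (const xml_node *node = first; node; node = node->next)
        if (xml_is_tag(node, name))
            n++;
    return n;
}

/* Constructed sibling list modelling mixed content an attacker controls:
 *   <Path/>  "stray text"  <Path/>  <Glyphs/>
 * The text node in the middle is the "non-tag" the fix must tolerate. */
static xml_node n_glyphs = { "Glyphs", NULL,         NULL };
static xml_node n_path2  = { "Path",   NULL,         &n_glyphs };
static xml_node n_text   = { NULL,     "stray text", &n_path2 };
static xml_node n_path1  = { "Path",   NULL,         &n_text };

/* Constructed list of element nodes only, where the unchecked idiom happens
 * to work; this is why the bug survives well-formed test files. */
static xml_node e_glyphs = { "Glyphs", NULL, NULL };
static xml_node e_path   = { "Path",   NULL, &e_glyphs };

int main(void)
{
    printf("elements only, unchecked: %d\n", count_tag_unchecked(&e_path, "Path"));
    printf("mixed content, checked:   %d\n", count_tag_checked(&n_path1, "Path"));
    /* count_tag_unchecked(&n_path1, "Path") would read through NULL at n_text. */
    return 0;
}
```

The practical point for review is the asymmetry: the unchecked walk is correct on every input the author tried, and only a document that places text where a tag was expected reaches the NULL compare, which is exactly what a fuzzer-generated .xps will do. Centralising the NULL check in one helper removes the need to remember it at every comparison site.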