Created attachment 14644: Analysis and poc

There is an address-not-addressable bug in the pdf_read_new_xref function.

Call trace:

./mutool merge input1.pdf merge_crash1 out.pdf
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ignoring object with invalid object number (0 59 R)
warning: expected 'endobj' or 'stream' keyword (32 0 R)
ASAN:DEADLYSIGNAL
=================================================================
==20654==ERROR: AddressSanitizer: SEGV on unknown address 0x61f400003c60 (pc 0x0000008708ed bp 0x7ffc8c65c9e0 sp 0x7ffc8c65c5e0 T0)
    #0 0x8708ec (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8708ec)
    #1 0x86e0a8 (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x86e0a8)
    #2 0x86da17 (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x86da17)
    #3 0x86cfb9 (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x86cfb9)
    #4 0x8679cd (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8679cd)
    #5 0x8634bb (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8634bb)
    #6 0x864a82 (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x864a82)
    #7 0x53d91a (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x53d91a)
    #8 0x4eb9af (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x4eb9af)
    #9 0x7f221c05482f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x419bc8 (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x419bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8708ec)
==20654==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x000000000050c189 in pdf_read_new_xref (ctx=0x2a17010, doc=0x2a3e8d0, buf=0x2a3ea50) at source/pdf/pdf-xref.c:1046
1046        entry->ofs = ofs;
(gdb) p entry->ofs
Cannot access memory at address 0x1402a9a380
(gdb) bt
#0 0x000000000050c189 in pdf_read_new_xref (ctx=0x2a17010, doc=0x2a3e8d0, buf=0x2a3ea50) at source/pdf/pdf-xref.c:1046
#1 0x000000000050c348 in pdf_read_xref (ctx=0x2a17010, doc=0x2a3e8d0, ofs=116, buf=0x2a3ea50) at source/pdf/pdf-xref.c:1082
#2 0x000000000050c4ee in read_xref_section (ctx=0x2a17010, doc=0x2a3e8d0, ofs=116, buf=0x2a3ea50, offsets=0x7fffffffe070) at source/pdf/pdf-xref.c:1128
#3 0x000000000050c70a in pdf_read_xref_sections (ctx=0x2a17010, doc=0x2a3e8d0, ofs=116, buf=0x2a3ea50, read_previous=1) at source/pdf/pdf-xref.c:1177
#4 0x000000000050c8f3 in pdf_load_xref (ctx=0x2a17010, doc=0x2a3e8d0, buf=0x2a3ea50) at source/pdf/pdf-xref.c:1233
#5 0x000000000050d093 in pdf_init_document (ctx=0x2a17010, doc=0x2a3e8d0) at source/pdf/pdf-xref.c:1371
#6 0x000000000050f94c in pdf_open_document (ctx=0x2a17010, filename=0x7fffffffe66c "merge_crash1") at source/pdf/pdf-xref.c:2285
#7 0x00000000004231e7 in pdfmerge_main (argc=4, argv=0x7fffffffe390) at source/tools/pdfmerge.c:155
#8 0x0000000000402c2e in main (argc=5, argv=0x7fffffffe388) at source/tools/mutool.c:127

See the attachment if you want detailed information about the vulnerability.
For this issue, CVE-2018-6192 has been assigned.
This issue disappeared when the commit below was introduced. The reason for this is that the changed lexing changes how the document is parsed and execution takes a different path that no longer exhibits the issue.

====
commit fa9cd085533f68367c299e058ab3fbb7ad8a2dc6
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Fri Dec 1 16:07:23 2017 +0100

    Fix 698785: Catch malformed numbers in PDF lexical scanner.

    Return error tokens when parsing numbers with trailing garbage rather
    than ignoring the extra characters.

    Also handle error tokens more gracefully in array and dictionary
    parsing. Treat error tokens as the 'null' keyword and continue parsing.
====

I have a tentative commit 323072ca57c6510ad677ac6071090565a41b64fc awaiting review.
This was fixed in commit 5e411a99604ff6be5db9e273ee84737204113299

Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 30 02:05:57 2018 +0100

    Bug 698916: Indirect object numbers must be in range.
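The kind of range check the fix commit's title describes, as an added illustration written for this thread and not mupdf's own code: a constructed, simplified xref table (the xref_section, index_range, xref_apply_range and xref_lookup_ofs names and layouts are assumptions) in which every object number derived from a file's /Index ranges is validated against the table size before any entry is written, so a malformed range is rejected instead of storing through an out-of-range entry pointer like the `entry->ofs = ofs` line in the trace.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model, not mupdf's own structures (names are assumptions):
 * one xref section of /Size entries, filled from /Index ranges. */
typedef struct { int64_t ofs; int gen; char type; } xref_entry;
typedef struct { xref_entry *table; int len; } xref_section;
typedef struct { int start; int count; } index_range;

/* Allocate an all-free table of `size` entries; NULL on bad size or OOM. */
static xref_section *xref_new(int size)
{
    if (size <= 0) return NULL;
    xref_section *x = calloc(1, sizeof *x);
    if (!x) return NULL;
    x->table = calloc((size_t)size, sizeof *x->table);
    if (!x->table) { free(x); return NULL; }
    x->len = size;
    for (int i = 0; i < size; i++) x->table[i].type = 'f';
    return x;
}

static void xref_free(xref_section *x) { if (x) { free(x->table); free(x); } }

/* Fill one /Index range from already-decoded offsets. Every object number
 * start..start+count-1 is checked against [0, len) before the table is
 * touched, in a form that cannot overflow. Returns entries written, or -1
 * when the range would reach outside the table: the condition under which
 * an unchecked `entry->ofs = ofs` store faults, as in the trace above. */
static int xref_apply_range(xref_section *x, index_range r, const int64_t *offsets)
{
    if (!x || !offsets) return -1;
    if (r.start < 0 || r.count < 0 || r.start > x->len - r.count) return -1;
    for (int i = 0; i < r.count; i++) {
        xref_entry *entry = &x->table[r.start + i];
        entry->ofs = offsets[i];
        entry->gen = 0;
        entry->type = 'n';
    }
    return r.count;
}

/* Bounds-checked lookup: offset of object `num`, or -1 if out of range or
 * not in use. Object 0 is reserved as the head of the free list. */
static int64_t xref_lookup_ofs(const xref_section *x, int num)
{
    if (!x || num <= 0 || num >= x->len || x->table[num].type != 'n') return -1;
    return x->table[num].ofs;
}
```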