Bug 698916 - There is an address-not-addressable bug in pdf_read_new_xref function.
Status: RESOLVED FIXED
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: 1.12
Hardware: PC Linux
Importance: P4 major
Assigned To: muPDF bugs
Reported: 2018-01-24 01:39 UTC by Young_X
Modified: 2018-02-02 11:24 UTC

Attachments
Analysis and poc (343.73 KB, application/x-rar)
2018-01-24 01:39 UTC, Young_X

Description Young_X 2018-01-24 01:39:09 UTC
Created attachment 14644
Analysis and poc

There is an address-not-addressable bug in pdf_read_new_xref function.

Call trace:
./mutool merge input1.pdf merge_crash1 out.pdf
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ignoring object with invalid object number (0 59 R)
warning: expected 'endobj' or 'stream' keyword (32 0 R)
ASAN:DEADLYSIGNAL
=================================================================
==20654==ERROR: AddressSanitizer: SEGV on unknown address 0x61f400003c60 (pc 0x0000008708ed bp 0x7ffc8c65c9e0 sp 0x7ffc8c65c5e0 T0)
    #0 0x8708ec  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8708ec)
    #1 0x86e0a8  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x86e0a8)
    #2 0x86da17  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x86da17)
    #3 0x86cfb9  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x86cfb9)
    #4 0x8679cd  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8679cd)
    #5 0x8634bb  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8634bb)
    #6 0x864a82  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x864a82)
    #7 0x53d91a  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x53d91a)
    #8 0x4eb9af  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x4eb9af)
    #9 0x7f221c05482f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x419bc8  (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x419bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/xx/fuzz/mupdf_test/build/debug/mutool+0x8708ec) 
==20654==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x000000000050c189 in pdf_read_new_xref (ctx=0x2a17010, doc=0x2a3e8d0, buf=0x2a3ea50)
    at source/pdf/pdf-xref.c:1046
1046			entry->ofs = ofs;
(gdb) p entry->ofs
Cannot access memory at address 0x1402a9a380
(gdb) bt
#0  0x000000000050c189 in pdf_read_new_xref (ctx=0x2a17010, doc=0x2a3e8d0, buf=0x2a3ea50)
    at source/pdf/pdf-xref.c:1046
#1  0x000000000050c348 in pdf_read_xref (ctx=0x2a17010, doc=0x2a3e8d0, ofs=116, buf=0x2a3ea50)
    at source/pdf/pdf-xref.c:1082
#2  0x000000000050c4ee in read_xref_section (ctx=0x2a17010, doc=0x2a3e8d0, ofs=116, 
    buf=0x2a3ea50, offsets=0x7fffffffe070) at source/pdf/pdf-xref.c:1128
#3  0x000000000050c70a in pdf_read_xref_sections (ctx=0x2a17010, doc=0x2a3e8d0, ofs=116, 
    buf=0x2a3ea50, read_previous=1) at source/pdf/pdf-xref.c:1177
#4  0x000000000050c8f3 in pdf_load_xref (ctx=0x2a17010, doc=0x2a3e8d0, buf=0x2a3ea50)
    at source/pdf/pdf-xref.c:1233
#5  0x000000000050d093 in pdf_init_document (ctx=0x2a17010, doc=0x2a3e8d0)
    at source/pdf/pdf-xref.c:1371
#6  0x000000000050f94c in pdf_open_document (ctx=0x2a17010, 
    filename=0x7fffffffe66c "merge_crash1") at source/pdf/pdf-xref.c:2285
#7  0x00000000004231e7 in pdfmerge_main (argc=4, argv=0x7fffffffe390)
    at source/tools/pdfmerge.c:155
#8  0x0000000000402c2e in main (argc=5, argv=0x7fffffffe388) at source/tools/mutool.c:127

See the attachment if you want detailed information about the vulnerability.
Comment 1 Young_X 2018-01-24 22:23:19 UTC
For this issue, CVE-2018-6192 has been assigned.
Comment 2 Sebastian Rasmussen 2018-01-29 17:39:50 UTC
This issue disappeared when the commit below was introduced. The reason for this is that the changed lexing changes how the document is parsed and execution takes a different path that no longer exhibits the issue.

====
commit fa9cd085533f68367c299e058ab3fbb7ad8a2dc6
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Fri Dec 1 16:07:23 2017 +0100

    Fix 698785: Catch malformed numbers in PDF lexical scanner.
    
    Return error tokens when parsing numbers with trailing garbage rather than
    ignoring the extra characters.
    
    Also handle error tokens more gracefully in array and dictionary parsing.
    Treat error tokens as the 'null' keyword and continue parsing.
====

I have a tentative commit 323072ca57c6510ad677ac6071090565a41b64fc awaiting review.
Comment 3 Sebastian Rasmussen 2018-02-02 11:24:41 UTC
This was fixed in

commit 5e411a99604ff6be5db9e273ee84737204113299
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 30 02:05:57 2018 +0100

    Bug 698916: Indirect object numbers must be in range.
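As an added illustration of the range check that comment 3 describes (example code written for this page, not MuPDF's own; the xref_entry/xref_section layout and the function names are hypothetical simplifications): object numbers named by an xref stream's /Index pairs are validated against the table size before any entry is written, so a malformed subsection can no longer steer the entry->ofs = ofs store outside the table, which is the kind of unaddressable write the gdb session above shows.

```c
#include <stdint.h>
#include <limits.h>
/* Hypothetical, simplified xref table (not MuPDF's structures); len is the document's /Size. */
typedef struct { int64_t ofs; int type; } xref_entry;   /* type: 0 free, 1 in file, 2 in object stream */
typedef struct { xref_entry *table; int len; } xref_section;

/* 0 if objects start..start+count-1 all lie inside the table, -1 otherwise.
   Compares against len - count so that start + count can never overflow. */
int xref_check_range(const xref_section *x, int start, int count) {
    if (start < 0 || count < 0 || count > x->len || start > x->len - count)
        return -1;
    return 0;
}
/* Validates an xref stream /Index array of (start, count) pairs. Returns the total
   number of entries declared, or -1 for an odd-length array or a pair naming an object >= /Size. */
int xref_validate_index(const xref_section *x, const int *index, int n_index) {
    int total = 0;
    if (n_index % 2 != 0)
        return -1;
    for (int i = 0; i < n_index; i += 2) {
        if (xref_check_range(x, index[i], index[i + 1]) != 0 || index[i + 1] > INT_MAX - total)
            return -1;
        total += index[i + 1];
    }
    return total;
}

/* Stores one subsection's entries only after the range check passes, so a bad object
   number cannot turn the entry->ofs = ofs store into a wild write. Returns count, or -1 with nothing written. */
int xref_fill(xref_section *x, int start, int count, const int64_t *ofs, const int *type) {
    if (xref_check_range(x, start, count) != 0)
        return -1;
    for (int i = 0; i < count; i++) {
        xref_entry *entry = &x->table[start + i];
        entry->ofs = ofs[i];
        entry->type = type[i];
    }
    return count;
}

/* Constructed data: a 16-object table, a well-formed /Index, one whose pair (12, 6) runs
   past /Size, and one whose start + count would overflow. Returns 1 when every check holds. */
int demo(void) {
    xref_entry table[16] = {{0, 0}};
    xref_section x = { table, 16 };
    const int good[] = { 0, 4, 10, 6 }, bad[] = { 0, 4, 12, 6 }, ovf[] = { INT_MAX, 2 };
    const int64_t ofs[6] = { 15, 120, 320, 640, 900, 1200 };
    const int type[6] = { 1, 1, 1, 1, 2, 2 };
    return xref_validate_index(&x, good, 4) == 10 && xref_validate_index(&x, bad, 4) == -1
        && xref_validate_index(&x, ovf, 2) == -1 && xref_fill(&x, 10, 6, ofs, type) == 6
        && xref_fill(&x, 12, 6, ofs, type) == -1 && table[15].ofs == 1200 && table[15].type == 2;
}
```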