When I tried to open two svg files with the mupdf-gl tool, the tool would crash. the detailed report can be founded at https://github.com/TeamSeri0us/pocs/tree/master/mupdf/20181203.
commit a7f7d91cdff8d303c11d458fa8b802776f73c8cc Author: Tor Andersson <tor.andersson@artifex.com> Date: Tue Jan 8 14:47:26 2019 +0100 Bug 700342: Ignore images without an xlink:href attribute.
Pasting report contents after it was both reported and fixed: 1. fish@ubuntu:~/Desktop/2018-10-10/pdf/mupdf$ ./afl/bin/mupdf-gl out-of-bound-read-poc-2.svg ASAN:DEADLYSIGNAL ================================================================= ==69945==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8c571827d9 bp 0x7ffea3fa0d50 sp 0x7ffea3fa04b0 T0) ==69945==The signal is caused by a READ memory access. ==69945==Hint: address points to the zero page. #0 0x7f8c571827d8 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5a7d8) #1 0x55b5924dece2 (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x18dce2) #2 0x55b59295ec9d (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60dc9d) #3 0x55b592961123 (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x610123) #4 0x55b5925a324e (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x25224e) #5 0x55b5927f70f9 (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x4a60f9) #6 0x55b59252ff5c (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x1def5c) #7 0x55b5924f646f (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x1a546f) #8 0x7f8c561ebb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #9 0x55b5924fe979 (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x1ad979) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5a7d8) ==69945==ABORTING fish@ubuntu:~/Desktop/2018-10-10/pdf/mupdf$ gdb -q --args ./debug/bin/mupdf-gl out-of-bound-read-poc-2.svg 198 ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory. gef➤ bt #0 __strncmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198 #1 0x00005555556882e0 in svg_run_image (ctx=0x555557f89b10, dev=0x55555802f130, doc=0x555557f89bb0, root=0x555557fd4d40, inherit_state=0x7fffffffd960) at source/svg/svg-run.c:1095 #2 0x0000555555688809 in svg_run_element (ctx=0x555557f89b10, dev=0x55555802f130, doc=0x555557f89bb0, root=0x555557fd4d40, state=0x7fffffffd960) at source/svg/svg-run.c:1166 #3 0x00005555556879d4 in svg_run_svg (ctx=0x555557f89b10, dev=0x55555802f130, doc=0x555557f89bb0, root=0x555557fd4738, inherit_state=0x7fffffffdaa0) at source/svg/svg-run.c:1004 #4 0x0000555555688ca7 in svg_run_document (ctx=0x555557f89b10, doc=0x555557f89bb0, root=0x555557fd4738, dev=0x55555802f130, ctm=...) at source/svg/svg-run.c:1265 #5 0x00005555556833c9 in svg_run_page (ctx=0x555557f89b10, page_=0x555557f2af70, dev=0x55555802f130, ctm=..., cookie=0x0) at source/svg/svg-doc.c:42 #6 0x00005555555c94be in fz_run_page_contents (ctx=0x555557f89b10, page=0x555557f2af70, dev=0x55555802f130, transform=..., cookie=0x0) at source/fitz/document.c:393 #7 0x0000555555637f7e in fz_new_stext_page_from_page (ctx=0x555557f89b10, page=0x555557f2af70, options=0x0) at source/fitz/util.c:324 #8 0x00005555555b3c8f in load_page () at platform/gl/gl-main.c:468 #9 0x00005555555b7799 in main (argc=0x2, argv=0x7fffffffde68) at platform/gl/gl-main.c:1578 char *href_att = fz_xml_att(root, "xlink:href"); if (!strncmp(href_att, jpeg_uri, strlen(jpeg_uri))) data = href_att + strlen(jpeg_uri); The value of the href_att pointer is null, which triggered the crash. More details about the svg format can be found at [here](https://www.w3.org/TR/SVG2/linking.html#XLinkRefAttrs). 2. fish@ubuntu:~/Desktop/2018-10-10/pdf/mupdf$ ./afl/bin/mupdf-gl stack-overflow-poc-1.svg ASAN:DEADLYSIGNAL ================================================================= ==70456==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcd7f05ea8 (pc 0x7f27dac74e6f bp 0x7ffcd7f06710 sp 0x7ffcd7f05e70 T0) #0 0x7f27dac74e6e (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e6e) #1 0x562cafbd1593 (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x742593) #2 0x562cafa9b26c (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60c26c) #3 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) #4 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) ...... #245 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) #246 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) #247 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) #248 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) #249 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) #250 0x562cafa9bdcc (/home/fish/Desktop/2018-10-10/pdf/mupdf/afl/bin/mupdf-gl+0x60cdcc) SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e6e) ==70456==ABORTING 193 char *fz_xml_att(fz_xml *item, const char *name) → 194 { 195 struct attribute *att; 196 if (!item) 197 return NULL; 198 for (att = item->atts; att; att = att->next) 199 if (!strcmp(att->name, name)) ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]──── [#0] Id 1, Name: "mupdf-gl", stopped, reason: SIGSEGV ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]──── [!] Cannot access memory at address 0x7fffff7fefe8 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 0x00005555556d5aa8 in fz_xml_att (item=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>, name=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>) at source/fitz/xml.c:194 194 { gef➤ p item Cannot access memory at address 0x7fffff7fefe8 gef➤ bt 10 #0 0x00005555556d5aa8 in fz_xml_att (item=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>, name=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>) at source/fitz/xml.c:194 #1 0x0000555555686fdb in svg_parse_viewbox (ctx=0x555557f89b10, doc=0x555557f89bb0, node=0x555557fd42d8, state=0x7fffff7ff110) at source/svg/svg-run.c:823 #2 0x0000555555687bd1 in svg_run_use_symbol (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, use=0x555557fd42d8, symbol=0x555557fd4238, inherit_state=0x7fffff7ff2c0) at source/svg/svg-run.c:1026 #3 0x0000555555687f0c in svg_run_use (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, inherit_state=0x7fffff7ff460) at source/svg/svg-run.c:1057 #4 0x0000555555688637 in svg_run_element (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, state=0x7fffff7ff460) at source/svg/svg-run.c:1148 #5 0x0000555555687c3b in svg_run_use_symbol (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, use=0x555557fd42d8, symbol=0x555557fd4238, inherit_state=0x7fffff7ff610) at source/svg/svg-run.c:1030 #6 0x0000555555687f0c in svg_run_use (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, inherit_state=0x7fffff7ff7b0) at source/svg/svg-run.c:1057 #7 0x0000555555688637 in svg_run_element (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, state=0x7fffff7ff7b0) at source/svg/svg-run.c:1148 #8 0x0000555555687c3b in svg_run_use_symbol (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, use=0x555557fd42d8, symbol=0x555557fd4238, inherit_state=0x7fffff7ff960) at source/svg/svg-run.c:1030 #9 0x0000555555687f0c in svg_run_use (ctx=0x555557f89b10, dev=0x55555802f140, doc=0x555557f89bb0, root=0x555557fd42d8, inherit_state=0x7fffff7ffb00) at source/svg/svg-run.c:1057 (More stack frames follow...)
Created attachment 26042 [details] Sample file #1 illustrating the reported issue.
Created attachment 26043 [details] Sample file #2 illustrating the reported issue.