Bug 707996 - During the fuzz testing of the mutool extract command using AFL++, a crash was identified. This report provides an overview of the crash, including its cause, steps to reproduce, and potential security impacts.
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: fuzzing
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Sebastian Rasmussen
Reported: 2024-08-31 07:20 UTC by sumitp7816
Modified: 2024-12-04 14:02 UTC
CC List: 3 users

Attachments
crash PoC and crash file (359.85 KB, application/x-zip-compressed)
2024-08-31 07:20 UTC, sumitp7816
Additional execution (230.67 KB, image/jpeg)
2024-09-02 04:33 UTC, sumitp7816

Description sumitp7816 2024-08-31 07:20:14 UTC
Created attachment 26007 [details]
crash PoC and crash file

Crash: Segmentation Fault

  Crash File: id:000000,sig:11,src:000000,time:12142,op:havoc,rep:32
  Signal: SIGSEGV (Segmentation Fault)
  Memory Address: 0x0000000000000000
  
Description:

The crash was triggered by a segmentation fault caused by a null pointer dereference. This issue occurred when mutool extract attempted to access memory that was not properly allocated or was unexpectedly null.

Steps to Reproduce:

./mutool extract out/slave1mutool/crashes/id:000000,sig:11,src:000000,time:12142,op:havoc,rep:32


Attachments

Input File: The specific input file that triggered the crash.
Crash Log: Detailed log and stack trace for the crash.
Crash File.
Comment 1 sumitp7816 2024-08-31 07:24:49 UTC
Attached multiple crash files in the zip.
Comment 2 sumitp7816 2024-09-02 04:28:11 UTC
Is there any update?
Comment 3 sumitp7816 2024-09-02 04:33:59 UTC
Created attachment 26010 [details]
Additional execution

root@vmi2106651:~/fuzzing/mupdf/build/release# ./mutool extract /root/mupdf/build/release/out/slave1mutool/crashes/id:000058,sig:11,src:001422,time:1428831+001122,op:splice,rep:32
format error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
syntax error: invalid key in dict
syntax error: invalid key in dict
syntax error: invalid key in dict
syntax error: invalid key in dict
source/pdf/pdf-lex.c:180:9: runtime error: signed integer overflow: 8888888888888888888 * 10 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/pdf/pdf-lex.c:180:9 in
syntax error: invalid key in dict
warning: ignoring object with invalid object number (-974942672 0 R)
warning: invalid indirect reference in dict
syntax error: invalid key in dict
syntax error: invalid key in dict
warning: cannot load object (1 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (1 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (3 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (3 0 R) into cache
syntax error: expected 'R' keyword (5 0 R)
warning: cannot load object (5 0 R) into cache
syntax error: expected 'R' keyword (5 0 R)
warning: cannot load object (5 0 R) into cache
warning: expected 'endobj' or 'stream' keyword (8 0 R)
warning: invalid indirect reference in dict
syntax error: invalid key in dict
warning: cannot load object (11 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (11 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (16 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (16 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (20 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (20 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (21 0 R) into cache
syntax error: invalid key in dict
warning: cannot load object (21 0 R) into cache
source/pdf/pdf-object.c:3067:37: runtime error: member access within misaligned address 0x00000000454d for type 'pdf_obj' (aka 'struct pdf_obj'), which requires 2 byte alignment
0x00000000454d: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/pdf/pdf-object.c:3067:37 in
include/mupdf/fitz/context.h:1004:7: runtime error: load of misaligned address 0x00000000454d for type 'int16_t' (aka 'short'), which requires 2 byte alignment
0x00000000454d: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/mupdf/fitz/context.h:1004:7 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==822916==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000454d (pc 0x0000009e9f56 bp 0x000000000018 sp 0x7ffc1b01ddc0 T0)
==822916==The signal is caused by a READ memory access.
    #0 0x9e9f56  (/root/fuzzing/mupdf/build/release/mutool+0x9e9f56)
    #1 0x554775  (/root/fuzzing/mupdf/build/release/mutool+0x554775)
    #2 0x554336  (/root/fuzzing/mupdf/build/release/mutool+0x554336)
    #3 0x4ca9c2  (/root/fuzzing/mupdf/build/release/mutool+0x4ca9c2)
    #4 0x7f6d5b75c082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x42943d  (/root/fuzzing/mupdf/build/release/mutool+0x42943d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/fuzzing/mupdf/build/release/mutool+0x9e9f56)
==822916==ABORTING
Comment 4 Sebastian Rasmussen 2024-09-02 14:02:51 UTC
(In reply to sumitp7816 from comment #2)
> is there any update ?

No, none yet. Let me try to verify the crash first.
Comment 5 Sebastian Rasmussen 2024-09-02 14:15:17 UTC
What version of mupdf was used? 1.24.9? An earlier release? Or what git commit did you use? What compiler was used, and what version?

I ran id:000000,sig:11,src:000000,time:12142,op:havoc,rep:32 successfully through "mutool extract id:000000,sig:11,src:000000,time:12142,op:havoc,rep:32" where mupdf was compiled by gcc-13 with ASAN from the current git HEAD commit 1d58f734a.
Comment 6 Sebastian Rasmussen 2024-09-02 21:05:12 UTC
Nvm, with clang-17 and compiling with ASAN in release mode I have reproduced your issue. A variable was not correctly cleared and declared fz_var.

I have a commit pending for this.
Comment 7 sumitp7816 2024-09-03 04:33:50 UTC
We are waiting for your commits.
Additionally, please find the details below.

URL for installation: https://mupdf.readthedocs.io/en/latest/quick-start-guide.html

git clone --recursive git://git.ghostscript.com/mupdf.git
and the build command for this: make -j$(nproc) HAVE_X11=no HAVE_GLUT=no

and my clang is:

afl-clang-fast++2.59d by <lszekeres@google.com>
clang version 9.0.1-12
Comment 8 Sebastian Rasmussen 2024-09-03 21:07:35 UTC
Fixed by

commit b5c898a30f068b5342e8263a2cd5b9f0be291aac
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Mon Sep 2 22:06:32 2024 +0200

    Bug 707996: Declare variable fz_var to avoid stale values.
    
    A fuzzed file provoked an ASAN warning when building release mode.
    
    For good measure, also declare a variable in an unrelated function
    in the same tool fz_var.
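The fix above rests on a C rule that MuPDF's fz_var exists to satisfy: a local variable written inside an fz_try block (which is built on setjmp/longjmp) and read again after the longjmp must be volatile, or an optimising release build may read a stale value. The following is an added illustration, not MuPDF code; toy_throw, current_handler and the frees counter are constructed stand-ins for MuPDF's exception machinery.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for MuPDF's fz_try/fz_catch, which is built on
 * setjmp/longjmp. Not MuPDF code: toy_throw, current_handler and the
 * frees counter exist only for this example. */
static jmp_buf *current_handler;
static int frees_done;

static void toy_throw(void)
{
    longjmp(*current_handler, 1);   /* unwind to the active "try" */
}

static void toy_free(void *p)
{
    if (p) {
        free(p);
        frees_done++;
    }
}

int frees_counted(void) { return frees_done; }

/* Allocates a buffer inside "try" and frees it on both the normal and the
 * error path. buf is written between setjmp and longjmp and read after the
 * longjmp, so the C standard requires it to be volatile (the job fz_var
 * does in MuPDF). Without the qualifier an optimising build may keep buf
 * in a register and the catch path then reads an indeterminate, stale value. */
int process_with_cleanup(int fail_midway)
{
    jmp_buf jb;
    char *volatile buf = NULL;      /* the fz_var(buf) equivalent */
    frees_done = 0;
    current_handler = &jb;
    if (setjmp(jb) == 0) {
        /* fz_try */
        buf = malloc(64);
        if (!buf)
            return -1;
        memset(buf, 'A', 64);
        if (fail_midway)
            toy_throw();            /* error raised after buf was assigned */
        toy_free(buf);
        return 0;                   /* normal completion */
    }
    /* fz_catch: buf still holds the allocation because it is volatile */
    toy_free(buf);
    return 1;                       /* error handled, nothing leaked */
}
```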
Comment 9 sumitp7816 2024-09-04 03:51:53 UTC
Hi team, any reward for this?
Comment 10 sumitp7816 2024-09-04 07:52:12 UTC
And can you add a CVE for this?
Comment 11 sumitp7816 2024-09-09 05:37:34 UTC
Any update on this?
Comment 12 Sebastian Rasmussen 2024-09-10 00:18:44 UTC
Our bug bounty program https://www.ghostscript.com/Bug_bounty_program.html states that we generally pay for patches for nominated bugs, not just bug reports themselves.
Comment 13 sumitp7816 2024-09-10 04:20:23 UTC
Thank you for the clarification. I wanted to highlight that the bug I reported is a valid bug and results in a crash. Given the nature of the issue, could you confirm whether this qualifies for the bounty program and if a patch submission would be required for further consideration? I look forward to your guidance.
Comment 14 sumitp7816 2024-09-10 04:20:41 UTC
Thank you for the clarification. I wanted to highlight that the bug I reported is a valid bug and results in a crash. Given the nature of the issue, could you confirm whether this qualifies for the bounty program and if a patch submission would be required for further consideration? I look forward to your guidance.
Comment 15 sumitp7816 2024-09-25 12:26:06 UTC
Any update on this?
Comment 16 Sebastian Rasmussen 2024-09-25 14:24:16 UTC
No, unfortunately it does not qualify for a bug bounty since a fix for the issue was not provided.
Comment 17 sumitp7816 2024-11-15 06:43:25 UTC
Thank you for your response. I understand that a fix is generally required to qualify for a bounty. However, I wanted to clarify that the issue has now been resolved, and I contributed to addressing it. Given this, I believe it would be appropriate to consider this submission for a bounty.
Comment 18 Robin Watts 2024-11-16 00:25:19 UTC
(In reply to sumitp7816 from comment #17)
> Thank you for your response. I understand that a fix is generally required
> to qualify for a bounty. However, I wanted to clarify that the issue has now
> been resolved, and I contributed to addressing it. Given this, I believe it
> would be appropriate to consider this submission for a bounty.

We appreciate your bug report, and are grateful for your efforts in improving our open source software.

Our bug bounty policy clearly states that we pay for fixes, not just for bug reports themselves.

Further, it is clearly stated that such payments are at our discretion.

I feel Sebastian has been sufficiently clear with you that we do not feel this bug report qualifies for a payment under these terms.

Your repeated posting on this bug has, however, passed the point of reasonable behaviour. Please desist from further postings on this bug.

Once again, we thank you for your contribution.
Comment 19 sumitp7816 2024-12-03 12:33:59 UTC
Hi Team,

I have applied for a CVE and received the CVE number CVE-2024-46657. Please complete the process from your end.

Regards,
Sumit Patel
Comment 20 Sebastian Rasmussen 2024-12-03 15:29:40 UTC
> I have applied for a CVE and received the CVE number CVE-2024-46657. Please
> complete the process from your end.

I cannot access any information about this CVE number, see https://www.cve.org/CVERecord?id=CVE-2024-46657, so I cannot even verify that it concerns MuPDF.
Comment 21 sumitp7816 2024-12-04 12:27:04 UTC
You cannot access any information about the CVE because it's not published yet.
Comment 22 Sebastian Rasmussen 2024-12-04 14:02:34 UTC
> You cannot access any information about the CVE because it's not published yet.

When do you intend to publish it?