Bug 708521 - strip_outline() in pdf-clean-file.c runs out of stack with malicious file.
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: master
Hardware: PC Linux
Importance: P2 normal
Assignee: MuPDF bugs
Reported: 2025-05-10 08:24 UTC by zhouguodong
Modified: 2025-05-23 00:24 UTC


Attachments
See the attachment for the specific POC file, vulnerability cause, reproduction process and repair suggestions. (1.04 MB, application/x-compressed)
2025-05-10 08:24 UTC, zhouguodong
Description zhouguodong 2025-05-10 08:24:20 UTC
Created attachment 26770
See the attachment for the specific POC file, vulnerability cause, reproduction process and repair suggestions.

There is a denial of service vulnerability in MuPDF 1.25.6 and earlier versions. When an attacker runs the "mutool clean poc /dev/null" command, the program will fall into an infinite recursion between the strip_outlines() and strip_outline() functions in pdf-clean-file.c until the stack is exhausted.

See the attachment for the specific POC file, vulnerability cause, reproduction process and repair suggestions.
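The report above describes strip_outlines() and strip_outline() calling each other without bound when the outline structure loops back on itself. As an added illustration (not MuPDF's code and not the fix referenced later on this page), the following C program models that mutual recursion over an in-memory outline tree and refuses to re-enter an item it has already processed, so a looping /First or /Next chain is reported instead of exhausting the stack. The outline_item struct, the walk_outline/walk_outlines names and the constructed three-item tree are assumptions of this example.

```c
#include <stddef.h>

/* Assumed in-memory stand-in for a PDF outline item (not MuPDF's pdf_obj):
 * /First points to the first child, /Next to the next sibling. */
typedef struct outline_item {
    const char *title;
    struct outline_item *first;  /* /First: first child */
    struct outline_item *next;   /* /Next: next sibling */
    int mark;                    /* set once this item has been processed */
} outline_item;

enum { WALK_OK = 0, WALK_CYCLE = -1 };
static int walk_outlines(outline_item *item, int *count);

/* Process one item and recurse into its children. Without the mark check a
 * /First pointer that leads back to an ancestor would recurse forever. */
static int walk_outline(outline_item *item, int *count)
{
    if (item->mark)
        return WALK_CYCLE;      /* already processed: the structure loops */
    item->mark = 1;
    (*count)++;
    return walk_outlines(item->first, count);
}

/* Iterate over a sibling chain; every item is checked before it is entered,
 * so a /Next pointer that loops back to an earlier sibling is caught too. */
static int walk_outlines(outline_item *item, int *count)
{
    for (; item != NULL; item = item->next)
        if (walk_outline(item, count) != WALK_OK)
            return WALK_CYCLE;
    return WALK_OK;
}

/* Build a constructed three-level outline and optionally point the
 * grandchild's /First back at the root, modelling a looping outline. */
int count_outline_items(int introduce_cycle)
{
    outline_item c = { "Section 1.1", NULL, NULL, 0 };
    outline_item b = { "Section 1", &c, NULL, 0 };
    outline_item a = { "Chapter 1", &b, NULL, 0 };
    int count = 0;

    if (introduce_cycle)
        c.first = &a;           /* constructed cycle: grandchild -> root */
    return walk_outlines(&a, &count) == WALK_OK ? count : WALK_CYCLE;
}
```

count_outline_items(0) walks the well-formed tree and returns 3; count_outline_items(1) returns WALK_CYCLE as soon as the walk re-enters the root, after three items.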
Comment 1 Sebastian Rasmussen 2025-05-10 19:20:21 UTC
I can confirm that building MuPDF 1.25.6 with ASAN causes an issue.
The problem persists until current git HEAD 0cc36afd2.
Comment 2 Sebastian Rasmussen 2025-05-10 21:42:06 UTC
I have a patch fixing this issue awaiting review.
Comment 3 Sebastian Rasmussen 2025-05-12 21:55:24 UTC
Fixed in

commit 0ec7e4d2201bb6df217e01c17396d36297abf9ac
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Sat May 10 23:26:47 2025 +0200

    Bug 708521: Avoid recursive cycle while stripping outlines.
Comment 4 Sebastian Rasmussen 2025-05-14 03:32:30 UTC
Also see bug https://bugs.ghostscript.com/show_bug.cgi?id=708541
Comment 5 zhouguodong 2025-05-21 05:14:26 UTC
Thanks for such a fast fix! Since this bug has been resolved and fixed, I’d like it to be made public so others can benefit from the fix and details. Could you please remove the group restriction or make it public?
Comment 6 Sebastian Rasmussen 2025-05-23 00:24:26 UTC
The bug report has now been made public.