Source: mupdf
Version: 1.5-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698860
Hi,

the following vulnerability was published for mupdf.

CVE-2018-5686[0]:
| In MuPDF 1.12.0, there is an infinite loop vulnerability and
| application hang in the pdf_parse_array function (pdf/pdf-parse.c)
| because EOF is not considered. Remote attackers could leverage this
| vulnerability to cause a denial of service via a crafted pdf file.

Although not directly reproducible/verifiable with the reproducer from the reporter at:

https://github.com/ProbeFuzzer/poc/raw/master/mupdf/mupdf_1-12-0_mutool_infinite-loop_pdf_parse_array.pdf

looking at the code leading to source/pdf/pdf-parse.c in the pdf_parse_array function, EOF is not considered as well, back to version 1.5 (at least).

From the upstream report:

----cut---------cut---------cut---------cut---------cut---------cut-----
On 1.12.0 (the latest version): there is an infinite loop and application hang in the pdf_parse_array function (source/pdf/pdf-parse.c), which could be triggered by the POC with command:

mutool draw $POC

Looking into the pdf_parse_array function (source/pdf/pdf-parse.c), we found that the "while(1)" loop terminates only when the program encounters a PDF_TOK_CLOSE_ARRAY token. However, the tokens could be manipulated by a crafted pdf file, and an infinite loop happens when PDF_TOK_CLOSE_ARRAY does not appear.

Recommended fix: the program should terminate when the "EOF" token is encountered. Therefore, we recommend adding the following statements around line 404.

case PDF_TOK_EOF:
	goto end;

The code segment is:

361 pdf_parse_array(fz_context *ctx, pdf_document *doc, fz_stream *file, pdf_lexbuf *buf)
362 {
...
373 	fz_try(ctx)
374 	{
375 		while (1)
376 		{
377 			tok = pdf_lex(ctx, file, buf);
...
402 			switch (tok)
403 			{
404 			case PDF_TOK_CLOSE_ARRAY:
405 				op = ary;
406 				goto end;
...
462 			}
463 		}
464 	end:
465 		{}
466 	}
...
472 	return op;
473 }

POC: https://github.com/ProbeFuzzer/poc/blob/master/mupdf/mupdf_1-12-0_mutool_infinite-loop_pdf_parse_array.pdf

backtrace:

#0  0x00007ffff66dd9d6 in __memmove_ssse3 () from /lib64/libc.so.6
#1  0x00007ffff6e97c58 in Reallocate (stack=0x7fffffffc3b0, new_size=140733826750448, old_ptr=0x7fff25c05800) at ../../../../src/libsanitizer/asan/asan_allocator2.cc:485
#2  __asan::asan_realloc (p=p@entry=0x7fff25c05800, size=size@entry=2451898200, stack=stack@entry=0x7fffffffc3b0) at ../../../../src/libsanitizer/asan/asan_allocator2.cc:615
#3  0x00007ffff6f08408 in __interceptor_realloc (ptr=0x7fff25c05800, size=2451898200) at ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:83
#4  0x00000000006ae500 in do_scavenging_realloc (size=2451898200, p=0x7fff25c05800, ctx=0x60e00000df60) at source/fitz/memory.c:42
#5  fz_resize_array (ctx=ctx@entry=0x60e00000df60, p=0x7fff25c05800, count=count@entry=306487275, size=size@entry=8) at source/fitz/memory.c:171
#6  0x00000000008c2cee in pdf_array_grow (obj=0x60400000d790, ctx=0x60e00000df60) at source/pdf/pdf-object.c:573
#7  pdf_array_push (ctx=0x60e00000df60, obj=0x60400000d790, item=<optimized out>) at source/pdf/pdf-object.c:722
#8  0x00000000008c3734 in pdf_array_push_drop (ctx=ctx@entry=0x60e00000df60, obj=obj@entry=0x60400000d790, item=0x1a6) at source/pdf/pdf-object.c:734
#9  0x00000000008f2040 in pdf_parse_array (ctx=ctx@entry=0x60e00000df60, doc=doc@entry=0x631000014800, file=file@entry=0x60800000bf20, buf=buf@entry=0x631000014980) at source/pdf/pdf-parse.c:460
#10 0x00000000008f1699 in pdf_parse_dict (ctx=ctx@entry=0x60e00000df60, doc=doc@entry=0x631000014800, file=file@entry=0x60800000bf20, buf=buf@entry=0x631000014980) at source/pdf/pdf-parse.c:512
#11 0x00000000008f3057 in pdf_parse_ind_obj (ctx=ctx@entry=0x60e00000df60, doc=doc@entry=0x631000014800, file=<optimized out>, buf=buf@entry=0x631000014980, onum=onum@entry=0x7fffffffd170, ogen=ogen@entry=0x7fffffffd1b0, ostmofs=0x61300000d6c0, try_repair=0x7fffffffd1f0) at source/pdf/pdf-parse.c:650
#12 0x0000000000967db0 in pdf_cache_object (ctx=ctx@entry=0x60e00000df60, doc=doc@entry=0x631000014800, num=num@entry=6) at source/pdf/pdf-xref.c:1929
#13 0x000000000096e322 in pdf_resolve_indirect (ctx=0x60e00000df60, ref=<optimized out>) at source/pdf/pdf-xref.c:2025
#14 0x000000000096e455 in pdf_resolve_indirect_chain (ctx=0x60e00000df60, ref=0x60300000e920) at source/pdf/pdf-xref.c:2051
#15 0x00000000008be80d in pdf_mark_obj (ctx=ctx@entry=0x60e00000df60, obj=obj@entry=0x60300000e920) at source/pdf/pdf-object.c:1610
#16 0x00000000008dceef in pdf_resources_use_overprint (ctx=ctx@entry=0x60e00000df60, rdb=rdb@entry=0x60300000e920) at source/pdf/pdf-page.c:527
#17 0x00000000008e6995 in pdf_load_page (ctx=<optimized out>, doc=<optimized out>, number=<optimized out>) at source/pdf/pdf-page.c:1109
#18 0x000000000043731a in drawpage (ctx=ctx@entry=0x60e00000df60, doc=doc@entry=0x631000014800, pagenum=pagenum@entry=1) at source/tools/mudraw.c:1044
#19 0x0000000000439167 in drawrange (ctx=ctx@entry=0x60e00000df60, doc=<optimized out>, range=<optimized out>, range@entry=0x154da20 "1-N") at source/tools/mudraw.c:1196
#20 0x000000000043d091 in mudraw_main (argc=<optimized out>, argv=<optimized out>) at source/tools/mudraw.c:1919
#21 0x0000000000423d0f in main (argc=<optimized out>, argv=<optimized out>) at source/tools/mutool.c:127
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5686
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5686
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698860
[2] https://github.com/ProbeFuzzer/poc/raw/master/mupdf/mupdf_1-12-0_mutool_infinite-loop_pdf_parse_array.pdf

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
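Added example (editor's illustration, not MuPDF code and not part of the bug report above): a minimal array tokenizer and parser with the same loop shape the upstream report describes, a `while (1)` that exits only on a close-array token, next to the recommended fix of also leaving the loop on the EOF token. The token names (`TOK_*`), the `lexer` struct and the `parse_array`/`parse_array_string` helpers are constructed for this example and do not correspond to MuPDF's `pdf_lex`/`pdf_parse_array` API. A step budget is added only so the vulnerable variant returns instead of hanging the demo; the real loop has no such budget, which is exactly why a truncated input hangs it.

```c
/* Constructed demo of an unterminated-array parse loop and its EOF fix.
 * Everything here is hypothetical example code, not MuPDF source. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum tok { TOK_EOF, TOK_OPEN_ARRAY, TOK_CLOSE_ARRAY, TOK_INT, TOK_ERROR };

struct lexer { const char *p; const char *end; };

/* Return the next token.  Once the input is exhausted the lexer returns
 * TOK_EOF on every call, which is what makes an EOF-unaware loop spin. */
static enum tok lex(struct lexer *lx)
{
    while (lx->p < lx->end && isspace((unsigned char)*lx->p))
        lx->p++;
    if (lx->p >= lx->end)
        return TOK_EOF;
    if (*lx->p == '[') { lx->p++; return TOK_OPEN_ARRAY; }
    if (*lx->p == ']') { lx->p++; return TOK_CLOSE_ARRAY; }
    if (isdigit((unsigned char)*lx->p)) {
        while (lx->p < lx->end && isdigit((unsigned char)*lx->p))
            lx->p++;
        return TOK_INT;
    }
    lx->p++;                       /* unknown byte: skip it as an error token */
    return TOK_ERROR;
}

/* Parse the body of an array after '[' has been consumed.
 * handle_eof == 0 mirrors the reported loop: only ']' ends it, so a
 * truncated array keeps calling lex(), which keeps answering TOK_EOF.
 * handle_eof != 0 applies the recommended fix (leave the loop on EOF).
 * max_steps is a demo-only guard so the vulnerable variant returns.
 * Returns the item count, -1 for an unterminated array (fixed variant),
 * or -2 when the demo budget was exhausted (vulnerable variant). */
static int parse_array(struct lexer *lx, int handle_eof, int max_steps, int *steps_used)
{
    int count = 0;
    int steps = 0;
    while (1) {
        enum tok tok;
        if (steps++ >= max_steps) {
            *steps_used = steps;
            return -2;             /* the real loop would never get here: it spins */
        }
        tok = lex(lx);
        switch (tok) {
        case TOK_CLOSE_ARRAY:
            *steps_used = steps;
            return count;
        case TOK_EOF:
            if (handle_eof) {      /* the fix: treat EOF as the end of the array */
                *steps_used = steps;
                return -1;
            }
            break;                 /* vulnerable: EOF ignored, loop again */
        case TOK_INT:
            count++;               /* the real parser pushes an object here */
            break;
        default:
            break;
        }
    }
}

/* Parse a whole "[ ... ]" string; -3 if it does not start with '['. */
static int parse_array_string(const char *s, int handle_eof, int max_steps, int *steps_used)
{
    struct lexer lx = { s, s + strlen(s) };
    if (lex(&lx) != TOK_OPEN_ARRAY)
        return -3;
    return parse_array(&lx, handle_eof, max_steps, steps_used);
}

int main(void)
{
    int steps, r;
    /* Constructed inputs: one well-formed array and one cut off before ']'. */
    r = parse_array_string("[ 1 2 3 ]", 1, 1000, &steps);
    printf("well-formed, fixed:     %d items after %d tokens\n", r, steps);
    r = parse_array_string("[ 1 2 3", 0, 1000, &steps);
    printf("truncated, vulnerable:  result %d, demo budget of 1000 steps exhausted\n", r);
    r = parse_array_string("[ 1 2 3", 1, 1000, &steps);
    printf("truncated, fixed:       result %d after %d tokens (EOF ends the loop)\n", r, steps);
    return 0;
}
```

The point to check in a backport is only the `switch` on the token: a terminating `case` for the EOF token is sufficient, because the lexer already reports EOF repeatedly and no further input can arrive. Without it, the loop's behaviour on a truncated file depends entirely on what the other cases do with an EOF token, which in the reported trace was to keep growing the array.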