Package: mupdf-tools
Version: 1.9a+ds1-4
Tags: security

"mutool clean -l" crashes on this PDF file:

  $ mutool clean -l overflow.pdf
  warning: broken xref section, proceeding anyway.
  error: expected 'obj' keyword (0 18 ?)
  *** Error in `mutool': munmap_chunk(): invalid pointer: 0x59370130 ***
  ======= Backtrace: =========
  /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf72b937a]
  /lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf72bffb7]
  /lib/i386-linux-gnu/libc.so.6(+0x6e6b1)[0xf72c06b1]
  mutool(+0x35ee8)[0x56625ee8]
  mutool(+0x362a2)[0x566262a2]
  mutool(+0x8c052)[0x5667c052]
  mutool(+0xa3ae4)[0x56693ae4]
  mutool(+0x24b4a)[0x56614b4a]
  mutool(main+0x2b5)[0x566044f5]
  /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf726a276]
  mutool(+0x1453a)[0x5660453a]
  [...]
  Aborted

Valgrind says it's a heap-based buffer overflow:

  Invalid write of size 4
     at 0x1937D9: compactxref (pdf-write.c:753)
     by 0x1937D9: pdf_save_document (pdf-write.c:2796)
     by 0x1ABAE3: pdf_clean_file (pdf-clean-file.c:354)
     by 0x12CB49: pdfclean_main (pdfclean.c:84)
     by 0x11C4F4: main (mutool.c:104)
   Address 0x4f29cb8 is 0 bytes after a block of size 56 alloc'd
     at 0x482E27C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x13DF37: fz_malloc_default (memory.c:213)
     by 0x13DFA8: do_scavenging_malloc (memory.c:17)
     by 0x13E088: fz_malloc_array (memory.c:80)
     by 0x193449: initialise_write_state (pdf-write.c:2683)
     by 0x193449: pdf_save_document (pdf-write.c:2774)
     by 0x1ABAE3: pdf_clean_file (pdf-clean-file.c:354)
     by 0x12CB49: pdfclean_main (pdfclean.c:84)
     by 0x11C4F4: main (mutool.c:104)

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages mupdf-tools depends on:
ii  libc6            2.24-12
ii  libfreetype6     2.8-0.2
ii  libharfbuzz0b    1.4.2-1
ii  libjbig2dec0     0.13-4.1
ii  libjpeg62-turbo  1:1.5.1-2
ii  libopenjp2-7     2.1.2-1.1
ii  zlib1g           1:1.2.8.dfsg-5

--
Jakub Wilk
