Package: mupdf-tools
Version: 1.9a+ds1-4
Tags: security

"mutool clean -l" crashes on this PDF file:

   $ mutool clean -l overflow.pdf
   warning: broken xref section, proceeding anyway.
   error: expected 'obj' keyword (0 18 ?)
   *** Error in `mutool': munmap_chunk(): invalid pointer: 0x59370130 ***
   ======= Backtrace: =========
   /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf72b937a]
   /lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf72bffb7]
   /lib/i386-linux-gnu/libc.so.6(+0x6e6b1)[0xf72c06b1]
   mutool(+0x35ee8)[0x56625ee8]
   mutool(+0x362a2)[0x566262a2]
   mutool(+0x8c052)[0x5667c052]
   mutool(+0xa3ae4)[0x56693ae4]
   mutool(+0x24b4a)[0x56614b4a]
   mutool(main+0x2b5)[0x566044f5]
   /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf726a276]
   mutool(+0x1453a)[0x5660453a]
   [...]
   Aborted

Valgrind says it's a heap-based buffer overflow:

   Invalid write of size 4
      at 0x1937D9: compactxref (pdf-write.c:753)
      by 0x1937D9: pdf_save_document (pdf-write.c:2796)
      by 0x1ABAE3: pdf_clean_file (pdf-clean-file.c:354)
      by 0x12CB49: pdfclean_main (pdfclean.c:84)
      by 0x11C4F4: main (mutool.c:104)
    Address 0x4f29cb8 is 0 bytes after a block of size 56 alloc'd
      at 0x482E27C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      by 0x13DF37: fz_malloc_default (memory.c:213)
      by 0x13DFA8: do_scavenging_malloc (memory.c:17)
      by 0x13E088: fz_malloc_array (memory.c:80)
      by 0x193449: initialise_write_state (pdf-write.c:2683)
      by 0x193449: pdf_save_document (pdf-write.c:2774)
      by 0x1ABAE3: pdf_clean_file (pdf-clean-file.c:354)
      by 0x12CB49: pdfclean_main (pdfclean.c:84)
      by 0x11C4F4: main (mutool.c:104)

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages mupdf-tools depends on:
ii  libc6            2.24-12
ii  libfreetype6     2.8-0.2
ii  libharfbuzz0b    1.4.2-1
ii  libjbig2dec0     0.13-4.1
ii  libjpeg62-turbo  1:1.5.1-2
ii  libopenjp2-7     2.1.2-1.1
ii  zlib1g           1:1.2.8.dfsg-5

-- 
Jakub Wilk