mupdf: mujstest: strcpy-param-overlap in main (jstest_main.c)

Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.

A fuzzing revealed a strcpy-param-overlap.

The complete ASan output:

# mujstest $FILE
==26843==ERROR: AddressSanitizer: strcpy-param-overlap: memory ranges [0x0000013c5d40,0x0000013c62ed) and [0x0000013c6285, 0x0000013c6832) overlap
    #0 0x473129 in __interceptor_strcpy /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/
    #1 0x4f7910 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:353:6
    #2 0x7f8af37a961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8)

0x0000013c6140 is located 0 bytes to the right of global variable 'filename' defined in 'platform/x11/jstest_main.c:15:13' (0x13c5d40) of size 1024
0x0000013c6285 is located 5 bytes inside of global variable 'getline_buffer' defined in 'platform/x11/jstest_main.c:24:13' (0x13c6280) of size 4096
SUMMARY: AddressSanitizer: strcpy-param-overlap /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/ in __interceptor_strcpy

Affected version:

Fixed version:
1.10 (not yet released)

Commit fix:;h=cfe8f35bca61056363368c343be36812abde0a06

This bug was discovered by Agostino Sarubbo of Gentoo.


2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-09-22: upstream released a patch
2016-09-25: blog post about the issue

This bug was found with American Fuzzy Lop.


mupdf: mujstest: strcpy-param-overlap in main (jstest_main.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.