Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.
A fuzzing through mutool revealed a use-after-free. It seems that a fix for the recent heap overflow in fz_subsample_pixmap fixes this issue too.
The complete ASan output:
# mutool draw $FILE ==17100==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000abb6 at pc 0x7fba6a8cee53 bp 0x7ffedf859700 sp 0x7ffedf8596f8 READ of size 1 at 0x60c00000abb6 thread T0 #0 0x7fba6a8cee52 in fz_subsample_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 #1 0x7fba6a8d4dfa in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:686:3 #2 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11 #3 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3 #4 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6 #5 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4 #6 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6 #7 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3 #8 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5 #9 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7 #10 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12 #11 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #12 0x41e1a8 in _init (/usr/bin/mutool+0x41e1a8) 0x60c00000abb6 is located 1 bytes to the right of 117-byte region [0x60c00000ab40,0x60c00000abb5) freed by thread T0 here: #0 0x4d6c10 in free /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47 #1 0x7fba6a810878 in fz_free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:187:2 #2 0x7fba6a8d0a0c in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:330:3 #3 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10 #4 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9 #5 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11 #6 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3 #7 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6 #8 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4 #9 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6 #10 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3 #11 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5 #12 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7 #13 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12 #14 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 previously allocated by thread T0 here: #0 0x4d6f68 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64 #1 0x7fba6a80c08f in do_scavenging_malloc /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:17:7 #2 0x7fba6a80c08f in fz_malloc_array /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:80 #3 0x7fba6a8cfd40 in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:268:13 #4 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10 #5 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9 #6 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11 #7 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3 #8 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6 #9 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4 #10 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6 #11 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3 #12 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5 #13 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7 #14 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12 #15 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 in fz_subsample_pixmap Shadow bytes around the buggy address: 0x0c187fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fff9560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c187fff9570: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa 0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa 0x0c187fff9590: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c187fff95a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c187fff95b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c187fff95c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==17100==ABORTING
Affected version:
1.10a
Fixed version:
1.11 (that will be released in march)
Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-7264
Reproducer:
https://github.com/asarubbo/poc/blob/master/00149-mupdf-UAF-fz_subsample_pixmap
Timeline:
2017-02-06: bug discovered and reported to upstream
2017-02-09: upstream released a patch
2017-02-09: blog post about the issue
2017-03-26: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink: