mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)

Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.

A fuzzing through mutool revealed a use-after-free. It seems that a fix for the recent heap overflow in fz_subsample_pixmap fixes this issue too.

The complete ASan output:

 # mutool draw $FILE
==17100==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000abb6 at pc 0x7fba6a8cee53 bp 0x7ffedf859700 sp 0x7ffedf8596f8                                                                                                                                       
READ of size 1 at 0x60c00000abb6 thread T0                                                                                                                                                                                                                                     
    #0 0x7fba6a8cee52 in fz_subsample_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12                                                                                                                                            
    #1 0x7fba6a8d4dfa in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:686:3                                                                                                                                          
    #2 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11                                                                                                                                        
    #3 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3                                                                                                                                                    
    #4 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6                                                                                                                                        
    #5 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4                                                                                                                                                              
    #6 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6                                                                                                                                                            
    #7 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3                                                                                                                                                             
    #8 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5                                                                                                                                                            
    #9 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7                                                                                                                                                          
    #10 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12                                                                                                                                                                
    #11 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                    
    #12 0x41e1a8 in _init (/usr/bin/mutool+0x41e1a8)                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                               
0x60c00000abb6 is located 1 bytes to the right of 117-byte region [0x60c00000ab40,0x60c00000abb5)                                                                                                                                                                              
freed by thread T0 here:                                                                                                                                                                                                                                                       
    #0 0x4d6c10 in free /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47                                                                                                                                         
    #1 0x7fba6a810878 in fz_free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:187:2                                                                                                                                                          
    #2 0x7fba6a8d0a0c in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:330:3                                                                                                                                       
    #3 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
    #4 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
    #5 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
    #6 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
    #7 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
    #8 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
    #9 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
    #10 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
    #11 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
    #12 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
    #13 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12
    #14 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d6f68 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fba6a80c08f in do_scavenging_malloc /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:17:7
    #2 0x7fba6a80c08f in fz_malloc_array /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:80
    #3 0x7fba6a8cfd40 in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:268:13
    #4 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
    #5 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
    #6 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
    #7 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
    #8 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
    #9 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
    #10 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
    #11 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
    #12 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
    #13 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
    #14 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12
    #15 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 in fz_subsample_pixmap
Shadow bytes around the buggy address:
  0x0c187fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff9570: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
  0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
  0x0c187fff9590: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff95a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff95b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff95c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17100==ABORTING

Affected version:
1.10a

Fixed version:
1.11 (that will be released in march)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7264

Reproducer:
https://github.com/asarubbo/poc/blob/master/00149-mupdf-UAF-fz_subsample_pixmap

Timeline:
2017-02-06: bug discovered and reported to upstream
2017-02-09: upstream released a patch
2017-02-09: blog post about the issue
2017-03-26: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *