{"id":1290,"date":"2017-02-17T17:46:16","date_gmt":"2017-02-17T15:46:16","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1290"},"modified":"2017-04-29T15:40:04","modified_gmt":"2017-04-29T13:40:04","slug":"mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/17\/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c\/","title":{"rendered":"mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\nMujstest, which is part of <a href=\"http:\/\/mupdf.com\/\">mupdf<\/a> is a scriptable tester for mupdf + js.<\/p>\n<p>A crafted image posted early for another issue, causes a stack overflow.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># mujstest $FILE\r\n==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0\r\nWRITE of size 1453 at 0x7fff29560b00 thread T0\r\n    #0 0x47cbf2 in __interceptor_strcpy \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:548\r\n    #1 0x50e903 in main \/tmp\/portage\/app-text\/mupdf-1.10a\/work\/mupdf-1.10a-source\/platform\/x11\/jstest_main.c:358:7\r\n    #2 0x7f68df3c578f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #3 0x41bc18 in _init (\/usr\/bin\/mujstest+0x41bc18)\r\n\r\nAddress 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in frame\r\n    #0 0x50c45f in main \/tmp\/portage\/app-text\/mupdf-1.10a\/work\/mupdf-1.10a-source\/platform\/x11\/jstest_main.c:293\r\n\r\n  This frame has 7 object(s):\r\n    [32, 1056) 'path'\r\n    [1184, 2208) 'text' &lt;== Memory access at offset 1056 partially underflows this variable\r\n    [2336, 2340) &#039;w&#039; &lt;== Memory access at offset 1056 partially underflows this variable\r\n    [2352, 2356) &#039;h&#039; &lt;== Memory access at offset 1056 partially underflows this variable\r\n    [2368, 2372) &#039;x&#039; &lt;== Memory access at offset 1056 partially underflows this variable\r\n    [2384, 2388) &#039;y&#039; &lt;== Memory access at offset 1056 partially underflows this variable\r\n    [2400, 2404) &#039;b&#039; 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2\r\n  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==32127==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.10a<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"http:\/\/git.ghostscript.com\/?p=user\/sebras\/mupdf.git;a=blobdiff;f=platform\/x11\/jstest_main.c;h=f158d9628ed0c0a84e37fe128277679e8334422a;hp=13c3a0a3ba3ff4aae29f6882d23740833c1d842f;hb=06a012a42c9884e3cd653e7826cff1ddec04eb6e;hpb=34e18d127a02146e3415b33c4b67389ce1ddb614\">http:\/\/git.ghostscript.com\/?p=user\/sebras\/mupdf.git;a=blobdiff;f=platform\/x11\/jstest_main.c;h=f158d9628ed0c0a84e37fe128277679e8334422a;hp=13c3a0a3ba3ff4aae29f6882d23740833c1d842f;hb=06a012a42c9884e3cd653e7826cff1ddec04eb6e;hpb=34e18d127a02146e3415b33c4b67389ce1ddb614<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-6060<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00147-mupdf-mujstest-stackoverflow-main\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00147-mupdf-mujstest-stackoverflow-main<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-02-05: bug discovered and reported to upstream<br \/>\n2017-02-17: blog post about the issue<br \/>\n2017-02-17: CVE assigned via cveform.mitre.org<br \/>\n2017-04-11: upstream released a patch<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"https:\/\/github.com\/google\/sanitizers\/tree\/master\/address-sanitizer\">Address Sanitizer<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"zhjugCCo2j\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/02\/17\/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c\/\">mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/02\/17\/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c\/embed\/#?secret=zhjugCCo2j\" data-secret=\"zhjugCCo2j\" width=\"600\" height=\"338\" title=\"&#8220;mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Mujstest, which is part of mupdf is a scriptable tester for mupdf + js. A crafted image posted early for another issue, causes a stack overflow. The complete ASan output: # mujstest $FILE ==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/17\/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-kO","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1290"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1290"}],"version-history":[{"count":6,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1290\/revisions"}],"predecessor-version":[{"id":1687,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1290\/revisions\/1687"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}