Artifex MuPDF - Null Pointer Dereference

EDB-ID: 42138
Author: Kamil Frankowicz
Published: 2017-06-07
CVE: CVE-2017-5991
Type: Dos
Platform: Linux
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

  
POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
#0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
#1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
#2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
#3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
#4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
#5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
#6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
#7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
#8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
#9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
#10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
#11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
#12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
#13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
#14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
#15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
#16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
#17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
#18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
#19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
#20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42138.zip

Related Posts