Artifex MuPDF - Null Pointer Dereference

EDB-ID: 42138
Author: Kamil Frankowicz
Published: 2017-06-07
CVE: CVE-2017-5991
Type: DoS
Platform: Linux
Aliases: N/A
Tags: N/A
Vulnerable App: N/A

POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN report. The fault is a READ at address 0x20, inside the zero page, so one of the pixmap pointers handed to fz_paint_pixmap_with_mask (draw-paint.c:1948) is NULL and is being dereferenced at a small field offset. The trace shows how it is reached: a shading drawn by the sh operator has a softmask, the softmask's form XObject is run (begin_softmask -> pdf_run_xobject), and a grestore inside it pops a clip, at which point the draw device tries to paint the clipped content through the mask:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
#0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
#1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
#2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
#3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
#4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
#5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
#6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
#7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
#8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
#9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
#10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
#11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
#12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
#13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
#14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
#15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
#16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
#17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
#18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
#19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
#20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING
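The following triage helper is an added example and is not code from the Exploit-DB entry or from MuPDF. It parses an AddressSanitizer SEGV report such as the one above, classifies a fault in the zero page as a NULL dereference, and extracts the innermost frame with source information so that a fuzzing run can bucket crashes by (function, file, line) rather than by raw PC. SAMPLE_REPORT is the report from this advisory copied verbatim; the 4 KiB zero-page threshold and the list of sanitizer-runtime frame prefixes are assumptions.

```python
"""Triage helper for ASAN SEGV reports (added example, not MuPDF code)."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZERO_PAGE_LIMIT = 0x1000  # assumption: first 4 KiB page is never mapped (x86-64 Linux)

SEGV_RE = re.compile(r"ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+ in (\S+)\s*(.*)$")
LOCATION_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")  # file:line[:col]
# Assumed prefixes of sanitizer-runtime frames; they are not the target's code.
RUNTIME_PREFIXES = ("__asan", "__interceptor_", "__sanitizer")


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]  # None when only module+offset was resolved
    line: Optional[int]


@dataclass
class AsanSegv:
    fault_addr: int
    access: Optional[str]  # "READ", "WRITE", or None if the hint line is missing
    frames: List[Frame]

    @property
    def is_null_deref(self) -> bool:
        # A fault inside the zero page is NULL plus a small field offset,
        # not a wild or dangling pointer.
        return self.fault_addr < ZERO_PAGE_LIMIT

    def crash_frame(self) -> Optional[Frame]:
        """Innermost non-runtime frame that has file:line, else the top frame."""
        for f in self.frames:
            if f.file is not None and not f.function.startswith(RUNTIME_PREFIXES):
                return f
        return self.frames[0] if self.frames else None

    def bucket_key(self) -> Tuple[str, str, int]:
        f = self.crash_frame()
        if f is None:
            return ("?", "?", 0)
        return (f.function, os.path.basename(f.file or "?"), f.line or 0)


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    loc = LOCATION_RE.match(m.group(3).strip())
    if loc:
        return Frame(int(m.group(1)), m.group(2), loc.group(1), int(loc.group(2)))
    return Frame(int(m.group(1)), m.group(2), None, None)


def parse_asan_segv(report: str) -> Optional[AsanSegv]:
    """Parse an ASAN report; return None if it is not a SEGV report."""
    m = SEGV_RE.search(report)
    if not m:
        return None
    access = ACCESS_RE.search(report)
    frames = [f for f in map(parse_frame, report.splitlines()) if f is not None]
    return AsanSegv(int(m.group(1), 16), access.group(1) if access else None, frames)


# The report from this advisory, used as sample input.
SAMPLE_REPORT = """\
==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
#0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
#1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
#2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
#3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
#4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
#5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
#6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
#7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
#8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
#9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
#10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
#11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
#12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
#13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
#14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
#15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
#16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
#17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
#18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
#19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
#20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
"""

if __name__ == "__main__":
    r = parse_asan_segv(SAMPLE_REPORT)
    print("null deref:", r.is_null_deref, "access:", r.access, "bucket:", r.bucket_key())
```

In a fuzzing harness the stderr of the mutool run under ASAN is fed to parse_asan_segv and crashes are deduplicated on bucket_key(); the zero-page check separates NULL dereferences like this one, which are plain denial of service, from faults at high or freed addresses that deserve a closer look.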


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42138.zip
