oss-sec mailing list archives
mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Fri, 10 Feb 2017 09:37:08 +0100
Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.
A fuzzing through mutool revealed a use-after-free. It seems that a fix for
the recent heap overflow in fz_subsample_pixmap fixes this issue too.
The complete ASan output:
# mutool draw $FILE
==17100==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c00000abb6 at pc 0x7fba6a8cee53 bp 0x7ffedf859700 sp 0x7ffedf8596f8
READ of size 1 at 0x60c00000abb6 thread T0
#0 0x7fba6a8cee52 in fz_subsample_pixmap /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12
#1 0x7fba6a8d4dfa in fz_get_pixmap_from_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:686:3
#2 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
#3 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
#4 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
#5 0x51d503 in drawband /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
#6 0x51b026 in dodrawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
#7 0x51edba in drawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
#8 0x51825b in drawrange /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
#9 0x514aa1 in mudraw_main /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
#10 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/source/tools/mutool.c:110:12
#11 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#12 0x41e1a8 in _init (/usr/bin/mutool+0x41e1a8)
0x60c00000abb6 is located 1 bytes to the right of 117-byte region
[0x60c00000ab40,0x60c00000abb5)
freed by thread T0 here:
#0 0x4d6c10 in free /tmp/portage/sys-devel/llvm-3.9.1-
r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
#1 0x7fba6a810878 in fz_free /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:187:2
#2 0x7fba6a8d0a0c in fz_decomp_image_from_stream /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:330:3
#3 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
#4 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
#5 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
#6 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
#7 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
#8 0x51d503 in drawband /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
#9 0x51b026 in dodrawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
#10 0x51edba in drawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
#11 0x51825b in drawrange /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
#12 0x514aa1 in mudraw_main /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
#13 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/source/tools/mutool.c:110:12
#14 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
previously allocated by thread T0 here:
#0 0x4d6f68 in malloc /tmp/portage/sys-devel/llvm-3.9.1-
r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
#1 0x7fba6a80c08f in do_scavenging_malloc /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:17:7
#2 0x7fba6a80c08f in fz_malloc_array /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:80
#3 0x7fba6a8cfd40 in fz_decomp_image_from_stream /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:268:13
#4 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
#5 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
#6 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
#7 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
#8 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
#9 0x51d503 in drawband /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
#10 0x51b026 in dodrawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
#11 0x51edba in drawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
#12 0x51825b in drawrange /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
#13 0x514aa1 in mudraw_main /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
#14 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/source/tools/mutool.c:110:12
#15 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 in
fz_subsample_pixmap
Shadow bytes around the buggy address:
0x0c187fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff9570: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
0x0c187fff9590: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff95a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff95b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c187fff95c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17100==ABORTING
Affected version:
1.10a
Fixed version:
1.11 (that will be released in march)
Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Reproducer:
https://github.com/asarubbo/poc/blob/master/00149-mupdf-UAF-fz_subsample_pixmap
Timeline:
2017-02-06: bug discovered and reported to upstream
2017-02-09: upstream released a patch
2017-02-09: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c
--
Agostino Sarubbo
Gentoo Linux Developer
Current thread:
- mupdf: use-after-free in fz_subsample_pixmap (pixmap.c) Agostino Sarubbo (Feb 10)
- Re: mupdf: use-after-free in fz_subsample_pixmap (pixmap.c) Agostino Sarubbo (Mar 26)