Artifex MuPDF - Null Pointer Dereference

EDB-ID: 42138
Platform: Linux
Date: 2017-06-07


Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500

POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING
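For triaging fuzzer crashes like the one above, the following is an added Python example (not part of the original bug report or of MuPDF) that parses the ASAN output into structured fields and applies the usual zero-page heuristic to label the fault as a null-pointer dereference. The embedded sample is copied from the trace above, trimmed to its first three frames.

```python
import re

# Sample ASAN report: the first lines of the trace above, trimmed to three frames.
ASAN_REPORT = """==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Frame lines look like "#0 0x849632 in func path/file.c:LINE[:COL]"; the column is optional.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")


def parse_asan(report):
    """Extract crash kind, faulting address, access type and symbolized frames."""
    result = {"kind": None, "address": None, "access": None, "frames": []}
    for line in report.splitlines():
        m = ERROR_RE.match(line)
        if m:
            result["kind"] = m.group(1)
            result["address"] = int(m.group(2), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            result["access"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            result["frames"].append({"depth": int(m.group(1)), "func": m.group(2),
                                     "file": m.group(3), "line": int(m.group(4))})
    return result


def classify(parsed, page_size=4096):
    """A SEGV inside the first page means a NULL pointer plus a small field offset was dereferenced."""
    addr = parsed["address"]
    if parsed["kind"] == "SEGV" and addr is not None and addr < page_size:
        return "null-pointer-dereference"
    return parsed["kind"] or "unknown"


def summary(parsed):
    """One-line triage string: kind, access, offset from NULL and the innermost frame."""
    top = parsed["frames"][0] if parsed["frames"] else {"func": "?", "file": "?", "line": 0}
    return "%s %s at offset 0x%x in %s (%s:%d)" % (classify(parsed), parsed["access"],
                                                   parsed["address"], top["func"], top["file"], top["line"])
```

Running `summary(parse_asan(ASAN_REPORT))` yields the triage line for this report, with the 0x20 offset pointing at the struct field read through the NULL pointer.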


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42138.zip