[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Feb 2017 09:37:08 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)
Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.
A fuzzing through mutool revealed a use-after-free. It seems that a fix for
the recent heap overflow in fz_subsample_pixmap fixes this issue too.
The complete ASan output:
# mutool draw $FILE
==17100==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c00000abb6 at pc 0x7fba6a8cee53 bp 0x7ffedf859700 sp 0x7ffedf8596f8
READ of size 1 at 0x60c00000abb6 thread T0
#0 0x7fba6a8cee52 in fz_subsample_pixmap /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12
#1 0x7fba6a8d4dfa in fz_get_pixmap_from_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:686:3
#2 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
#3 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
#4 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
#5 0x51d503 in drawband /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
#6 0x51b026 in dodrawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
#7 0x51edba in drawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
#8 0x51825b in drawrange /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
#9 0x514aa1 in mudraw_main /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
#10 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/source/tools/mutool.c:110:12
#11 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#12 0x41e1a8 in _init (/usr/bin/mutool+0x41e1a8)
0x60c00000abb6 is located 1 bytes to the right of 117-byte region
[0x60c00000ab40,0x60c00000abb5)
freed by thread T0 here:
#0 0x4d6c10 in free /tmp/portage/sys-devel/llvm-3.9.1-
r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
#1 0x7fba6a810878 in fz_free /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:187:2
#2 0x7fba6a8d0a0c in fz_decomp_image_from_stream /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:330:3
#3 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
#4 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
#5 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
#6 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
#7 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
#8 0x51d503 in drawband /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
#9 0x51b026 in dodrawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
#10 0x51edba in drawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
#11 0x51825b in drawrange /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
#12 0x514aa1 in mudraw_main /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
#13 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/source/tools/mutool.c:110:12
#14 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
previously allocated by thread T0 here:
#0 0x4d6f68 in malloc /tmp/portage/sys-devel/llvm-3.9.1-
r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
#1 0x7fba6a80c08f in do_scavenging_malloc /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:17:7
#2 0x7fba6a80c08f in fz_malloc_array /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:80
#3 0x7fba6a8cfd40 in fz_decomp_image_from_stream /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:268:13
#4 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
#5 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
#6 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
#7 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
#8 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
#9 0x51d503 in drawband /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
#10 0x51b026 in dodrawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
#11 0x51edba in drawpage /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
#12 0x51825b in drawrange /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
#13 0x514aa1 in mudraw_main /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
#14 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/source/tools/mutool.c:110:12
#15 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/app-
text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 in
fz_subsample_pixmap
Shadow bytes around the buggy address:
0x0c187fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff9570: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
0x0c187fff9590: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff95a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff95b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c187fff95c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17100==ABORTING
Affected version:
1.10a
Fixed version:
1.11 (that will be released in march)
Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Reproducer:
https://github.com/asarubbo/poc/blob/master/00149-mupdf-UAF-fz_subsample_pixmap
Timeline:
2017-02-06: bug discovered and reported to upstream
2017-02-09: upstream released a patch
2017-02-09: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c
--
Agostino Sarubbo
Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
