Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Aug 2016 13:14:50 +0800
From: redrain root <rootredrain@...il.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE request:Heap overflow vulns in MuPDF

Title: Heap overflow vulns in MuPDF
Author: Yu Hong, yu.hong@...itin.com;Zheng Jihong,jihong.zheng@...itin.com
Data: 2016-08-01
Dowload Site: http://ghostscript.com/download;http://mupdf.com/downloads/
Vendor: Ghostscript
----------------------------------------------------------
Vulnerability:
Recently,I found a heap overflow vulnerability that cause this crash .
I thought it a dangerous vulnerability because there are so many function
point in the heap and the program have important the function "system".

The location of this vulnerability is at "pdf_load_mesh_params" function,at
 "source/pdf/pdf-shade.c" .

obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
if (pdf_array_len(ctx, obj) >= 6)
{
n = (pdf_array_len(ctx, obj) - 4) / 2;
shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
shade->u.m.y1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 3));
for (i = 0; i < n; i++)
{
shade->u.m.c0[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 4 + i * 2));
shade->u.m.c1[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 5 + i * 2));
}
}



the length of array return from "pdf_array_len"  not be checked. But the
max size of "shade->u.m.C0/C1" is defined as a macro(32 as default). So if
I make a pdf which have a large decode array. This code will cause a heap
overflow .

And the overflow data could be control, And on the memory I overflow , I
found a struct which full of function point. Maybe I can let it point to
got table for a chance to call "system"

issue:
http://bugs.ghostscript.com/show_bug.cgi?id=696954

fix code:
http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e

PoC:

reference attachment

--from redrain 祝好

[ CONTENT OF TYPE text/html SKIPPED ]

[ CONTENT OF TYPE application/pdf SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ