Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Aug 2016 13:14:50 +0800
From: redrain root <>
Subject: CVE request:Heap overflow vulns in MuPDF

Title: Heap overflow vulns in MuPDF
Author: Yu Hong,;Zheng Jihong,
Data: 2016-08-01
Dowload Site:;
Vendor: Ghostscript
Recently,I found a heap overflow vulnerability that cause this crash .
I thought it a dangerous vulnerability because there are so many function
point in the heap and the program have important the function "system".

The location of this vulnerability is at "pdf_load_mesh_params" function,at
 "source/pdf/pdf-shade.c" .

obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
if (pdf_array_len(ctx, obj) >= 6)
n = (pdf_array_len(ctx, obj) - 4) / 2;
shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
shade->u.m.y1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 3));
for (i = 0; i < n; i++)
shade->u.m.c0[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 4 + i * 2));
shade->u.m.c1[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 5 + i * 2));

the length of array return from "pdf_array_len"  not be checked. But the
max size of "shade->u.m.C0/C1" is defined as a macro(32 as default). So if
I make a pdf which have a large decode array. This code will cause a heap
overflow .

And the overflow data could be control, And on the memory I overflow , I
found a struct which full of function point. Maybe I can let it point to
got table for a chance to call "system"


fix code:;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e


reference attachment

--from redrain 祝好


[ CONTENT OF TYPE application/pdf SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ