oss-sec mailing list archives
CVE request:Heap overflow vulns in MuPDF
From: redrain root <rootredrain () gmail com>
Date: Wed, 3 Aug 2016 13:14:50 +0800
Title: Heap overflow vulns in MuPDF Author: Yu Hong, yu.hong () chaitin com;Zheng Jihong,jihong.zheng () chaitin com Data: 2016-08-01 Dowload Site: http://ghostscript.com/download;http://mupdf.com/downloads/ Vendor: Ghostscript ---------------------------------------------------------- Vulnerability: Recently,I found a heap overflow vulnerability that cause this crash . I thought it a dangerous vulnerability because there are so many function point in the heap and the program have important the function "system". The location of this vulnerability is at "pdf_load_mesh_params" function,at "source/pdf/pdf-shade.c" . obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); if (pdf_array_len(ctx, obj) >= 6) { n = (pdf_array_len(ctx, obj) - 4) / 2; shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2)); shade->u.m.y1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 3)); for (i = 0; i < n; i++) { shade->u.m.c0[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 4 + i * 2)); shade->u.m.c1[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 5 + i * 2)); } } the length of array return from "pdf_array_len" not be checked. But the max size of "shade->u.m.C0/C1" is defined as a macro(32 as default). So if I make a pdf which have a large decode array. This code will cause a heap overflow . And the overflow data could be control, And on the memory I overflow , I found a struct which full of function point. Maybe I can let it point to got table for a chance to call "system" issue: http://bugs.ghostscript.com/show_bug.cgi?id=696954 fix code: http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e PoC: reference attachment --from redrain 祝好
Attachment:
p.pdf
Description:
Current thread:
- CVE request:Heap overflow vulns in MuPDF redrain root (Aug 02)
- Re: CVE request:Heap overflow vulns in MuPDF cve-assign (Aug 03)