Vulners
Lucene search
Artifex MuPDF - Null Pointer Dereference
Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500
POC to trigger null pointer dereference (mutool)
After some fuzz testing I found a crashing test case.
Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642
To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null
ASAN:
==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
#0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
#1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
#2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
#3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
#4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
#5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
#6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
#7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
#8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
#9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
#10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
#11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
#12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
#13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
#14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
#15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
#16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
#17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
#18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
#19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
#20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42138.zipData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jun 2017 00:00Current
7.4High risk
Vulners AI Score7.4