[CVE-2016-6265] MuPDF library use after free
Sometimes as part of other library/products fuzzing you have some collateral bugs in other libraries, this bug is one of them, in the MuPDF library, which as far as I know it’s used in quite some free Android PDF readers for example.
report link
http://bugs.ghostscript.com/show_bug.cgi?id=696941
reproducer
ASAN report
➜ mupdf ./mupdf_debug/build/debug/mupdf-x11 mucrash1.pdf 2>&1 | asan_symbolize-3.8
warning: broken xref section, proceeding anyway.
=================================================================
==24575==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700000fda8 at pc 0x0000006b0a54 bp 0x7ffcb040dbb0 sp 0x7ffcb040dba8
READ of size 4 at 0x61700000fda8 thread T0
#0 0x6b0a53 in pdf_load_xref /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1188
#1 0x6b0a53 in ?? ??:0
#2 0x6aac73 in pdf_init_document /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1440
#3 0x6aac73 in ?? ??:0
#4 0x6ad4ae in pdf_open_document /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:2347
#5 0x6ad4ae in ?? ??:0
#6 0x5183d2 in fz_open_document /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/document.c:129
#7 0x5183d2 in ?? ??:0
#8 0x4fbb2b in pdfapp_open_progressive /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:317
#9 0x4fbb2b in ?? ??:0
#10 0x4fb708 in pdfapp_open /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:213
#11 0x4fb708 in ?? ??:0
#12 0x4f01df in main /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/x11_main.c:888
#13 0x4f01df in ?? ??:0
#14 0x7f6b723ef82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#15 0x7f6b723ef82f in ?? ??:0
#16 0x41ad98 in _start ??:?
#17 0x41ad98 in ?? ??:0
0x61700000fda8 is located 296 bytes inside of 768-byte region [0x61700000fc80,0x61700000ff80)
freed by thread T0 here:
#0 0x4bad40 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o:?
#1 0x4bad40 in ?? ??:0
#2 0x516018 in fz_free_default /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:225
#3 0x516018 in ?? ??:0
previously allocated by thread T0 here:
#0 0x4baec8 in malloc ??:?
#1 0x4baec8 in ?? ??:0
#2 0x515f68 in fz_malloc_default /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:213
#3 0x515f68 in ?? ??:0
#4 0x6b9aae in pdf_xref_find_subsection /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:740
#5 0x6b9aae in ?? ??:0
SUMMARY: AddressSanitizer: heap-use-after-free (/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/build/debug/mupdf-x11+0x6b0a53)
Shadow bytes around the buggy address:
0x0c2e7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff9fb0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24575==ABORTING