Bug 1029126 (CVE-2016-10247)

Summary: VUL-0: CVE-2016-10247: mupdf: mujstest: global-buffer-overflow in my_getline (jstest_main.c)
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Ismail Dönmez <ismail>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jsegitz, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 42.2   
URL: https://smash.suse.de/issue/181627/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Victor Pereira 2017-03-13 13:39:40 UTC 
CVE-2016-10247

Description:
Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.

A fuzzing revealed a global buffer overflow write.

The complete ASan output:

# mujstest $FILE
==1278==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013c7280 at pc 0x0000004fa432 bp 0x7ffea75837d0 sp 0x7ffea75837c8
WRITE of size 1 at 0x0000013c7280 thread T0
    #0 0x4fa431 in my_getline /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:214:5
    #1 0x4fa431 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:335
    #2 0x7fb62229661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8)

0x0000013c7280 is located 0 bytes to the right of global variable 'getline_buffer' defined in 'platform/x11/jstest_main.c:24:13' (0x13c6280) of size 4096
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:214:5 in my_getline
Shadow bytes around the buggy address:
  0x000080270e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080270e50:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270ea0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1278==ABORTING
Affected version:
1.9a

Fixed version:
1.10

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=446097f97b71ce20fa8d1e45e070f2e62676003e

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

References:
https://blogs.gentoo.org/ago/2016/09/24/mupdf-mujstest-global-buffer-overflow-in-my_getline-jstest_main-c/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10247
http://seclists.org/oss-sec/2017/q1/604
Comment 1 Ismail Dönmez 2017-08-02 10:47:20 UTC 
We don't ship mujstest.