Bugzilla – Bug 1029125
VUL-0: CVE-2016-10246: mupdf: mujstest: global-buffer-overflow in main (jstest_main.c)
Last modified: 2017-08-02 10:47:28 UTC
CVE-2016-10246 mupdf: mujstest: global-buffer-overflow in main (jstest_main.c) Posted on September 24, 2016 by ago Description: Mujstest, which is part of mupdf is a scriptable tester for mupdf + js. A fuzzing revealed a global buffer overflow write. The complete ASan output: # mujstest $FILE ================================================================= ==2244==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013c6140 at pc 0x000000473526 bp 0x7fff866f77d0 sp 0x7fff866f6f80 WRITE of size 1181 at 0x0000013c6140 thread T0 #0 0x473525 in __interceptor_strcpy /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:547 #1 0x4f7910 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:353:6 #2 0x7f3a6c18661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8) 0x0000013c6140 is located 0 bytes to the right of global variable 'filename' defined in 'platform/x11/jstest_main.c:15:13' (0x13c5d40) of size 1024 SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:547 in __interceptor_strcpy Shadow bytes around the buggy address: 0x000080270bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080270be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080270bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080270c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080270c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x000080270c20: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 0x000080270c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080270c40: f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x000080270c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080270c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080270c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2244==ABORTING Affected version: 1.9a Fixed version: 1.10 Commit fix: http://git.ghostscript.com/?p=mupdf.git;h=cfe8f35bca61056363368c343be36812abde0a06 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. References: https://blogs.gentoo.org/ago/2016/09/24/mupdf-mujstest-global-buffer-overflow-in-main-jstest_main-c/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10246 http://seclists.org/oss-sec/2017/q1/605
We don't ship mujstest.