A build of the unstable version with ASAN shows:

ASAN_OPTIONS="detect_leaks=0"  ./build/debian/mutool convert -o /tmp/out.pdf 
~/699685
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
Corrupt JPEG data: premature end of data segment
Corrupt JPEG data: premature end of data segment
=================================================================
==10393==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x615000000ce4 at pc 0x564ea54db2f0 bp 0x7ffcba056c20 sp 0x7ffcba056c18
READ of size 4 at 0x615000000ce4 thread T0
    #0 0x564ea54db2ef in pdf_dev_alpha source/pdf/pdf-device.c:288
    #1 0x564ea54df408 in pdf_dev_stroke_path source/pdf/pdf-device.c:656
    #2 0x564ea5337de2 in fz_stroke_path source/fitz/device.c:133
    #3 0x564ea563b356 in pdf_show_path source/pdf/pdf-op-run.c:707
    #4 0x564ea5645b80 in pdf_run_S source/pdf/pdf-op-run.c:1775
    #5 0x564ea5613e0c in pdf_process_keyword source/pdf/pdf-interpret.c:622
    #6 0x564ea5617e5e in pdf_process_stream source/pdf/pdf-interpret.c:937
    #7 0x564ea5618833 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #8 0x564ea5525f58 in pdf_run_page_contents_with_usage 
source/pdf/pdf-run.c:100
    #9 0x564ea5526462 in pdf_run_page_contents source/pdf/pdf-run.c:129
    #10 0x564ea533ce9c in fz_run_page_contents source/fitz/document.c:393
    #11 0x564ea533d16d in fz_run_page source/fitz/document.c:425
    #12 0x564ea52c5233 in runpage source/tools/muconvert.c:80
    #13 0x564ea52c5693 in runrange source/tools/muconvert.c:103
    #14 0x564ea52c6110 in muconvert_main source/tools/muconvert.c:185
    #15 0x564ea52c4946 in main source/tools/mutool.c:132
    #16 0x7fa6a3f2b09a in __libc_start_main ../csu/libc-start.c:308
    #17 0x564ea52c4169 in _start 
(/build/mupdf-1.14.0+ds1/build/debian/mutool+0xfd169)
0x615000000ce4 is located 28 bytes to the left of 512-byte region 
[0x615000000d00,0x615000000f00)
allocated by thread T0 here:
    #0 0x7fa6a4cf3740 in __interceptor_realloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
    #1 0x564ea540a500 in fz_realloc_default source/fitz/memory.c:227
    #2 0x564ea5409b50 in do_scavenging_realloc source/fitz/memory.c:43
    #3 0x564ea540a127 in fz_resize_array source/fitz/memory.c:172
    #4 0x564ea54dc51d in pdf_dev_push_new_buf source/pdf/pdf-device.c:396
    #5 0x564ea54dc9db in pdf_dev_push source/pdf/pdf-device.c:414
    #6 0x564ea54df51a in pdf_dev_clip_path source/pdf/pdf-device.c:671
    #7 0x564ea5338152 in fz_clip_path source/fitz/device.c:154
    #8 0x564ea563c419 in pdf_show_path source/pdf/pdf-op-run.c:786
    #9 0x564ea564316a in pdf_run_xobject source/pdf/pdf-op-run.c:1425
    #10 0x564ea5648c17 in pdf_run_Do_form source/pdf/pdf-op-run.c:2141
    #11 0x564ea5610b8c in pdf_process_Do source/pdf/pdf-interpret.c:332
    #12 0x564ea56165c4 in pdf_process_keyword source/pdf/pdf-interpret.c:762
    #13 0x564ea5617e5e in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x564ea5618833 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x564ea5525f58 in pdf_run_page_contents_with_usage 
source/pdf/pdf-run.c:100
    #16 0x564ea5526462 in pdf_run_page_contents source/pdf/pdf-run.c:129
    #17 0x564ea533ce9c in fz_run_page_contents source/fitz/document.c:393
    #18 0x564ea533d16d in fz_run_page source/fitz/document.c:425
    #19 0x564ea52c5233 in runpage source/tools/muconvert.c:80
    #20 0x564ea52c5693 in runrange source/tools/muconvert.c:103
    #21 0x564ea52c6110 in muconvert_main source/tools/muconvert.c:185
    #22 0x564ea52c4946 in main source/tools/mutool.c:132
    #23 0x7fa6a3f2b09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow source/pdf/pdf-device.c:288 in 
pdf_dev_alpha
Shadow bytes around the buggy address:
  0x0c2a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff8180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c2a7fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10393==ABORTING

and

ASAN_OPTIONS="detect_leaks=0"  ./build/debian/mutool convert -o /tmp/out.pdf 
~/699686
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
Corrupt JPEG data: premature end of data segment
Corrupt JPEG data: premature end of data segment
error: unknown colorspace: DevicbGray
error: too few sample function dimension sizes
error: stitching function has no bounds
warning: ignoring zlib error: incorrect data check
warning: ... repeated 2 times ...
warning: object out of range (0 0 R); xref size 69
=================================================================
==10394==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000016350 
at pc 0x55b90db8bbe0 bp 0x7ffc6290a9c0 sp 0x7ffc6290a9b8
READ of size 4 at 0x604000016350 thread T0
    #0 0x55b90db8bbdf in fz_keep_imp source/fitz/fitz-imp.h:139
    #1 0x55b90db8c6b4 in fz_keep_buffer source/fitz/buffer.c:113
    #2 0x55b90dda1be1 in pdf_load_raw_stream_number source/pdf/pdf-stream.c:479
    #3 0x55b90ddb02a1 in copystream source/pdf/pdf-write.c:1677
    #4 0x55b90ddb2012 in writeobject source/pdf/pdf-write.c:1925
    #5 0x55b90ddb4c6e in dowriteobject source/pdf/pdf-write.c:2228
    #6 0x55b90ddb50d6 in writeobjects source/pdf/pdf-write.c:2260
    #7 0x55b90ddbbdc5 in do_pdf_save_document source/pdf/pdf-write.c:3044
    #8 0x55b90ddbcecf in pdf_save_document source/pdf/pdf-write.c:3187
    #9 0x55b90ddbd987 in pdf_writer_close_writer source/pdf/pdf-write.c:3354
    #10 0x55b90dd06d71 in fz_close_document_writer source/fitz/writer.c:168
    #11 0x55b90db3d152 in muconvert_main source/tools/muconvert.c:190
    #12 0x55b90db3b946 in main source/tools/mutool.c:132
    #13 0x7fde3c32d09a in __libc_start_main ../csu/libc-start.c:308
    #14 0x55b90db3b169 in _start 
(/build/mupdf-1.14.0+ds1/build/debian/mutool+0xfd169)

0x604000016350 is located 0 bytes inside of 40-byte region 
[0x604000016350,0x604000016378)
freed by thread T0 here:
    #0 0x7fde3d0f4fd0 in __interceptor_free 
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fd0)
    #1 0x55b90dc8151e in fz_free_default source/fitz/memory.c:233
    #2 0x55b90dc8144f in fz_free source/fitz/memory.c:204
    #3 0x55b90db8c77a in fz_drop_buffer source/fitz/buffer.c:123
    #4 0x55b90ddbd758 in pdf_writer_end_page source/pdf/pdf-write.c:3341
    #5 0x55b90dd07009 in fz_end_page source/fitz/writer.c:205
    #6 0x55b90db3c39a in runpage source/tools/muconvert.c:85
    #7 0x55b90db3c693 in runrange source/tools/muconvert.c:103
    #8 0x55b90db3d110 in muconvert_main source/tools/muconvert.c:185
    #9 0x55b90db3b946 in main source/tools/mutool.c:132
    #10 0x7fde3c32d09a in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fde3d0f5350 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9350)
    #1 0x55b90dc814d7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x55b90dc80914 in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x55b90dc8101b in fz_calloc source/fitz/memory.c:125
    #4 0x55b90db8bd02 in fz_new_buffer source/fitz/buffer.c:13
    #5 0x55b90dd5aa8f in pdf_page_write source/pdf/pdf-device.c:1152
    #6 0x55b90ddbd300 in pdf_writer_begin_page source/pdf/pdf-write.c:3320
    #7 0x55b90dd06f3d in fz_begin_page source/fitz/writer.c:192
    #8 0x55b90db3c14a in runpage source/tools/muconvert.c:79
    #9 0x55b90db3c693 in runrange source/tools/muconvert.c:103
    #10 0x55b90db3d110 in muconvert_main source/tools/muconvert.c:185
    #11 0x55b90db3b946 in main source/tools/mutool.c:132
    #12 0x7fde3c32d09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/fitz-imp.h:139 in 
fz_keep_imp
Shadow bytes around the buggy address:
  0x0c087fffac10: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fffac20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fffac30: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffac40: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffac50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fffac60: fa fa 00 00 00 00 00 fa fa fa[fd]fd fd fd fd fa
  0x0c087fffac70: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffac80: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fffac90: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fffaca0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fffacb0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10394==ABORTING

and after applying the patches:

ASAN_OPTIONS="detect_leaks=0"  ./build/debian/mutool convert -o /tmp/out.pdf 
~/699685
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
Corrupt JPEG data: premature end of data segment
Corrupt JPEG data: premature end of data segment
error: unknown colorspace: DevicbGray
error: too few sample function dimension sizes
error: stitching function has no bounds
warning: ignoring zlib error: incorrect data check
warning: ... repeated 2 times ...


ASAN_OPTIONS="detect_leaks=0"  ./build/debian/mutool convert -o /tmp/out.pdf 
~/699686
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
Corrupt JPEG data: premature end of data segment
Corrupt JPEG data: premature end of data segment
error: unknown colorspace: DevicbGray
error: too few sample function dimension sizes
error: stitching function has no bounds
warning: ignoring zlib error: incorrect data check
warning: ... repeated 2 times ...

The point of writing this follow-up in the bug is that applying those patches to
a normal build of mupdf and running the PoC under valgrind shows the same
backtraces.

Regards,
Salvatore
==10681== Memcheck, a memory error detector
==10681== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10681== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10681== Command: mutool convert -o /tmp/out.pdf /build/699685
==10681== 
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
==10681== Invalid read of size 4
==10681==    at 0x1BCA4A: fz_format_string (printf.c:338)
==10681==    by 0x162948: fz_append_printf (buffer.c:372)
==10681==    by 0x1EF2BD: pdf_new_pdf_device (pdf-device.c:1135)
==10681==    by 0x1EF3DF: pdf_page_write (pdf-device.c:1153)
==10681==    by 0x1D5EE4: fz_begin_page (writer.c:192)
==10681==    by 0x14154F: runpage (muconvert.c:79)
==10681==    by 0x141629: runrange (muconvert.c:103)
==10681==    by 0x14198F: muconvert_main (muconvert.c:185)
==10681==    by 0x53B709A: (below main) (libc-start.c:308)
==10681==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==10681== 
==10681== 
==10681== Process terminating with default action of signal 11 (SIGSEGV)
==10681==  Access not within mapped region at address 0x1
==10681==    at 0x1BCA4A: fz_format_string (printf.c:338)
==10681==    by 0x162948: fz_append_printf (buffer.c:372)
==10681==    by 0x1EF2BD: pdf_new_pdf_device (pdf-device.c:1135)
==10681==    by 0x1EF3DF: pdf_page_write (pdf-device.c:1153)
==10681==    by 0x1D5EE4: fz_begin_page (writer.c:192)
==10681==    by 0x14154F: runpage (muconvert.c:79)
==10681==    by 0x141629: runrange (muconvert.c:103)
==10681==    by 0x14198F: muconvert_main (muconvert.c:185)
==10681==    by 0x53B709A: (below main) (libc-start.c:308)
==10681==  If you believe this happened as a result of a stack
==10681==  overflow in your program's main thread (unlikely but
==10681==  possible), you can try to increase the size of the
==10681==  main thread stack using the --main-stacksize= flag.
==10681==  The main thread stack size used in this run was 8388608.
==10681== 
==10681== HEAP SUMMARY:
==10681==     in use at exit: 559,806 bytes in 2,883 blocks
==10681==   total heap usage: 5,792 allocs, 2,909 frees, 719,069 bytes allocated
==10681== 
==10681== LEAK SUMMARY:
==10681==    definitely lost: 0 bytes in 0 blocks
==10681==    indirectly lost: 0 bytes in 0 blocks
==10681==      possibly lost: 0 bytes in 0 blocks
==10681==    still reachable: 559,806 bytes in 2,883 blocks
==10681==         suppressed: 0 bytes in 0 blocks
==10681== Rerun with --leak-check=full to see details of leaked memory
==10681== 
==10681== For counts of detected and suppressed errors, rerun with: -v
==10681== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==10683== Memcheck, a memory error detector
==10683== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10683== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10683== Command: mutool convert -o /tmp/out.pdf /build/699686
==10683== 
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
==10683== Invalid read of size 4
==10683==    at 0x1BCA4A: fz_format_string (printf.c:338)
==10683==    by 0x162948: fz_append_printf (buffer.c:372)
==10683==    by 0x1EF2BD: pdf_new_pdf_device (pdf-device.c:1135)
==10683==    by 0x1EF3DF: pdf_page_write (pdf-device.c:1153)
==10683==    by 0x1D5EE4: fz_begin_page (writer.c:192)
==10683==    by 0x14154F: runpage (muconvert.c:79)
==10683==    by 0x141629: runrange (muconvert.c:103)
==10683==    by 0x14198F: muconvert_main (muconvert.c:185)
==10683==    by 0x53B709A: (below main) (libc-start.c:308)
==10683==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==10683== 
==10683== 
==10683== Process terminating with default action of signal 11 (SIGSEGV)
==10683==  Access not within mapped region at address 0x1
==10683==    at 0x1BCA4A: fz_format_string (printf.c:338)
==10683==    by 0x162948: fz_append_printf (buffer.c:372)
==10683==    by 0x1EF2BD: pdf_new_pdf_device (pdf-device.c:1135)
==10683==    by 0x1EF3DF: pdf_page_write (pdf-device.c:1153)
==10683==    by 0x1D5EE4: fz_begin_page (writer.c:192)
==10683==    by 0x14154F: runpage (muconvert.c:79)
==10683==    by 0x141629: runrange (muconvert.c:103)
==10683==    by 0x14198F: muconvert_main (muconvert.c:185)
==10683==    by 0x53B709A: (below main) (libc-start.c:308)
==10683==  If you believe this happened as a result of a stack
==10683==  overflow in your program's main thread (unlikely but
==10683==  possible), you can try to increase the size of the
==10683==  main thread stack using the --main-stacksize= flag.
==10683==  The main thread stack size used in this run was 8388608.
==10683== 
==10683== HEAP SUMMARY:
==10683==     in use at exit: 559,806 bytes in 2,883 blocks
==10683==   total heap usage: 5,792 allocs, 2,909 frees, 719,069 bytes allocated
==10683== 
==10683== LEAK SUMMARY:
==10683==    definitely lost: 0 bytes in 0 blocks
==10683==    indirectly lost: 0 bytes in 0 blocks
==10683==      possibly lost: 0 bytes in 0 blocks
==10683==    still reachable: 559,806 bytes in 2,883 blocks
==10683==         suppressed: 0 bytes in 0 blocks
==10683== Rerun with --leak-check=full to see details of leaked memory
==10683== 
==10683== For counts of detected and suppressed errors, rerun with: -v
==10683== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==10681== Memcheck, a memory error detector
==10681== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10681== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10681== Command: mutool convert -o /tmp/out.pdf /build/699685
==10681== 
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
==10681== Invalid read of size 4
==10681==    at 0x1BBD2A: fz_format_string (printf.c:338)
==10681==    by 0x1616A8: fz_append_printf (buffer.c:372)
==10681==    by 0x1EE584: pdf_new_pdf_device (pdf-device.c:1147)
==10681==    by 0x1EE6AF: pdf_page_write (pdf-device.c:1164)
==10681==    by 0x1D51B4: fz_begin_page (writer.c:192)
==10681==    by 0x14029F: runpage (muconvert.c:79)
==10681==    by 0x140379: runrange (muconvert.c:103)
==10681==    by 0x1406DF: muconvert_main (muconvert.c:185)
==10681==    by 0x50CD09A: (below main) (libc-start.c:308)
==10681==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==10681== 
==10681== 
==10681== Process terminating with default action of signal 11 (SIGSEGV)
==10681==  Access not within mapped region at address 0x1
==10681==    at 0x1BBD2A: fz_format_string (printf.c:338)
==10681==    by 0x1616A8: fz_append_printf (buffer.c:372)
==10681==    by 0x1EE584: pdf_new_pdf_device (pdf-device.c:1147)
==10681==    by 0x1EE6AF: pdf_page_write (pdf-device.c:1164)
==10681==    by 0x1D51B4: fz_begin_page (writer.c:192)
==10681==    by 0x14029F: runpage (muconvert.c:79)
==10681==    by 0x140379: runrange (muconvert.c:103)
==10681==    by 0x1406DF: muconvert_main (muconvert.c:185)
==10681==    by 0x50CD09A: (below main) (libc-start.c:308)
==10681==  If you believe this happened as a result of a stack
==10681==  overflow in your program's main thread (unlikely but
==10681==  possible), you can try to increase the size of the
==10681==  main thread stack using the --main-stacksize= flag.
==10681==  The main thread stack size used in this run was 8388608.
==10681== 
==10681== HEAP SUMMARY:
==10681==     in use at exit: 561,830 bytes in 2,884 blocks
==10681==   total heap usage: 5,792 allocs, 2,908 frees, 719,061 bytes allocated
==10681== 
==10681== LEAK SUMMARY:
==10681==    definitely lost: 0 bytes in 0 blocks
==10681==    indirectly lost: 0 bytes in 0 blocks
==10681==      possibly lost: 0 bytes in 0 blocks
==10681==    still reachable: 561,830 bytes in 2,884 blocks
==10681==         suppressed: 0 bytes in 0 blocks
==10681== Rerun with --leak-check=full to see details of leaked memory
==10681== 
==10681== For counts of detected and suppressed errors, rerun with: -v
==10681== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==10683== Memcheck, a memory error detector
==10683== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10683== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10683== Command: mutool convert -o /tmp/out.pdf /build/699686
==10683== 
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
==10683== Invalid read of size 4
==10683==    at 0x1BBD2A: fz_format_string (printf.c:338)
==10683==    by 0x1616A8: fz_append_printf (buffer.c:372)
==10683==    by 0x1EE584: pdf_new_pdf_device (pdf-device.c:1147)
==10683==    by 0x1EE6AF: pdf_page_write (pdf-device.c:1164)
==10683==    by 0x1D51B4: fz_begin_page (writer.c:192)
==10683==    by 0x14029F: runpage (muconvert.c:79)
==10683==    by 0x140379: runrange (muconvert.c:103)
==10683==    by 0x1406DF: muconvert_main (muconvert.c:185)
==10683==    by 0x50CD09A: (below main) (libc-start.c:308)
==10683==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==10683== 
==10683== 
==10683== Process terminating with default action of signal 11 (SIGSEGV)
==10683==  Access not within mapped region at address 0x1
==10683==    at 0x1BBD2A: fz_format_string (printf.c:338)
==10683==    by 0x1616A8: fz_append_printf (buffer.c:372)
==10683==    by 0x1EE584: pdf_new_pdf_device (pdf-device.c:1147)
==10683==    by 0x1EE6AF: pdf_page_write (pdf-device.c:1164)
==10683==    by 0x1D51B4: fz_begin_page (writer.c:192)
==10683==    by 0x14029F: runpage (muconvert.c:79)
==10683==    by 0x140379: runrange (muconvert.c:103)
==10683==    by 0x1406DF: muconvert_main (muconvert.c:185)
==10683==    by 0x50CD09A: (below main) (libc-start.c:308)
==10683==  If you believe this happened as a result of a stack
==10683==  overflow in your program's main thread (unlikely but
==10683==  possible), you can try to increase the size of the
==10683==  main thread stack using the --main-stacksize= flag.
==10683==  The main thread stack size used in this run was 8388608.
==10683== 
==10683== HEAP SUMMARY:
==10683==     in use at exit: 561,830 bytes in 2,884 blocks
==10683==   total heap usage: 5,792 allocs, 2,908 frees, 719,061 bytes allocated
==10683== 
==10683== LEAK SUMMARY:
==10683==    definitely lost: 0 bytes in 0 blocks
==10683==    indirectly lost: 0 bytes in 0 blocks
==10683==      possibly lost: 0 bytes in 0 blocks
==10683==    still reachable: 561,830 bytes in 2,884 blocks
==10683==         suppressed: 0 bytes in 0 blocks
==10683== Rerun with --leak-check=full to see details of leaked memory
==10683== 
==10683== For counts of detected and suppressed errors, rerun with: -v
==10683== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog
--- mupdf-1.14.0+ds1/debian/changelog   2019-01-19 04:01:19.000000000 +0100
+++ mupdf-1.14.0+ds1/debian/changelog   2019-03-14 23:17:01.000000000 +0100
@@ -1,3 +1,13 @@
+mupdf (1.14.0+ds1-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Avoid being smart about keeping only a single reference to the buffer
+    (CVE-2018-16647) (Closes: #924351)
+  * Fix text used as clip mask in pdfwrite device (CVE-2018-16648)
+    (Closes: #924351)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 14 Mar 2019 23:17:01 +0100
+
 mupdf (1.14.0+ds1-3) unstable; urgency=high
 
   * d/patches: import upstream fixes for various bugs.
diff -Nru 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
--- 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
     2019-03-14 23:17:01.000000000 +0100
@@ -0,0 +1,79 @@
+From: Sebastian Rasmussen <seb...@gmail.com>
+Date: Mon, 1 Oct 2018 15:13:13 +0800
+Subject: Avoid being smart about keeping only a single reference to the
+ buffer.
+Origin: 
http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16647
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699686
+
+When pdf_dev_pop() is called it will drop the reference to the buffer.
+pdf_dev_push_new_buf() will either create a new buffer reference or take a 
reference to the existing buffer.
+When pdf_dev_pop() is called unbalance this creates a problem as the
+top level buffer will be unreferenced too many times.
+
+fails-32.pdf
+---
+ source/pdf/pdf-device.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 31a7a10f2722..0103e9a7d9be 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -66,7 +66,6 @@ struct pdf_device_s
+ 
+       pdf_document *doc;
+       pdf_obj *resources;
+-      fz_buffer *buffer;
+ 
+       int in_text;
+ 
+@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+       int i;
+ 
+       for (i = pdev->num_gstates-1; i >= 0; i--)
++      {
++              fz_drop_buffer(ctx, pdev->gstates[i].buf);
+               fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state);
++      }
+ 
+       for (i = pdev->num_cid_fonts-1; i >= 0; i--)
+               fz_drop_font(ctx, pdev->cid_fonts[i]);
+@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+       for (i = pdev->num_groups - 1; i >= 0; i--)
+               pdf_drop_obj(ctx, pdev->groups[i].ref);
+ 
+-      fz_drop_buffer(ctx, pdev->buffer);
+       pdf_drop_obj(ctx, pdev->resources);
+       fz_free(ctx, pdev->cid_fonts);
+       fz_free(ctx, pdev->image_indices);
+@@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, 
pdf_document *doc, fz_matrix topc
+       dev->super.begin_tile = pdf_dev_begin_tile;
+       dev->super.end_tile = pdf_dev_end_tile;
+ 
++      fz_var(buf);
++
+       fz_try(ctx)
+       {
+-              dev->buffer = fz_keep_buffer(ctx, buf);
+-              if (!buf)
++              if (buf)
++                      buf = fz_keep_buffer(ctx, buf);
++              else
+                       buf = fz_new_buffer(ctx, 256);
+               dev->doc = doc;
+               dev->resources = pdf_keep_obj(ctx, resources);
+@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, 
pdf_document *doc, fz_matrix topc
+       }
+       fz_catch(ctx)
+       {
+-              if (dev->gstates && dev->buffer == NULL)
+-                      fz_drop_buffer(ctx, dev->gstates[0].buf);
++              fz_drop_buffer(ctx, buf);
+               fz_free(ctx, dev);
+               fz_rethrow(ctx);
+       }
+-- 
+2.20.1
+
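Review bot: The rewritten fz_catch block still leaks the resources reference: `dev->resources = pdf_keep_obj(ctx, resources);` runs inside fz_try, but on failure only `fz_drop_buffer(ctx, buf);` and `fz_free(ctx, dev);` run, so that keep is never balanced, and the same would apply to dev->gstates if its allocation in the elided part of the try block has already happened. Since this path frees dev without going through pdf_dev_drop_device, I would add `pdf_drop_obj(ctx, dev->resources);` and `fz_free(ctx, dev->gstates);` before `fz_free(ctx, dev);`, which is only safe if dev is zero-initialised at allocation — that allocation is outside the hunk, so please confirm. Separately, the post-patch valgrind traces in this mail fault in fz_format_string via fz_append_printf from pdf_new_pdf_device (pdf-device.c:1147), a site inside the part of the fz_try block this hunk does not show and one the ASAN build on the same input did not hit, so it looks like a separate defect rather than a regression of this change, though that is inferred from the traces alone. pdf_new_pdf_device begins and ends outside the hunk.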
diff -Nru 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
--- 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
    2019-03-14 23:17:01.000000000 +0100
@@ -0,0 +1,50 @@
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Mon, 22 Oct 2018 17:16:35 +0200
+Subject: Fix text used as clip mask in pdfwrite device.
+Origin: 
http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16648
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699685
+
+Push the clip state, and pass the correct text rendering mode state.
+---
+ source/pdf/pdf-device.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 4dd729b8b981..427e3b389e7e 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -734,9 +734,13 @@ pdf_dev_clip_text(fz_context *ctx, fz_device *dev, const 
fz_text *text, fz_matri
+ {
+       pdf_device *pdev = (pdf_device*)dev;
+       fz_text_span *span;
++
++      pdf_dev_end_text(ctx, pdev);
++      pdf_dev_push(ctx, pdev);
++
+       for (span = text->head; span; span = span->next)
+       {
+-              pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++              pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+               pdf_dev_ctm(ctx, pdev, ctm);
+               pdf_dev_font(ctx, pdev, span->font);
+               pdf_dev_text_span(ctx, pdev, span);
+@@ -748,9 +752,13 @@ pdf_dev_clip_stroke_text(fz_context *ctx, fz_device *dev, 
const fz_text *text, c
+ {
+       pdf_device *pdev = (pdf_device*)dev;
+       fz_text_span *span;
++
++      pdf_dev_end_text(ctx, pdev);
++      pdf_dev_push(ctx, pdev);
++
+       for (span = text->head; span; span = span->next)
+       {
+-              pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++              pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+               pdf_dev_font(ctx, pdev, span->font);
+               pdf_dev_ctm(ctx, pdev, ctm);
+               pdf_dev_text_span(ctx, pdev, span);
+-- 
+2.20.1
+
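Review bot: The new `pdf_dev_push(ctx, pdev);` at the top of pdf_dev_clip_text and pdf_dev_clip_stroke_text must be balanced by a pop when the clip ends, and that pop (presumably in pdf_dev_pop_clip) is not in this hunk, so please confirm the gstate stack stays balanced on the pop side; the pre-patch ASAN report in this mail is a read 28 bytes to the left of the gstates array resized in pdf_dev_push_new_buf, which is what an unbalanced push/pop produces, so the pop side is where a remaining mismatch would show. The literal 7 passed to pdf_dev_begin_text in both hunks is the PDF text rendering mode that adds glyphs to the clipping path; I would name it at the call, e.g. `/* Tr 7: add text to clipping path */`, or use a constant if the file already has one for the other modes. Both functions continue past the hunk.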
diff -Nru mupdf-1.14.0+ds1/debian/patches/series 
mupdf-1.14.0+ds1/debian/patches/series
--- mupdf-1.14.0+ds1/debian/patches/series      2019-01-19 03:39:00.000000000 
+0100
+++ mupdf-1.14.0+ds1/debian/patches/series      2019-03-14 23:17:01.000000000 
+0100
@@ -8,3 +8,5 @@
 0008-PATCH-Fix-700043-Don-t-assume-a-font-is-t3-just-beca.patch
 0009-PATCH-Bug-700442-Add-a-recursion-depth-check-to-prev.patch
 0010-PATCH-Throw-when-page-number-is-out-of-range.patch
+0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
+0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
