Bug 589826 (CVE-2016-6265) - <app-text/mupdf-1.10a: use-after-free (CVE-2016-6265)
Summary: <app-text/mupdf-1.10a: use-after-free (CVE-2016-6265)
Alias: CVE-2016-6265
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor with 1 vote
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on:
Reported: 2016-07-27 09:30 UTC by Agostino Sarubbo
Modified: 2017-02-19 12:50 UTC

See Also:
Package list:
=app-text/mupdf-1.10a =dev-lang/mujs-0_p20161202 arm ppc =app-text/llpp-23 amd64 ppc x86
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-07-27 09:30:38 UTC
From ${URL} :


I disclosed a UAF in MuPDF, you can find the reproducer and report here:

I put a partially symbolicated ASAN report here for reference



➜  mupdf ./mupdf_debug/build/debug/mupdf-x11 mucrash1.pdf 2>&1 |
warning: broken xref section, proceeding anyway.
==24575==ERROR: AddressSanitizer: heap-use-after-free on address
0x61700000fda8 at pc 0x0000006b0a54 bp 0x7ffcb040dbb0 sp 0x7ffcb040dba8
READ of size 4 at 0x61700000fda8 thread T0
    #0 0x6b0a53 in pdf_load_xref
    #1 0x6b0a53 in ?? ??:0
    #2 0x6aac73 in pdf_init_document
    #3 0x6aac73 in ?? ??:0
    #4 0x6ad4ae in pdf_open_document
    #5 0x6ad4ae in ?? ??:0
    #6 0x5183d2 in fz_open_document
    #7 0x5183d2 in ?? ??:0
    #8 0x4fbb2b in pdfapp_open_progressive
    #9 0x4fbb2b in ?? ??:0
    #10 0x4fb708 in pdfapp_open
    #11 0x4fb708 in ?? ??:0
    #12 0x4f01df in main
    #13 0x4f01df in ?? ??:0
    #14 0x7f6b723ef82f in __libc_start_main
    #15 0x7f6b723ef82f in ?? ??:0
    #16 0x41ad98 in _start ??:?
    #17 0x41ad98 in ?? ??:0

0x61700000fda8 is located 296 bytes inside of 768-byte region
freed by thread T0 here:
    #0 0x4bad40 in __interceptor_cfree.localalias.0
    #1 0x4bad40 in ?? ??:0
    #2 0x516018 in fz_free_default
    #3 0x516018 in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4baec8 in malloc ??:?
    #1 0x4baec8 in ?? ??:0
    #2 0x515f68 in fz_malloc_default
    #3 0x515f68 in ?? ??:0
    #4 0x6b9aae in pdf_xref_find_subsection
    #5 0x6b9aae in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
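A triage helper for the partially symbolicated ASan report above, as an added example that is not part of the original report or of MuPDF: it drops the duplicate `?? ??:0` frames and, for each of the three stacks, finds the first frame that is not allocator plumbing. The names `triage` and `first_caller` and the wrapper-name heuristic are assumptions made for this example.

```python
import re
# Excerpt trimmed from the report above (outer access frames omitted).
SAMPLE = """\
==24575==ERROR: AddressSanitizer: heap-use-after-free on address
0x61700000fda8 at pc 0x0000006b0a54 bp 0x7ffcb040dbb0 sp 0x7ffcb040dba8
READ of size 4 at 0x61700000fda8 thread T0
    #0 0x6b0a53 in pdf_load_xref
    #1 0x6b0a53 in ?? ??:0

0x61700000fda8 is located 296 bytes inside of 768-byte region
freed by thread T0 here:
    #0 0x4bad40 in __interceptor_cfree.localalias.0
    #1 0x4bad40 in ?? ??:0
    #2 0x516018 in fz_free_default
    #3 0x516018 in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4baec8 in malloc ??:?
    #1 0x4baec8 in ?? ??:0
    #2 0x515f68 in fz_malloc_default
    #3 0x515f68 in ?? ??:0
    #4 0x6b9aae in pdf_xref_find_subsection
    #5 0x6b9aae in ?? ??:0
"""

FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)")
# Assumption: frame names from this report that are allocator plumbing, not callers.
WRAPPER = re.compile(r"^(__interceptor_|malloc$|free$|fz_(malloc|free)_)")
HEADERS = {"READ of size": "access", "WRITE of size": "access",
           "freed by": "free", "previously allocated": "alloc"}

def triage(report):
    out = {"access": [], "free": [], "alloc": []}
    m = re.search(r"AddressSanitizer:\s+(\S+)\s+on\s+address", report)
    out["bug"] = m.group(1) if m else None
    m = re.search(r"(READ|WRITE) of size (\d+)", report)
    out["op"], out["size"] = (m.group(1), int(m.group(2))) if m else (None, None)
    m = re.search(r"located (\d+) bytes inside of (\d+)-byte region", report)
    out["offset"], out["region"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    stack = None
    for line in report.splitlines():
        stack = next((s for h, s in HEADERS.items() if line.startswith(h)), stack)
        f = FRAME.match(line)
        if f and stack and f.group(1) != "??":  # skip the "?? ??:0" twin frames
            out[stack].append(f.group(1))
    return out

def first_caller(frames):
    """First frame that is not allocator plumbing, or None if the stack has none."""
    return next((f for f in frames if not WRAPPER.match(f)), None)
```

On this report the free stack yields no caller because it ends at `fz_free_default`, so the trace identifies where the region was allocated and where it was read, but not which code path freed it.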
Comment 1 afarah 2016-10-12 01:37:02 UTC
There has been a fix upstream for three months now.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-11-26 01:39:02 UTC
CVE-2016-6265 (
  Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c
  in MuPDF allows remote attackers to cause a denial of service (crash) via a
  crafted PDF file.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 01:45:51 UTC
Fixed in version 1.10 upstream.
Comment 4 charles17 2016-12-20 07:37:10 UTC
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-01-23 00:34:01 UTC
Version containing fixes (1.10a) is in tree now.

commit 290927105365ff1f2374f383d7135ecf17f41cb1
Author: Michael Weber <>
Date:   Mon Jan 23 01:31:02 2017 +0100

    app-text/mupdf: Version bump (, thanks charIes17).
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-23 14:48:33 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-23 14:49:05 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-24 05:27:41 UTC
Stable for HPPA PPC64.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-26 11:01:18 UTC
ppc stable
Comment 10 Michael Weber (RETIRED) gentoo-dev 2017-02-01 07:43:01 UTC
@arm: ping! Users are getting edgy,
Comment 11 Markus Meier gentoo-dev 2017-02-05 16:58:55 UTC
arm stable, all arches done.
Comment 12 Michael Weber (RETIRED) gentoo-dev 2017-02-05 17:26:07 UTC
commit 2af6b2174d988ef90e8178a6c13839d33af70f35
Author: Michael Weber <>
Date:   Sun Feb 5 18:24:55 2017 +0100

    app-text/mupdf: Remove old versions (bug 600674, 590480, 589826).
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-02-05 22:38:06 UTC
added to GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:50:45 UTC
This issue was resolved and addressed in
 GLSA 201702-12 at
by GLSA coordinator Thomas Deutschmann (whissi).