Vulnerability Overview
Vulnerability ID: #802590
Vulnerability name: Artifex MuPDF 1.28 Out-of-Bounds Read
Vulnerability type: Heap-buffer-overflow
Vulnerability description: In the  function of , when processing  fonts, if the  value returned by  is greater than , the  function reads data beyond the allocated memory range. Specifically,  reads the  bytes returned by , and those bytes may lie outside the memory range allocated by , which results in a heap buffer overflow.

Affected Scope
Affected versions: Artifex MuPDF 1.28 and earlier
Affected component: font handling module

Fix
Fix status: Accepted
Fixed version: no specific fixed version provided yet
Fix recommendation: add validation of the  value in the  function so that it cannot exceed , preventing reads beyond the allocated memory range.

POC
```plaintext
Heap out-of-bounds read in fz_subset_cff_for_gids via off-by-one in index_load validation

index_load() in subset-cff.c validates that the last CFF INDEX offset does not exceed the total CFF buffer length, but the memory read in do_subset() uses absolute positions computed by index_get(), which adds the INDEX's data_offset. Since data_offset > 0 for any INDEX that does not begin at byte 0 of the CFF, a crafted CFF with v_last = len passes the validation check while index_get(count) = data_offset + len > len, causing do_subset() to read memory past the end of the allocated CFF buffer.

Version: 1.28.0
Commit: 8dd9cc0108c38c409f301361f83f11539c68ef

Root cause (subset-cff.c):

// index_load(), line 315: v here is v_last, the raw relative offset of the last item
if (v > len)
    fz_throw(ctx, FZ_ERROR_FORMAT, "Truncated index");

// index_load(), line 297: data_offset absorbs the INDEX base position
index->data_offset = data_offset + offset; // offset > 0 always

// index_get(), line 337: the absolute position adds data_offset back
return index->data_offset + v; // data_offset + len > len

// do_subset(), line 800: reads using the out-of-bounds absolute position
memcpy(strings + fill, &cfs->base[offset], end - offset);

The check at line 315 compares the raw relative offset v against len (the total CFF size), but index_get() returns data_offset + v (an absolute file position). With data_offset = 38 and v_last = len = 1040, index_get(count) = 1078, so do_subset() reads 1039 bytes starting at position 39 of a 1041-byte allocation, overrunning the right edge of the heap allocation by 37 bytes.
```

Run:
```plaintext
ASAN_OPTIONS=abort_on_error=0 .../mutool clean -S poc_subset-cff_indexload_oob_read.pdf /tmp/poc_out.pdf
```

Sanitizer output:
```plaintext
ASAN_OPTIONS=abort_on_error=0 mutool clean -S poc_subset-cff_indexload_oob_read.pdf /tmp/poc_out.pdf 2>&1
    #2 0xcbcb71154820 (/home/user/Desktop/mupdf/mupdf/build/release/mutool+0x1694820) (BuildID: 530630f07b7959d003384841eb6ab346678434c6)
```
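The C program below is an added example written for this page, not code from MuPDF's subset-cff.c. It models a CFF INDEX with a simplified loader so the validation mismatch described above can be seen in isolation: `strict == 0` reproduces a check that compares only the relative last offset against the whole buffer length, while `strict == 1` bounds the absolute end position `data_offset + last`, which is the value the later memory read actually uses. The struct `cff_index`, the functions `index_load`, `index_end`, `build_buffer`, `check_crafted`, `crafted_overrun` and `check_valid`, the 32-byte buffer and the INDEX position 4 are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a CFF INDEX: count (2 bytes, big-endian), offSize (1 byte),
 * count+1 offsets of offSize bytes each, then the item data. Offsets are
 * 1-based and relative to the byte that precedes the data. This is an
 * added, simplified model and not MuPDF's own structures. */
typedef struct {
    size_t data_offset; /* absolute position a relative offset is added to */
    size_t count;
    size_t last;        /* relative offset just past the last item */
} cff_index;

static uint32_t read_be(const uint8_t *p, int n)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Parse the INDEX at `pos`. strict == 0 compares the relative end offset
 * against the whole buffer length; strict == 1 compares the absolute end
 * position (data_offset + last). Returns 0 if accepted, -1 if rejected. */
static int index_load(const uint8_t *cff, size_t len, size_t pos, int strict, cff_index *out)
{
    if (len < 3 || pos > len - 3)
        return -1;
    size_t count = read_be(cff + pos, 2);
    int offsize = cff[pos + 2];
    if (offsize < 1 || offsize > 4)
        return -1;
    size_t offarr = pos + 3;
    size_t offarr_len = (count + 1) * (size_t)offsize;
    if (offarr_len > len - offarr)
        return -1;
    size_t data_offset = offarr + offarr_len - 1;
    size_t last = read_be(cff + offarr + count * offsize, offsize);
    if (strict) {
        /* The later read uses data_offset + last, so bound that value.
         * Written as a subtraction on the right so it cannot wrap. */
        if (last > len - data_offset)
            return -1;
    } else {
        /* Lax check: only the relative value is compared against len. */
        if (last > len)
            return -1;
    }
    out->data_offset = data_offset;
    out->count = count;
    out->last = last;
    return 0;
}

/* Absolute end position a subsetter would read up to for the last item. */
static size_t index_end(const cff_index *ix)
{
    return ix->data_offset + ix->last;
}

#define BUF_LEN 32

/* Constructed 32-byte buffer holding one INDEX at position 4
 * (count = 1, offSize = 1). `last` is the item's relative end offset. */
static void build_buffer(uint8_t *buf, uint8_t last)
{
    memset(buf, 0, BUF_LEN);
    buf[4] = 0x00; buf[5] = 0x01;  /* count = 1 */
    buf[6] = 1;                     /* offSize = 1 */
    buf[7] = 1;                     /* offset[0]: first item starts at data_offset + 1 */
    buf[8] = last;                  /* offset[1]: end of the only item */
}

/* Crafted INDEX whose last offset equals the buffer length (0 = accepted). */
int check_crafted(int strict)
{
    uint8_t buf[BUF_LEN];
    cff_index ix;
    build_buffer(buf, BUF_LEN);
    return index_load(buf, BUF_LEN, 4, strict, &ix);
}

/* Bytes past the end of the buffer that the lax check would let a read reach. */
size_t crafted_overrun(void)
{
    uint8_t buf[BUF_LEN];
    cff_index ix;
    build_buffer(buf, BUF_LEN);
    if (index_load(buf, BUF_LEN, 4, 0, &ix) != 0)
        return 0;
    return index_end(&ix) - BUF_LEN;
}

/* A well-formed INDEX whose item ends inside the buffer passes both checks. */
int check_valid(int strict)
{
    uint8_t buf[BUF_LEN];
    cff_index ix;
    build_buffer(buf, 20);
    return index_load(buf, BUF_LEN, 4, strict, &ix);
}

int main(void)
{
    printf("lax check accepts crafted INDEX: %s\n", check_crafted(0) == 0 ? "yes" : "no");
    printf("strict check accepts crafted INDEX: %s\n", check_crafted(1) == 0 ? "yes" : "no");
    printf("bytes past the buffer the lax check allows: %zu\n", crafted_overrun());
    return 0;
}
```

In this model `data_offset` is 8, so a last offset of 32 on a 32-byte buffer passes the lax comparison but would let the copy run 8 bytes past the allocation; the strict form rejects it while still accepting the well-formed buffer. The same shape of fix applies to the report's recommendation: validate the value the read will actually use, the absolute position, rather than the relative one.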