Bug 697500

Summary: Null pointer dereference in fz_paint_pixmap_with_mask()
Product: MuPDF Reporter: Kamil Frankowicz <kamil.frankowicz>
Component: fitzAssignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: robin.watts
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: POC to trigger null pointer dereference (mutool)

Description Kamil Frankowicz 2017-01-24 12:47:22 UTC
Created attachment 13312 [details]
POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING
Comment 1 Robin Watts 2017-02-14 08:22:36 UTC
Fixed in:

commit 1912de5f08e90af1d9d0a9791f58ba3afdb9d465
Author: Robin Watts <robin.watts@artifex.com>
Date:   Thu Feb 9 15:49:15 2017 +0000

    Bug 697500: Fix NULL ptr access.

    Cope better with errors during rendering - avoid letting the
    gstate stack get out of sync.

    This avoids us ever getting into the situation of popping
    a clip when we should be popping a mask or a group. This was
    causing an unexpected case in the painting.