Bug 698825

Summary: ASAN/valgrind complaint when rendering document
Product: MuPDF Reporter: Sebastian Rasmussen <sebastian.rasmussen>
Component: mupdf Assignee: Sebastian Rasmussen <sebastian.rasmussen>
Status: RESOLVED FIXED
Severity: normal CC: sebastian.feldmann
Priority: P4
Version: master
Hardware: PC
OS: Linux
URL: http://www.pdfill.com/example/pdf_commenting_new.pdf
Customer: Word Size: ---

Description Sebastian Rasmussen 2017-12-19 14:56:34 UTC
When attempting to render http://www.pdfill.com/example/pdf_commenting_new.pdf using "mutool draw -s t pdf_commenting_new.pdf 4", this triggers an ASAN complaint as quoted below. Valgrind complains similarly.

==19307==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000238 at pc 0x563d4a2aa49d bp 0x7ffea6c773e0 sp 0x7ffea6c773d8
READ of size 1 at 0x613000000238 thread T0
    #0 0x563d4a2aa49c in fz_colorspace_n source/fitz/colorspace.c:3606
    #1 0x563d4a345d2f in fz_append_display_node source/fitz/list-device.c:403
    #2 0x563d4a349117 in fz_list_fill_text source/fitz/list-device.c:765
    #3 0x563d4a2b3088 in fz_fill_text source/fitz/device.c:210
    #4 0x563d4a431024 in pdf_update_free_text_annot_appearance source/pdf/pdf-appearance.c:2214
    #5 0x563d4a434513 in pdf_update_appearance source/pdf/pdf-appearance.c:2519
    #6 0x563d4a418363 in pdf_load_annots source/pdf/pdf-annot.c:473
    #7 0x563d4a48e635 in pdf_load_page source/pdf/pdf-page.c:1083
    #8 0x563d4a2b6f0f in fz_load_page source/fitz/document.c:313
    #9 0x563d4a244a33 in drawpage source/tools/mudraw.c:1044
    #10 0x563d4a24618e in drawrange source/tools/mudraw.c:1209
    #11 0x563d4a24a2eb in mudraw_main source/tools/mudraw.c:1921
    #12 0x563d4a23d820 in main source/tools/mutool.c:127
    #13 0x7f5e740cb560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #14 0x563d4a23d039 in _start (/home/user/src/mupdf/build/sanitize/mutool+0x154039)

0x613000000238 is located 56 bytes inside of 368-byte region [0x613000000200,0x613000000370)
freed by thread T0 here:
    #0 0x7f5e74a588c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x563d4a37fd96 in fz_free_default source/fitz/memory.c:239
    #2 0x563d4a37fc68 in fz_free source/fitz/memory.c:201
    #3 0x563d4a290d08 in fz_drop_colorspace_imp source/fitz/colorspace.c:147
    #4 0x563d4a3e2c0f in fz_drop_key_storable source/fitz/store.c:218
    #5 0x563d4a2911c5 in fz_drop_colorspace source/fitz/colorspace.c:191
    #6 0x563d4a431318 in pdf_update_free_text_annot_appearance source/pdf/pdf-appearance.c:2226
    #7 0x563d4a434513 in pdf_update_appearance source/pdf/pdf-appearance.c:2519
    #8 0x563d4a418363 in pdf_load_annots source/pdf/pdf-annot.c:473
    #9 0x563d4a48e635 in pdf_load_page source/pdf/pdf-page.c:1083
    #10 0x563d4a2b6f0f in fz_load_page source/fitz/document.c:313
    #11 0x563d4a244a33 in drawpage source/tools/mudraw.c:1044
    #12 0x563d4a24618e in drawrange source/tools/mudraw.c:1209
    #13 0x563d4a24a2eb in mudraw_main source/tools/mudraw.c:1921
    #14 0x563d4a23d820 in main source/tools/mutool.c:127
    #15 0x7f5e740cb560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)

previously allocated by thread T0 here:
    #0 0x7f5e74a58c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x563d4a37fd4f in fz_malloc_default source/fitz/memory.c:227
    #2 0x563d4a37ef0f in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x563d4a37f60d in fz_calloc source/fitz/memory.c:124
    #4 0x563d4a290e6d in fz_new_colorspace source/fitz/colorspace.c:162
    #5 0x563d4a2aaf5f in fz_new_icc_colorspace source/fitz/colorspace.c:3709
    #6 0x563d4a295756 in fz_set_cmm_engine source/fitz/colorspace.c:755
    #7 0x563d4a29593a in fz_new_colorspace_context source/fitz/colorspace.c:773
    #8 0x563d4a2ae647 in fz_new_context_imp source/fitz/context.c:247
    #9 0x563d4a24868f in mudraw_main source/tools/mudraw.c:1591
    #10 0x563d4a23d820 in main source/tools/mutool.c:127
    #11 0x7f5e740cb560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)

Comment 1 Sebastian Rasmussen 2017-12-19 14:59:24 UTC
A proposed patch to resolve this is available in 321ba1de287016b0036bf4a56ce774ad11763384.

Comment 2 Sebastian Rasmussen 2017-12-20 05:33:57 UTC
Fixed in

commit 321ba1de287016b0036bf4a56ce774ad11763384
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Dec 19 23:47:47 2017 +0100

    Bug 698825: Do not drop borrowed colorspaces.

    Previously the borrowed colorspace was dropped when updating annotation
    appearances, leading to use after free warnings from valgrind/ASAN.
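The ownership rule behind the fix (drop only references you own; if you need a borrowed object to stay alive, keep it first and drop only that keep) can be shown with a small reference-counted stand-in. This is an added example, not MuPDF's code; the `colorspace` type and the `update_appearance_*` functions are hypothetical.

```c
#include <stdlib.h>

/* Minimal reference-counted object standing in for a colorspace. Added
 * illustration of the ownership rule behind the fix, not MuPDF's code. */
typedef struct {
    int refs;
    int n;   /* number of components, e.g. 3 for RGB */
} colorspace;

static colorspace *new_colorspace(int n)
{
    colorspace *cs = calloc(1, sizeof *cs);
    if (!cs) abort();
    cs->refs = 1;   /* the creator owns this reference */
    cs->n = n;
    return cs;
}

static colorspace *keep_colorspace(colorspace *cs)
{
    if (cs) cs->refs++;
    return cs;
}

/* Returns 1 if this drop released the last reference and freed the object. */
static int drop_colorspace(colorspace *cs)
{
    if (!cs) return 0;
    if (--cs->refs > 0) return 0;
    free(cs);
    return 1;
}

/* Buggy pattern: the callee only borrows the colorspace but drops it anyway.
 * If the caller held the last reference, the object is freed behind its back
 * and the caller's next access is a use-after-free. */
static int update_appearance_buggy(colorspace *borrowed)
{
    /* ... use borrowed->n here ... */
    return drop_colorspace(borrowed);    /* wrong: not ours to drop */
}

/* Corrected pattern: keep what you use, drop only what you kept, so the
 * caller's reference always survives the call. */
static int update_appearance_fixed(colorspace *borrowed)
{
    colorspace *cs = keep_colorspace(borrowed);
    /* ... use cs->n here ... */
    return drop_colorspace(cs);          /* releases only our own reference */
}
```

ASAN flags the buggy path at the owner's next access (here that would be `fz_colorspace_n` reading a freed struct); the fixed path leaves the owner's reference count untouched.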

Comment 3 Sebastian Rasmussen 2018-01-29 11:44:36 UTC
*** Bug 698873 has been marked as a duplicate of this bug. ***