Bug 698883

Summary: oss-fuzz 5492: ASAN claims use after free in add_range()
Product: MuPDF
Reporter: Sebastian Rasmussen <sebastian.rasmussen>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: Minimized PDF from oss-fuzz.

Description Sebastian Rasmussen 2018-01-22 06:15:43 UTC
Created attachment 14615
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz-5492.pdf

causes

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring invalid character in hex string
warning: bf_range limits out of range in cmap pdfapi2-MyReCBH~1380294183+0
warning: ignoring invalid character in hex string
=================================================================
==5778==ERROR: AddressSanitizer: heap-use-after-free on address 0x623000006ce8 at pc 0x55714f622a37 bp 0x7ffc8413d6a0 sp 0x7ffc8413d698
READ of size 4 at 0x623000006ce8 thread T0
    #0 0x55714f622a36 in add_range source/pdf/pdf-cmap.c:526
    #1 0x55714f623def in pdf_map_range_to_range source/pdf/pdf-cmap.c:646
    #2 0x55714f61cab3 in pdf_parse_bf_range source/pdf/pdf-cmap-parse.c:205
    #3 0x55714f61d7b3 in pdf_load_cmap source/pdf/pdf-cmap-parse.c:325
    #4 0x55714f61af1d in pdf_load_embedded_cmap source/pdf/pdf-cmap-load.c:39
    #5 0x55714f5350fd in pdf_load_to_unicode source/pdf/pdf-unicode.c:77
    #6 0x55714f4e116d in load_cid_font source/pdf/pdf-font.c:1135
    #7 0x55714f4e2016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #8 0x55714f4e35e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #9 0x55714f638f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #10 0x55714f63f5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #11 0x55714f642cdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #12 0x55714f64368b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #13 0x55714f52cf89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #14 0x55714f52d432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #15 0x55714f3456c6 in fz_run_page_contents source/fitz/document.c:368
    #16 0x55714f345988 in fz_run_page source/fitz/document.c:400
    #17 0x55714f2d344a in drawpage source/tools/mudraw.c:1091
    #18 0x55714f2d45d7 in drawrange source/tools/mudraw.c:1209
    #19 0x55714f2d85c4 in mudraw_main source/tools/mudraw.c:1919
    #20 0x55714f2cbc70 in main source/tools/mutool.c:127
    #21 0x7fec6030af29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #22 0x55714f2cb489 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153489)

0x623000006ce8 is located 6120 bytes inside of 6144-byte region [0x623000005500,0x623000006d00)
freed by thread T0 here:
    #0 0x7fec60ce2fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55714f40e8c1 in fz_realloc_default source/fitz/memory.c:233
    #2 0x55714f40dc92 in do_scavenging_realloc source/fitz/memory.c:42
    #3 0x55714f40e49f in fz_resize_array source/fitz/memory.c:171
    #4 0x55714f6233c6 in add_range source/pdf/pdf-cmap.c:586
    #5 0x55714f6229da in add_range source/pdf/pdf-cmap.c:523
    #6 0x55714f623def in pdf_map_range_to_range source/pdf/pdf-cmap.c:646
    #7 0x55714f61cab3 in pdf_parse_bf_range source/pdf/pdf-cmap-parse.c:205
    #8 0x55714f61d7b3 in pdf_load_cmap source/pdf/pdf-cmap-parse.c:325
    #9 0x55714f61af1d in pdf_load_embedded_cmap source/pdf/pdf-cmap-load.c:39
    #10 0x55714f5350fd in pdf_load_to_unicode source/pdf/pdf-unicode.c:77
    #11 0x55714f4e116d in load_cid_font source/pdf/pdf-font.c:1135
    #12 0x55714f4e2016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #13 0x55714f4e35e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #14 0x55714f638f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #15 0x55714f63f5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #16 0x55714f642cdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #17 0x55714f64368b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #18 0x55714f52cf89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #19 0x55714f52d432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #20 0x55714f3456c6 in fz_run_page_contents source/fitz/document.c:368
    #21 0x55714f345988 in fz_run_page source/fitz/document.c:400
    #22 0x55714f2d344a in drawpage source/tools/mudraw.c:1091
    #23 0x55714f2d45d7 in drawrange source/tools/mudraw.c:1209
    #24 0x55714f2d85c4 in mudraw_main source/tools/mudraw.c:1919
    #25 0x55714f2cbc70 in main source/tools/mutool.c:127
    #26 0x7fec6030af29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7fec60ce2fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55714f40e8c1 in fz_realloc_default source/fitz/memory.c:233
    #2 0x55714f40dc92 in do_scavenging_realloc source/fitz/memory.c:42
    #3 0x55714f40e49f in fz_resize_array source/fitz/memory.c:171
    #4 0x55714f6233c6 in add_range source/pdf/pdf-cmap.c:586
    #5 0x55714f623def in pdf_map_range_to_range source/pdf/pdf-cmap.c:646
    #6 0x55714f61cab3 in pdf_parse_bf_range source/pdf/pdf-cmap-parse.c:205
    #7 0x55714f61d7b3 in pdf_load_cmap source/pdf/pdf-cmap-parse.c:325
    #8 0x55714f61af1d in pdf_load_embedded_cmap source/pdf/pdf-cmap-load.c:39
    #9 0x55714f5350fd in pdf_load_to_unicode source/pdf/pdf-unicode.c:77
    #10 0x55714f4e116d in load_cid_font source/pdf/pdf-font.c:1135
    #11 0x55714f4e2016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #12 0x55714f4e35e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #13 0x55714f638f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #14 0x55714f63f5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #15 0x55714f642cdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #16 0x55714f64368b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #17 0x55714f52cf89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #18 0x55714f52d432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #19 0x55714f3456c6 in fz_run_page_contents source/fitz/document.c:368
    #20 0x55714f345988 in fz_run_page source/fitz/document.c:400
    #21 0x55714f2d344a in drawpage source/tools/mudraw.c:1091
    #22 0x55714f2d45d7 in drawrange source/tools/mudraw.c:1209
    #23 0x55714f2d85c4 in mudraw_main source/tools/mudraw.c:1919
    #24 0x55714f2cbc70 in main source/tools/mutool.c:127
    #25 0x7fec6030af29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/pdf/pdf-cmap.c:526 in add_range
==5778==ABORTING
Comment 1 Sebastian Rasmussen 2018-01-23 14:05:39 UTC
A tentative patch is available in commit 808548c4b11bde57d639ed59b104fde718a4ab28.
Comment 2 Sebastian Rasmussen 2018-01-26 09:07:57 UTC
Fixed in

commit f597300439e62f5e921f0d7b1e880b5c1a1f1607
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 23:02:16 2018 +0100

    Bug 698883: Reset cmap splay tree pointer, handling resized tree.
    
    Without this change a resized cmap splay tree leads to using stale pointers.
Comment 3 Sebastian Rasmussen 2018-02-01 12:54:03 UTC
*** Bug 698884 has been marked as a duplicate of this bug. ***
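The traces above show the shape of the defect: add_range at pdf-cmap.c:523 recurses into itself, the inner call grows the tree array through fz_resize_array (line 586, the realloc that frees the old block), and the outer call then reads through its pre-resize pointer at line 526. The following is an added example, not MuPDF's code or the fix in commit f597300: a constructed range tree kept in one realloc-grown node array (node_t, tree_t, new_node, insert_stale, insert_safe and add_range are all hypothetical names), with the stale-pointer form beside the form that re-derives the pointer after the resize, which is the class of fix the commit message describes.

```c
/* Added example, not MuPDF's code: a minimal range tree kept in one
 * realloc-grown node array, reproducing the pattern behind this bug (a
 * node_t* held across a recursive insert that resizes the array) and the
 * fix of re-deriving the pointer from the tree after that call. */
#include <stdlib.h>

typedef struct { int low, high, out, left, right; } node_t; /* links are indices */
typedef struct { node_t *nodes; int root, len, cap, resizes; } tree_t;

/* Append a node, growing the array when full. Every node_t* taken before
 * this call may now point into freed memory. */
static int new_node(tree_t *t, int low, int high, int out)
{
    if (t->len == t->cap) {
        int cap = t->cap ? 2 * t->cap : 1;
        node_t *p = realloc(t->nodes, cap * sizeof *p);
        if (!p) abort();
        t->nodes = p; t->cap = cap; t->resizes++;
    }
    t->nodes[t->len] = (node_t){ low, high, out, -1, -1 };
    return t->len++;
}

/* BUGGY form: n is taken once; when new_node() reallocates, the store
 * through link is the heap-use-after-free ASAN reports. Not called below. */
void insert_stale(tree_t *t, int at, int low, int high, int out)
{
    node_t *n = &t->nodes[at];
    int *link = low < n->low ? &n->left : &n->right;
    if (*link < 0) *link = new_node(t, low, high, out); /* n is stale here */
    else insert_stale(t, *link, low, high, out);
}

/* FIXED form: keep the index, let the allocation happen, then re-derive
 * the node pointer from t->nodes before writing the child link. */
void insert_safe(tree_t *t, int at, int low, int high, int out)
{
    int goleft = low < t->nodes[at].low;
    int child = goleft ? t->nodes[at].left : t->nodes[at].right;
    if (child >= 0) { insert_safe(t, child, low, high, out); return; }
    child = new_node(t, low, high, out);   /* may move t->nodes */
    node_t *n = &t->nodes[at];             /* re-read after the resize */
    if (goleft) n->left = child; else n->right = child;
}

void add_range(tree_t *t, int low, int high, int out)
{
    if (t->len == 0) t->root = new_node(t, low, high, out); /* first range is the root */
    else insert_safe(t, t->root, low, high, out);
}
```

Building this with -fsanitize=address and calling insert_stale instead of insert_safe reproduces the same heap-use-after-free class of report as the one in the description; t->resizes counts how many inserts invalidated earlier pointers.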