Bug 698884

Summary: oss-fuzz 5494: ASAN claims stack buffer overflow
Product: MuPDF
Reporter: Sebastian Rasmussen <sebastian.rasmussen>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: Minimized PDF from oss-fuzz.

Description Sebastian Rasmussen 2018-01-22 06:17:23 UTC
Created attachment 14616 [details]
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz-5494.pdf

causes

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: object missing 'endobj' token
warning: ignoring invalid character in hex string
warning: ... repeated 4 times ...
warning: bf_range limits out of range in cmap pdfapi2-MyReCBH~1380294183+0
warning: ignoring invalid character in hex string
warning: ... repeated 145 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 43 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 9 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 18 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 3 times ...
error: zlib error: invalid distance too far back
warning: read error; treating as end of file
=================================================================
==5807==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd78f41c0 at pc 0x5606bdc11dd4 bp 0x7fffd78f40c0 sp 0x7fffd78f40b8
WRITE of size 4 at 0x7fffd78f41c0 thread T0
    #0 0x5606bdc11dd3 in pdf_lookup_cmap_full source/pdf/pdf-cmap.c:845
    #1 0x5606bdb20a05 in pdf_remap_cmap_range source/pdf/pdf-unicode.c:18
    #2 0x5606bdb20dcc in pdf_remap_cmap source/pdf/pdf-unicode.c:45
    #3 0x5606bdb21141 in pdf_load_to_unicode source/pdf/pdf-unicode.c:78
    #4 0x5606bdacd16d in load_cid_font source/pdf/pdf-font.c:1135
    #5 0x5606bdace016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #6 0x5606bdacf5e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #7 0x5606bdc24f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #8 0x5606bdc2b5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #9 0x5606bdc2ecdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #10 0x5606bdc2f68b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #11 0x5606bdb18f89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #12 0x5606bdb19432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #13 0x5606bd9316c6 in fz_run_page_contents source/fitz/document.c:368
    #14 0x5606bd931988 in fz_run_page source/fitz/document.c:400
    #15 0x5606bd8bf44a in drawpage source/tools/mudraw.c:1091
    #16 0x5606bd8c05d7 in drawrange source/tools/mudraw.c:1209
    #17 0x5606bd8c45c4 in mudraw_main source/tools/mudraw.c:1919
    #18 0x5606bd8b7c70 in main source/tools/mutool.c:127
    #19 0x7fb0cc157f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #20 0x5606bd8b7489 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153489)

Address 0x7fffd78f41c0 is located in stack of thread T0 at offset 64 in frame
    #0 0x5606bdb20943 in pdf_remap_cmap_range source/pdf/pdf-unicode.c:11

  This frame has 1 object(s):
    [32, 64) 'ucsbuf' <== Memory access at offset 64 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow source/pdf/pdf-cmap.c:845 in pdf_lookup_cmap_full
Shadow bytes around the buggy address:
  0x10007af167e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af167f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007af16830: f1 f1 f1 f1 00 00 00 00[f3]f3 f3 f3 00 00 00 00
  0x10007af16840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5807==ABORTING
Comment 1 Sebastian Rasmussen 2018-02-01 12:54:03 UTC
A different variation of bug 698883.

*** This bug has been marked as a duplicate of bug 698883 ***