Bug 698892

Summary: oss-fuzz 5521: Claimed use-after-free of colorspace
Product: MuPDF
Reporter: Sebastian Rasmussen <sebastian.rasmussen>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: Minimized PDF from oss-fuzz.

Description Sebastian Rasmussen 2018-01-22 07:38:08 UTC
Created attachment 14623
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz-5521.pdf

causes

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring invalid character in hex string
warning: ... repeated 18 times ...
warning: object missing 'endobj' token
error: pdf object stream missing (9 0 R)
error: unknown keyword: 'eam'
error: syntax error in content stream
error: syntax error in content stream
error: syntax error in content stream
error: syntax error in content stream
error: pdf object stream missing (9 0 R)
error: syntax error in content stream
warning: invalid indirect reference in dict
error: syntax error in content stream
page ./oss-fuzz-5521.pdf 1
=================================================================
==9996==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000040 at pc 0x55c4d15fe83e bp 0x7ffebc4dfbe0 sp 0x7ffebc4dfbd8
READ of size 4 at 0x613000000040 thread T0
    #0 0x55c4d15fe83d in fz_keep_imp source/fitz/fitz-imp.h:135
    #1 0x55c4d15fecb2 in fz_keep_storable source/fitz/store.c:74
    #2 0x55c4d15fed4a in fz_keep_key_storable source/fitz/store.c:97
    #3 0x55c4d14ace50 in fz_keep_colorspace source/fitz/colorspace.c:276
    #4 0x55c4d15695a1 in fz_run_display_list source/fitz/list-device.c:1477
    #5 0x55c4d145b09d in drawband source/tools/mudraw.c:487
    #6 0x55c4d145eec1 in dodrawpage source/tools/mudraw.c:887
    #7 0x55c4d1461250 in drawpage source/tools/mudraw.c:1180
    #8 0x55c4d1461797 in drawrange source/tools/mudraw.c:1209
    #9 0x55c4d1465784 in mudraw_main source/tools/mudraw.c:1919
    #10 0x55c4d1458e30 in main source/tools/mutool.c:130
    #11 0x7f015b334f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x55c4d1458649 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153649)

0x613000000040 is located 0 bytes inside of 376-byte region [0x613000000040,0x6130000001b8)
freed by thread T0 here:
    #0 0x7f015bd0c8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55c4d159c239 in fz_free_default source/fitz/memory.c:239
    #2 0x55c4d159c10b in fz_free source/fitz/memory.c:201
    #3 0x55c4d14ac982 in fz_drop_colorspace_imp source/fitz/colorspace.c:229
    #4 0x55c4d15ffac5 in fz_drop_key_storable source/fitz/store.c:218
    #5 0x55c4d14ace75 in fz_drop_colorspace source/fitz/colorspace.c:282
    #6 0x55c4d17ea8e3 in pdf_drop_material source/pdf/pdf-op-run.c:238
    #7 0x55c4d17fb256 in pdf_drop_run_processor source/pdf/pdf-op-run.c:2026
    #8 0x55c4d17c64f5 in pdf_drop_processor source/pdf/pdf-interpret.c:35
    #9 0x55c4d16baa82 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:90
    #10 0x55c4d16bad8c in pdf_run_page_contents source/pdf/pdf-run.c:110
    #11 0x55c4d14d3020 in fz_run_page_contents source/fitz/document.c:368
    #12 0x55c4d14d32e2 in fz_run_page source/fitz/document.c:400
    #13 0x55c4d146060a in drawpage source/tools/mudraw.c:1091
    #14 0x55c4d1461797 in drawrange source/tools/mudraw.c:1209
    #15 0x55c4d1465784 in mudraw_main source/tools/mudraw.c:1919
    #16 0x55c4d1458e30 in main source/tools/mutool.c:130
    #17 0x7f015b334f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f015bd0cc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55c4d159c1f2 in fz_malloc_default source/fitz/memory.c:227
    #2 0x55c4d159b3b2 in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x55c4d159bab0 in fz_calloc source/fitz/memory.c:124
    #4 0x55c4d14acae3 in fz_new_colorspace source/fitz/colorspace.c:252
    #5 0x55c4d14c6ab4 in fz_new_icc_colorspace source/fitz/colorspace.c:3805
    #6 0x55c4d14b1342 in fz_set_cmm_engine source/fitz/colorspace.c:841
    #7 0x55c4d14b1573 in fz_new_colorspace_context source/fitz/colorspace.c:860
    #8 0x55c4d14ca1bd in fz_new_context_imp source/fitz/context.c:264
    #9 0x55c4d1463c98 in mudraw_main source/tools/mudraw.c:1591
    #10 0x55c4d1458e30 in main source/tools/mutool.c:130
    #11 0x7f015b334f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/fitz-imp.h:135 in fz_keep_imp
Shadow bytes around the buggy address:
  0x0c267fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c267fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9996==ABORTING
Comment 1 Sebastian Rasmussen 2018-02-01 16:00:04 UTC
After analyzing this issue it was revealed that the underlying cause is the same as in 698891.

*** This bug has been marked as a duplicate of bug 698891 ***