Bug 698904

Summary: oss-fuzz 5609: Claimed use-of-uninitialized value in fz_drop_hash_table()
Product: MuPDF Reporter: Sebastian Rasmussen <sebastian.rasmussen>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: Minimized PDF from oss-fuzz.

Description Sebastian Rasmussen 2018-01-23 15:25:53 UTC
Created attachment 14634 [details]
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz/5609.pdf

leads to

error: cannot recognize version marker
warning: trying to repair broken xref
warning: repairing PDF document
warning: object missing 'endobj' token
warning: ... repeated 3 times ...
warning: expected 'endobj' or 'stream' keyword (1 0 R)
warning: expected 'endobj' or 'stream' keyword (2 0 R)
warning: expected 'endobj' or 'stream' keyword (4 0 R)
warning: expected 'endobj' or 'stream' keyword (6 0 R)
warning: expected 'endobj' or 'stream' keyword (7 0 R)
warning: expected 'endobj' or 'stream' keyword (9 0 R)
warning: expected 'endobj' or 'stream' keyword (14 0 R)
warning: expected 'endobj' or 'stream' keyword (17 0 R)
warning: non-page object in page tree ()
warning: non-positive sample function dimension size
warning: unknown font format, guessing type1 or truetype.
error: unknown keyword: 'ends'
page ./oss-fuzz/5609.pdf 1warning: lcms error: Wrong output color space on transform
error: cmsCreateTransform failed
=================================================================
==17330==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000718 at pc 0x563913143a4d bp 0x7ffdde9f9fc0 sp 0x7ffdde9f9fb8
READ of size 8 at 0x606000000718 thread T0
    #0 0x563913143a4c in fz_fin_cached_color_converter source/fitz/colorspace.c:3679
    #1 0x5639131815ba in fz_paint_shade source/fitz/draw-mesh.c:353
    #2 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #3 0x56391314d36c in fz_fill_shade source/fitz/device.c:320
    #4 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727
    #5 0x5639130d935d in drawband source/tools/mudraw.c:487
    #6 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887
    #7 0x5639130df510 in drawpage source/tools/mudraw.c:1180
    #8 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209
    #9 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919
    #10 0x5639130d70f0 in main source/tools/mutool.c:127
    #11 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x5639130d6909 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x155909)

0x606000000718 is located 56 bytes inside of 64-byte region [0x6060000006e0,0x606000000720)
freed by thread T0 here:
    #0 0x7f7e361808c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x563913219d55 in fz_free_default source/fitz/memory.c:239
    #2 0x563913219c27 in fz_free source/fitz/memory.c:201
    #3 0x56391314398b in fz_init_cached_color_converter source/fitz/colorspace.c:3665
    #4 0x56391317fd7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #5 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #6 0x56391314d36c in fz_fill_shade source/fitz/device.c:320
    #7 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727
    #8 0x5639130d935d in drawband source/tools/mudraw.c:487
    #9 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887
    #10 0x5639130df510 in drawpage source/tools/mudraw.c:1180
    #11 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209
    #12 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919
    #13 0x5639130d70f0 in main source/tools/mutool.c:127
    #14 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f7e36180c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x563913219d0e in fz_malloc_default source/fitz/memory.c:227
    #2 0x563913218ece in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x5639132195cc in fz_calloc source/fitz/memory.c:124
    #4 0x563913143663 in fz_init_cached_color_converter source/fitz/colorspace.c:3648
    #5 0x56391317fd7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #6 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #7 0x56391314d36c in fz_fill_shade source/fitz/device.c:320
    #8 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727
    #9 0x5639130d935d in drawband source/tools/mudraw.c:487
    #10 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887
    #11 0x5639130df510 in drawpage source/tools/mudraw.c:1180
    #12 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209
    #13 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919
    #14 0x5639130d70f0 in main source/tools/mutool.c:127
    #15 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/colorspace.c:3679 in fz_fin_cached_color_converter
==17330==ABORTING
Comment 1 Sebastian Rasmussen 2018-01-23 16:22:42 UTC
I have a set of tentative patches awaiting review in commits bfc8340544d32fc819d681bf1cec68abb415985d and b950cd1b35ebb0fc87c6692628880f18e9b2240e.
Comment 2 Sebastian Rasmussen 2018-01-26 09:08:46 UTC
Fixed in commits

commit 8fdad62ddb46f8798643e9b1a564a2af8b12411d
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:59:35 2018 +0100

    Bug 698904: Drop pixmap only once upon error when painting shades.
    
    If fz_new_pixmap_with_bbox() threw conv would be NULL and temp would
    be pointing to a pixmap that would be dropped 2 times.
    
    If fz_clone_pixmap_area_with_different_seps() threw temp and conv
    would be pointing to the same pixmap that would be dropped 3 times.


commit 83d4dae44c71816c084a635550acc1a51529b881
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 16:43:59 2018 +0100

    Bug 698904: Upon error both free color converter and clear its pointer.
    
    Without this change future calls to fz_fin_cached_color_converter()
    will try to dereference the already freed pointer.
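The second commit describes a classic error-path defect: the converter's cache is freed when initialisation fails, but the pointer to it is left dangling, so the unconditional cleanup call to fz_fin_cached_color_converter() frees (and reads) it again. The following added example is not MuPDF code; it models that bug and its fix with hypothetical names (cache_t, converter_t, init_converter_buggy, init_converter_fixed, fin_converter, paint_shade) and counts frees instead of releasing memory, so the double free can be observed rather than aborted on by ASan.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the cache allocated by fz_calloc() and the
 * fz_color_converter that owns it. "freed" counts how often free_cache()
 * was called: 1 is correct, 2 is the double free / use-after-free. */
typedef struct { int freed; } cache_t;
typedef struct { cache_t *cache; } converter_t;

static void free_cache(cache_t *c) { if (c) c->freed++; }

/* Buggy init (pre-fix behaviour): on failure the cache is freed but the
 * pointer inside the converter is left dangling. */
static int init_converter_buggy(converter_t *cc, cache_t *storage, int fail)
{
    cc->cache = storage;                   /* allocation succeeded */
    if (fail) {                            /* a later step "throws" */
        free_cache(cc->cache);             /* freed ... */
        return -1;                         /* ... but cc->cache still points at it */
    }
    return 0;
}

/* Fixed init: free and clear the pointer together, so a later fin is a no-op. */
static int init_converter_fixed(converter_t *cc, cache_t *storage, int fail)
{
    cc->cache = storage;
    if (fail) {
        free_cache(cc->cache);
        cc->cache = NULL;                  /* the one-line fix */
        return -1;
    }
    return 0;
}

/* Cleanup always runs, whether init succeeded or not; it derefs cc->cache
 * if non-NULL, which with the buggy init is the reported UAF. */
static void fin_converter(converter_t *cc)
{
    if (cc->cache) { free_cache(cc->cache); cc->cache = NULL; }
}

/* Caller shaped like fz_paint_shade(): init may fail, fin runs in the
 * always-cleanup path. Returns the total number of frees of the cache. */
static int paint_shade(int use_fixed, int fail)
{
    cache_t storage = { 0 };
    converter_t cc = { NULL };
    int rc = use_fixed ? init_converter_fixed(&cc, &storage, fail)
                       : init_converter_buggy(&cc, &storage, fail);
    (void)rc;                              /* error is reported, cleanup still runs */
    fin_converter(&cc);
    return storage.freed;
}
```

Running paint_shade(0, 1) shows the buggy path freeing the cache twice, which is what ASan flagged as heap-use-after-free in fz_fin_cached_color_converter; paint_shade(1, 1) frees it exactly once.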