Summary: | oss-fuzz 5609: Claimed use-of-uninitialized value in fz_drop_hash_table() | ||
---|---|---|---|
Product: | MuPDF | Reporter: | Sebastian Rasmussen <sebastian.rasmussen> |
Component: | mupdf | Assignee: | MuPDF bugs <mupdf-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | P4 | ||
Version: | unspecified | ||
Hardware: | PC | ||
OS: | Linux | ||
Customer: | Word Size: | --- | |
Attachments: | Minimzed PDF from oss-fuzz. |
I have a set of tentative patches awaiting review in commits bfc8340544d32fc819d681bf1cec68abb415985d and b950cd1b35ebb0fc87c6692628880f18e9b2240e. Fixed in commits commit 8fdad62ddb46f8798643e9b1a564a2af8b12411d Author: Sebastian Rasmussen <sebras@gmail.com> Date: Wed Jan 24 00:59:35 2018 +0100 Bug 698904: Drop pixmap only once upon error when painting shades. If fz_new_pixmap_with_bbox() threw conv would be NULL and temp would be pointing to a pixmap that would be dropped 2 times. If fz_clone_pixmap_area_with_different_seps() threw temp and conv would be pointing to the same pixmap that would be dropped 3 times. commit 83d4dae44c71816c084a635550acc1a51529b881 Author: Sebastian Rasmussen <sebras@gmail.com> Date: Tue Jan 23 16:43:59 2018 +0100 Bug 698904: Upon error both free color converter and clear its pointer. Without this change future calls to fz_fin_cached_color_converter() will try to dereference the already freed pointer. |
Created attachment 14634 [details] Minimzed PDF from oss-fuzz. Running build/sanitize/mutool draw -s t ./oss-fuzz/5609.pdf leads to error: cannot recognize version marker warning: trying to repair broken xref warning: repairing PDF document warning: object missing 'endobj' token warning: ... repeated 3 times ... warning: expected 'endobj' or 'stream' keyword (1 0 R) warning: expected 'endobj' or 'stream' keyword (2 0 R) warning: expected 'endobj' or 'stream' keyword (4 0 R) warning: expected 'endobj' or 'stream' keyword (6 0 R) warning: expected 'endobj' or 'stream' keyword (7 0 R) warning: expected 'endobj' or 'stream' keyword (9 0 R) warning: expected 'endobj' or 'stream' keyword (14 0 R) warning: expected 'endobj' or 'stream' keyword (17 0 R) warning: non-page object in page tree () warning: non-positive sample function dimension size warning: unknown font format, guessing type1 or truetype. error: unknown keyword: 'ends' page ./oss-fuzz/5609.pdf 1warning: lcms error: Wrong output color space on transform error: cmsCreateTransform failed ================================================================= ==17330==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000718 at pc 0x563913143a4d bp 0x7ffdde9f9fc0 sp 0x7ffdde9f9fb8 READ of size 8 at 0x606000000718 thread T0 #0 0x563913143a4c in fz_fin_cached_color_converter source/fitz/colorspace.c:3679 #1 0x5639131815ba in fz_paint_shade source/fitz/draw-mesh.c:353 #2 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556 #3 0x56391314d36c in fz_fill_shade source/fitz/device.c:320 #4 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727 #5 0x5639130d935d in drawband source/tools/mudraw.c:487 #6 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887 #7 0x5639130df510 in drawpage source/tools/mudraw.c:1180 #8 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209 #9 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919 #10 0x5639130d70f0 in main source/tools/mutool.c:127 #11 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29) #12 0x5639130d6909 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x155909) 0x606000000718 is located 56 bytes inside of 64-byte region [0x6060000006e0,0x606000000720) freed by thread T0 here: #0 0x7f7e361808c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8) #1 0x563913219d55 in fz_free_default source/fitz/memory.c:239 #2 0x563913219c27 in fz_free source/fitz/memory.c:201 #3 0x56391314398b in fz_init_cached_color_converter source/fitz/colorspace.c:3665 #4 0x56391317fd7c in fz_paint_shade source/fitz/draw-mesh.c:250 #5 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556 #6 0x56391314d36c in fz_fill_shade source/fitz/device.c:320 #7 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727 #8 0x5639130d935d in drawband source/tools/mudraw.c:487 #9 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887 #10 0x5639130df510 in drawpage source/tools/mudraw.c:1180 #11 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209 #12 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919 #13 0x5639130d70f0 in main source/tools/mutool.c:127 #14 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29) previously allocated by thread T0 here: #0 0x7f7e36180c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20) #1 0x563913219d0e in fz_malloc_default source/fitz/memory.c:227 #2 0x563913218ece in do_scavenging_malloc source/fitz/memory.c:22 #3 0x5639132195cc in fz_calloc source/fitz/memory.c:124 #4 0x563913143663 in fz_init_cached_color_converter source/fitz/colorspace.c:3648 #5 0x56391317fd7c in fz_paint_shade source/fitz/draw-mesh.c:250 #6 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556 #7 0x56391314d36c in fz_fill_shade source/fitz/device.c:320 #8 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727 #9 0x5639130d935d in drawband source/tools/mudraw.c:487 #10 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887 #11 0x5639130df510 in drawpage source/tools/mudraw.c:1180 #12 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209 #13 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919 #14 0x5639130d70f0 in main source/tools/mutool.c:127 #15 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29) SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/colorspace.c:3679 in fz_fin_cached_color_converter Shadow bytes around the buggy address: 0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa 0x0c0c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 0x0c0c7fff80b0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa 0x0c0c7fff80c0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa 0x0c0c7fff80d0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd =>0x0c0c7fff80e0: fd fd fd[fd]fa fa fa fa fd fd fd fd fd fd fd fd 0x0c0c7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==17330==ABORTING