Summary: | oss-fuzz 6010: Null-dereference READ in fz_paint_pixmap_with_mask | |
---|---|---|---
Product: | MuPDF | Reporter: | Sebastian Rasmussen <sebastian.rasmussen>
Component: | mupdf | Assignee: | MuPDF bugs <mupdf-bugs>
Status: | RESOLVED FIXED | |
Severity: | normal | |
Priority: | P4 | |
Version: | unspecified | |
Hardware: | PC | |
OS: | Linux | |
Customer: | | Word Size: | ---
Attachments: | Minimized PDF from oss-fuzz. (attachment 15544); Minimized PDF from oss-fuzz. (attachment 15545) | |
Created attachment 15545 [details]
Minimized PDF from oss-fuzz.

Another, related issue resulting in an assert:

```
build/sanitize/mutool draw -D -s t oss-fuzz-8018.pdf
error: cannot recognize version marker
warning: trying to repair broken xref
warning: repairing PDF document
warning: object missing 'endobj' token
warning: ... repeated 4 times ...
warning: invalid indirect reference in dict
warning: expected 'endobj' or 'stream' keyword (2 0 R)
warning: invalid indirect reference in dict
warning: expected 'endobj' or 'stream' keyword (6 0 R)
warning: expected 'endobj' or 'stream' keyword (9 0 R)
warning: expected 'endobj' or 'stream' keyword (17 0 R)
error: syntax error in object (29 0 R)
warning: ignoring broken object (29 0 R)
warning: expected 'endobj' or 'stream' keyword (30 0 R)
warning: non-page object in page tree ()
page oss-fuzz-8018.pdf 1warning: premature end of data in flate filter
[...]
error: unknown keyword: 'l76'
error: unknown keyword: 'l7h76'
error: unknown keyword: 'n76'
error: unknown keyword: 'n76'
error: syntax error in content stream
error: unknown keyword: 'l7'
warning: premature end of data in flate filter
mutool: source/fitz/draw-device.c:2439: fz_draw_end_group: Assertion `state[0].dest != state[1].dest' failed.
Aborted
```
Fixed in commit 985fdcfc117a3bd4bc097cdcae8347b3787fbab2

Author: Sebastian Rasmussen <sebras@gmail.com>
Date: Wed Aug 22 22:39:56 2018 +0800

Bug 699695: Remember to end groups/softmasks even upon exception.

fz_fill_path() may throw an exception halfway through pdf_show_path(), which in this case would not attempt to end any begun groups or softmasks. This led to e.g. leaks of pixmaps held by a group that was never ended.

Moving the cleanup to the always block is not foolproof because the cleanup code itself may also throw exceptions, hence preventing the end of the fz_always block from being executed. This commit does put pdf_show_path() in the same situation as pdf_run_xobject() that has the same problem with its cleanup code.

Thanks to oss-fuzz for reporting.
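The commit message describes a cleanup-ordering problem that is easy to reproduce in isolation: a group begun before a call that can throw is never ended if the throw unwinds past the straight-line `end_group()`, and moving the cleanup into the always path only helps as long as the cleanup itself cannot throw. The program below is an added example written for this page, not MuPDF code and not the actual fix in commit 985fdcfc. It models MuPDF's fz_try/fz_always/fz_catch discipline with a toy setjmp/longjmp try stack; `try_call`, `throw_error`, `run_page`, the `live_pixmaps` counters and the `fill_fails`/`softmask_end_fails` knobs are all constructed names. It shows three cases: the pre-fix `pdf_show_path()` shape leaking one pixmap when the fill throws, the fixed shape ending the group on the always path and rethrowing, and the caveat where a cleanup that throws skips the cleanup after it.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for fz_try/fz_always/fz_catch: a stack of jmp_bufs.
 * Constructed for this example; not MuPDF's implementation. */
#define MAX_TRY 8
static jmp_buf try_stack[MAX_TRY];
static int try_top;

/* Unwind to the innermost enclosing try frame (stand-in for fz_throw). */
static void throw_error(void)
{
    if (try_top <= 0)
        abort();                    /* no handler at all: fatal */
    longjmp(try_stack[try_top - 1], 1);
}

/* Run fn under a try frame. Returns 1 if fn threw, 0 if it completed. */
static int try_call(void (*fn)(void))
{
    if (try_top >= MAX_TRY)
        abort();
    if (setjmp(try_stack[try_top]) == 0) {
        try_top++;
        fn();
        try_top--;
        return 0;
    }
    try_top--;                      /* longjmp landed here: pop our frame */
    return 1;
}

/* Toy draw-device state: each begun group or softmask holds one pixmap.
 * A pixmap still counted as live when the page ends is a leak. */
static int live_pixmaps, groups_open, softmasks_open;

/* Knobs: simulate fz_fill_path() failing, or the softmask cleanup failing. */
static int fill_fails, softmask_end_fails;

static void begin_group(void)    { live_pixmaps++; groups_open++; }
static void end_group(void)      { if (groups_open <= 0) abort(); groups_open--; live_pixmaps--; }
static void begin_softmask(void) { live_pixmaps++; softmasks_open++; }
static void end_softmask(void)
{
    if (softmask_end_fails)
        throw_error();              /* the "cleanup code may also throw" case */
    if (softmasks_open <= 0) abort();
    softmasks_open--; live_pixmaps--;
}
static void fill_path(void)      { if (fill_fails) throw_error(); }

/* Before the fix: straight-line begin/fill/end. A throw in fill_path()
 * unwinds past end_group(), so the group's pixmap is never freed. */
static void show_path_before_fix(void)
{
    begin_group();
    fill_path();
    end_group();
}

/* After the fix: end the group on the always path, then rethrow. */
static void show_path_after_fix(void)
{
    int threw;
    begin_group();
    threw = try_call(fill_path);    /* fz_try body */
    end_group();                    /* fz_always cleanup */
    if (threw)
        throw_error();              /* fz_catch: rethrow to the caller */
}

/* The caveat: two cleanups on the always path. If end_softmask() throws,
 * the unwind leaves the block and end_group() never runs. */
static void show_path_two_cleanups(void)
{
    int threw;
    begin_group();
    begin_softmask();
    threw = try_call(fill_path);
    end_softmask();                 /* may throw and abandon end_group() */
    end_group();
    if (threw)
        throw_error();
}

/* Drive one operation the way mudraw drives a page: catch the error, carry
 * on, and report how many pixmaps are still live (0 means no leak). */
static int run_page(void (*op)(void), int fill_fail, int cleanup_fail)
{
    try_top = 0;
    live_pixmaps = groups_open = softmasks_open = 0;
    fill_fails = fill_fail;
    softmask_end_fails = cleanup_fail;
    if (try_call(op))
        printf("warning: unrecoverable error; ignoring rest of page\n");
    return live_pixmaps;
}

int main(void)
{
    printf("before fix, fill throws:   %d leaked\n", run_page(show_path_before_fix, 1, 0));
    printf("after fix, fill throws:    %d leaked\n", run_page(show_path_after_fix, 1, 0));
    printf("after fix, cleanup throws: %d leaked\n", run_page(show_path_two_cleanups, 1, 1));
    return 0;
}
```

The second case is what the commit restores: the group is ended whether or not the fill succeeded, and the error still reaches the caller. The third case is the residual risk the message points at, and the reason the cleanup order matters; in real MuPDF code the same reasoning applies to any fz_always block that calls more than one function able to throw.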
Created attachment 15544 [details]
Minimized PDF from oss-fuzz.

Running build/sanitize/mutool draw -D -s t oss-fuzz-6010.pdf results in

```
error: cannot find startxref
warning: trying to repair broken xref
warning: repairing PDF document
error: invalid key in dict
error: invalid key in dict
warning: object missing 'endobj' token
error: invalid key in dict
warning: ignoring broken object (6 0 R)
error: invalid key in dict
warning: ignoring broken object (29 0 R)
warning: expected 'endobj' or 'stream' keyword (43 0 R)
warning: expected 'endobj' or 'stream' keyword (44 0 R)
error: cannot create appearance stream
warning: cannot create appearance stream
error: cannot create appearance stream
warning: cannot create appearance stream
error: cannot create appearance stream
warning: cannot create appearance stream
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
page oss-fuzz-6010.pdf 1error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: zlib error: invalid distance too far back
warning: read error; treating as end of file
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
warning: ignoring zlib error: incorrect data check
warning: ... repeated 3 times ...
warning: lcms error: Couldn't link the profiles
error: cmsCreateTransform failed
warning: unrecoverable error; ignoring rest of page
warning: items left on stack in draw device: 1
 7ms
total 7ms / 1 pages for an average of 7ms
fastest page 1: 7ms
slowest page 1: 7ms

=================================================================
==13151==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e3960f1 in fz_calloc source/fitz/memory.c:125
    #4 0x558e3e3c82cc in fz_new_pixmap_with_data source/fitz/pixmap.c:49
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e509c in fz_draw_begin_group source/fitz/draw-device.c:2318
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e3960f1 in fz_calloc source/fitz/memory.c:125
    #4 0x558e3e3c82cc in fz_new_pixmap_with_data source/fitz/pixmap.c:49
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e4f37 in fz_draw_begin_group source/fitz/draw-device.c:2308
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Indirect leak of 6480 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e395e2a in fz_malloc_array source/fitz/memory.c:89
    #4 0x558e3e3c88ea in fz_new_pixmap_with_data source/fitz/pixmap.c:81
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e4f37 in fz_draw_begin_group source/fitz/draw-device.c:2308
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Indirect leak of 2160 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e395e2a in fz_malloc_array source/fitz/memory.c:89
    #4 0x558e3e3c88ea in fz_new_pixmap_with_data source/fitz/pixmap.c:81
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e509c in fz_draw_begin_group source/fitz/draw-device.c:2318
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: 8816 byte(s) leaked in 4 allocation(s).
```