Bug 701292

Summary: heap-buffer-overflow at fz_chartorune in fitz/string.c:388:6
Product: MuPDF Reporter: Suhwan <prada960808>
Component: fuzzingAssignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED    
Severity: major    
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: file which triggers heap buffer overflow

Description Suhwan 2019-07-08 06:10:16 UTC
Created attachment 17818 [details]
file which triggers heap buffer overflow

There's a heap-buffer-overflow at fz_chartorune in fitz/string.c:388:6 

please run following command to reproduce ( input file : 1.pdf )

mutool clean -s 1.pdf tmp_clean.pdf

Here's ASAN Log

==17437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005cef at pc 0x0000007dee2c bp 0x7ffe5ce0d010 sp 0x7ffe5ce0d008
READ of size 1 at 0x602000005cef thread T0
    #0 0x7dee2b in fz_chartorune mupdf/source/fitz/string.c:388:6
    #1 0xb4ae76 in walk_string mupdf/source/pdf/pdf-op-filter.c:557:11
    #2 0xb4ae76 in mcid_char_imp mupdf/source/pdf/pdf-op-filter.c:612
    #3 0xb49d2e in mcid_char mupdf/source/pdf/pdf-op-filter.c:650:3
    #4 0xb49d2e in filter_string_to_segment mupdf/source/pdf/pdf-op-filter.c:706
    #5 0xb487df in filter_show_string mupdf/source/pdf/pdf-op-filter.c:779:3
    #6 0xb1b51e in pdf_process_keyword mupdf/source/pdf/pdf-interpret.c
    #7 0xb14365 in pdf_process_stream mupdf/source/pdf/pdf-interpret.c:931:6
    #8 0xb12db2 in pdf_process_contents mupdf/source/pdf/pdf-interpret.c:1026:3
    #9 0xae304e in pdf_filter_page_contents mupdf/source/pdf/pdf-clean.c:221:4
    #10 0xae2939 in pdf_clean_page_contents mupdf/source/pdf/pdf-clean.c:169:2
    #11 0x91002d in clean_content_streams mupdf/source/pdf/pdf-write.c:2883:4
    #12 0x90468f in prepare_for_save mupdf/source/pdf/pdf-write.c:3108:3
    #13 0x90ea59 in pdf_save_document mupdf/source/pdf/pdf-write.c:3521:2
    #14 0x8453a8 in pdf_clean_file mupdf/source/pdf/pdf-clean-file.c:334:3
    #15 0x53640f in pdfclean_main mupdf/source/tools/pdfclean.c:117:3
    #16 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12
    #17 0x7f2176234b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #18 0x41c019 in _start (mupdf/mutool+0x41c019)

0x602000005cef is located 1 bytes to the left of 1-byte region [0x602000005cf0,0x602000005cf1)
allocated by thread T0 here:
    #0 0x4a8b40 in malloc opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:145
    #1 0x70e69b in do_scavenging_malloc mupdf/source/fitz/memory.c:30:7
    #2 0x70e69b in fz_malloc mupdf/source/fitz/memory.c:68
    #3 0x8e7335 in pdf_new_utf8_from_pdf_string mupdf/source/pdf/pdf-parse.c
    #4 0x8ea236 in pdf_new_utf8_from_pdf_string_obj mupdf/source/pdf/pdf-parse.c:259:9
    #5 0xb3d245 in pdf_filter_BDC mupdf/source/pdf/pdf-op-filter.c:1716:18
    #6 0xb1c5f3 in pdf_process_BDC mupdf/source/pdf/pdf-interpret.c:487:3
    #7 0xb1c5f3 in pdf_process_keyword mupdf/source/pdf/pdf-interpret.c:762
    #8 0xb14365 in pdf_process_stream mupdf/source/pdf/pdf-interpret.c:931:6
    #9 0xb12db2 in pdf_process_contents mupdf/source/pdf/pdf-interpret.c:1026:3
    #10 0xae304e in pdf_filter_page_contents mupdf/source/pdf/pdf-clean.c:221:4
    #11 0xae2939 in pdf_clean_page_contents mupdf/source/pdf/pdf-clean.c:169:2
    #12 0x91002d in clean_content_streams mupdf/source/pdf/pdf-write.c:2883:4
    #13 0x90468f in prepare_for_save mupdf/source/pdf/pdf-write.c:3108:3
    #14 0x90ea59 in pdf_save_document mupdf/source/pdf/pdf-write.c:3521:2
    #15 0x8453a8 in pdf_clean_file mupdf/source/pdf/pdf-clean-file.c:334:3
    #16 0x53640f in pdfclean_main mupdf/source/tools/pdfclean.c:117:3
    #17 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12
    #18 0x7f2176234b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow mupdf/source/fitz/string.c:388:6 in fz_chartorune
Shadow bytes around the buggy address:
  0x0c047fff8b40: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 07 fa
  0x0c047fff8b50: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 07 fa
  0x0c047fff8b60: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 00 00
  0x0c047fff8b70: fa fa 07 fa fa fa 00 01 fa fa 00 fa fa fa 07 fa
  0x0c047fff8b80: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 07 fa
=>0x0c047fff8b90: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa[fa]01 fa
  0x0c047fff8ba0: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8bb0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8bc0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8bd0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8be0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==17437==ABORTING
Comment 1 Tor Andersson 2019-07-26 18:12:26 UTC
commit 97096297d409ec6f206298444ba00719607e8ba8
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Thu Jul 25 12:10:01 2019 +0200

    Bug 701292: Fix test for missing/empty string.