Summary: | heap-use-after-free at mupdf/source/fitz/svg-device.c:507:9 | ||
---|---|---|---|
Product: | MuPDF | Reporter: | Suhwan <prada960808> |
Component: | fuzzing | Assignee: | MuPDF bugs <mupdf-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ghshoals, sebastian.rasmussen |
Priority: | P4 | ||
Version: | master | ||
Hardware: | PC | ||
OS: | Linux | ||
Customer: | Word Size: | --- | |
Attachments: | file which triggers heap use after free |
In git-master, this UAF is triggered. Please confirm. Thanks. Env OS: Ubuntu 18.04 64bit Version: commit a1e68d36d007ad8cda480c586b77e1d5af77a495 Steps to reproduce: 1.Download the POC files. 2.Compile the source code with ASan. 3.Execute the following command ./mutool draw -o tmp_.svg -R 832 -r 5 -w 460 -h 22 -W 601 -H 178 -S 47 -G 0.72 $PoC This bug was fixed by commit 8719e07834d6a72b6b4131539e49ed1e8e2ff79e (In reply to theshoals from comment #2) > This bug was fixed by commit 8719e07834d6a72b6b4131539e49ed1e8e2ff79e I agree, this was indeed fixed by the commit below. Moreoever I verified that the issue does not exist on current master commit b6570e41cf24b53a8c98b35da12e0d082705f72b either commit 8719e07834d6a72b6b4131539e49ed1e8e2ff79e Author: Tor Andersson <tor.andersson@artifex.com> Date: Wed Jun 3 18:10:43 2020 +0200 Bug 701295: Fix use of stale pointer after realloc. fz_run_t3_glyph may cause recursion, which means that svg_dev_text_span_as_path_defs needs to be re-entrant at that point. Recalculate the 'fnt' pointer from the sdev->fonts array after calling a function that may trigger an array realloc. |
Created attachment 17820 [details] file which triggers heap use after free Description: There's a heap-use-after-free at mupdf/source/fitz/svg-device.c:507:9 in svg_dev_text_span_as_paths_defs. Step to Reproduce: I ran following command line to trigger this issue. mutool draw -o tmp_.svg -R 832 -r 5 -w 460 -h 22 -W 601 -H 178 -S 47 -G 0.72 221.pdf Here's ASAN log. ==26059==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002e038 at pc 0x0000007f69af bp 0x7ffd93a92550 sp 0x7ffd93a92548 READ of size 8 at 0x61100002e038 thread T0 #0 0x7f69ae in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:507:9 #1 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10 #2 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4 #3 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5 #4 0x4fc5ce in dodrawpage mupdf/source/tools/mudraw.c:680:5 #5 0x501592 in drawpage mupdf/source/tools/mudraw.c:1165:3 #6 0x4f9c5a in drawrange mupdf/source/tools/mudraw.c:1181:6 #7 0x4f6ba4 in mudraw_main mupdf/source/tools/mudraw.c:1914:7 #8 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12 #9 0x7f1fab30fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #10 0x41c019 in _start (mupdf/mutool+0x41c019) 0x61100002e038 is located 248 bytes inside of 256-byte region [0x61100002df40,0x61100002e040) freed by thread T0 here: #0 0x4a8ed8 in realloc opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:164 #1 0x71364e in do_scavenging_realloc mupdf/source/fitz/memory.c:50:7 #2 0x712a08 in fz_realloc mupdf/source/fitz/memory.c:119:6 #3 0x7f55c8 in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:444:18 #4 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10 #5 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4 #6 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5 #7 0x673cc6 in fz_run_t3_glyph mupdf/source/fitz/font.c:1675:2 #8 0x7f62cd in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:503:5 #9 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10 #10 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4 #11 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5 #12 0x4fc5ce in dodrawpage mupdf/source/tools/mudraw.c:680:5 #13 0x501592 in drawpage mupdf/source/tools/mudraw.c:1165:3 #14 0x4f9c5a in drawrange mupdf/source/tools/mudraw.c:1181:6 #15 0x4f6ba4 in mudraw_main mupdf/source/tools/mudraw.c:1914:7 #16 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12 #17 0x7f1fab30fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 previously allocated by thread T0 here: #0 0x4a8ed8 in realloc opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:164 #1 0x71364e in do_scavenging_realloc mupdf/source/fitz/memory.c:50:7 #2 0x712a08 in fz_realloc mupdf/source/fitz/memory.c:119:6 #3 0x7f55c8 in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:444:18 #4 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10 #5 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4 #6 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5 #7 0x4fc5ce in dodrawpage mupdf/source/tools/mudraw.c:680:5 #8 0x501592 in drawpage mupdf/source/tools/mudraw.c:1165:3 #9 0x4f9c5a in drawrange mupdf/source/tools/mudraw.c:1181:6 #10 0x4f6ba4 in mudraw_main mupdf/source/tools/mudraw.c:1914:7 #11 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12 #12 0x7f1fab30fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 SUMMARY: AddressSanitizer: heap-use-after-free mupdf/source/fitz/svg-device.c:507:9 in svg_dev_text_span_as_paths_defs Shadow bytes around the buggy address: 0x0c227fffdbb0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fffdbc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffdbd0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c227fffdbe0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c227fffdbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c227fffdc00: fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa 0x0c227fffdc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffdc20: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c227fffdc30: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c227fffdc40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffdc50: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==26059==ABORTING system: Ubuntu 18.04LTS CC=clang-7, CXX=clang++-7, build=sanitize