Created attachment 13312
POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce:

mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING
Fixed in:

commit 1912de5f08e90af1d9d0a9791f58ba3afdb9d465
Author: Robin Watts <robin.watts@artifex.com>
Date:   Thu Feb 9 15:49:15 2017 +0000

    Bug 697500: Fix NULL ptr access.

    Cope better with errors during rendering - avoid letting the
    gstate stack get out of sync.

    This avoids us ever getting into the situation of popping a
    clip when we should be popping a mask or a group. This was
    causing an unexpected case in the painting.