698883 – oss-fuzz 5492: ASAN claims use after free in add_range()

Bug 698883 - oss-fuzz 5492: ASAN claims use after free in add_range()

Summary: oss-fuzz 5492: ASAN claims use after free in add_range()

Status:	RESOLVED FIXED

Alias:	None

Product:	MuPDF
Classification:	Unclassified
Component:	mupdf (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	MuPDF bugs

URL:
Keywords:

Duplicates (1):	698884 (view as bug list)
Depends on:
Blocks:

Reported:	2018-01-22 06:15 UTC by Sebastian Rasmussen
Modified:	2019-05-08 13:50 UTC (History)
CC List:	0 users

See Also:
Customer:
Word Size:	---

Attachments
Minimized PDF from oss-fuzz. (7.31 KB, application/pdf) 2018-01-22 06:15 UTC, Sebastian Rasmussen	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Rasmussen 2018-01-22 06:15:43 UTC

Created attachment 14615 [details]
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz-5492.pdf

causes

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring invalid character in hex string
warning: bf_range limits out of range in cmap pdfapi2-MyReCBH~1380294183+0
warning: ignoring invalid character in hex string
=================================================================
==5778==ERROR: AddressSanitizer: heap-use-after-free on address 0x623000006ce8 at pc 0x55714f622a37 bp 0x7ffc8413d6a0 sp 0x7ffc8413d698
READ of size 4 at 0x623000006ce8 thread T0
    #0 0x55714f622a36 in add_range source/pdf/pdf-cmap.c:526
    #1 0x55714f623def in pdf_map_range_to_range source/pdf/pdf-cmap.c:646
    #2 0x55714f61cab3 in pdf_parse_bf_range source/pdf/pdf-cmap-parse.c:205
    #3 0x55714f61d7b3 in pdf_load_cmap source/pdf/pdf-cmap-parse.c:325
    #4 0x55714f61af1d in pdf_load_embedded_cmap source/pdf/pdf-cmap-load.c:39
    #5 0x55714f5350fd in pdf_load_to_unicode source/pdf/pdf-unicode.c:77
    #6 0x55714f4e116d in load_cid_font source/pdf/pdf-font.c:1135
    #7 0x55714f4e2016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #8 0x55714f4e35e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #9 0x55714f638f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #10 0x55714f63f5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #11 0x55714f642cdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #12 0x55714f64368b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #13 0x55714f52cf89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #14 0x55714f52d432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #15 0x55714f3456c6 in fz_run_page_contents source/fitz/document.c:368
    #16 0x55714f345988 in fz_run_page source/fitz/document.c:400
    #17 0x55714f2d344a in drawpage source/tools/mudraw.c:1091
    #18 0x55714f2d45d7 in drawrange source/tools/mudraw.c:1209
    #19 0x55714f2d85c4 in mudraw_main source/tools/mudraw.c:1919
    #20 0x55714f2cbc70 in main source/tools/mutool.c:127
    #21 0x7fec6030af29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #22 0x55714f2cb489 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153489)

0x623000006ce8 is located 6120 bytes inside of 6144-byte region [0x623000005500,0x623000006d00)
freed by thread T0 here:
    #0 0x7fec60ce2fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55714f40e8c1 in fz_realloc_default source/fitz/memory.c:233
    #2 0x55714f40dc92 in do_scavenging_realloc source/fitz/memory.c:42
    #3 0x55714f40e49f in fz_resize_array source/fitz/memory.c:171
    #4 0x55714f6233c6 in add_range source/pdf/pdf-cmap.c:586
    #5 0x55714f6229da in add_range source/pdf/pdf-cmap.c:523
    #6 0x55714f623def in pdf_map_range_to_range source/pdf/pdf-cmap.c:646
    #7 0x55714f61cab3 in pdf_parse_bf_range source/pdf/pdf-cmap-parse.c:205
    #8 0x55714f61d7b3 in pdf_load_cmap source/pdf/pdf-cmap-parse.c:325
    #9 0x55714f61af1d in pdf_load_embedded_cmap source/pdf/pdf-cmap-load.c:39
    #10 0x55714f5350fd in pdf_load_to_unicode source/pdf/pdf-unicode.c:77
    #11 0x55714f4e116d in load_cid_font source/pdf/pdf-font.c:1135
    #12 0x55714f4e2016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #13 0x55714f4e35e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #14 0x55714f638f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #15 0x55714f63f5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #16 0x55714f642cdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #17 0x55714f64368b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #18 0x55714f52cf89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #19 0x55714f52d432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #20 0x55714f3456c6 in fz_run_page_contents source/fitz/document.c:368
    #21 0x55714f345988 in fz_run_page source/fitz/document.c:400
    #22 0x55714f2d344a in drawpage source/tools/mudraw.c:1091
    #23 0x55714f2d45d7 in drawrange source/tools/mudraw.c:1209
    #24 0x55714f2d85c4 in mudraw_main source/tools/mudraw.c:1919
    #25 0x55714f2cbc70 in main source/tools/mutool.c:127
    #26 0x7fec6030af29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7fec60ce2fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55714f40e8c1 in fz_realloc_default source/fitz/memory.c:233
    #2 0x55714f40dc92 in do_scavenging_realloc source/fitz/memory.c:42
    #3 0x55714f40e49f in fz_resize_array source/fitz/memory.c:171
    #4 0x55714f6233c6 in add_range source/pdf/pdf-cmap.c:586
    #5 0x55714f623def in pdf_map_range_to_range source/pdf/pdf-cmap.c:646
    #6 0x55714f61cab3 in pdf_parse_bf_range source/pdf/pdf-cmap-parse.c:205
    #7 0x55714f61d7b3 in pdf_load_cmap source/pdf/pdf-cmap-parse.c:325
    #8 0x55714f61af1d in pdf_load_embedded_cmap source/pdf/pdf-cmap-load.c:39
    #9 0x55714f5350fd in pdf_load_to_unicode source/pdf/pdf-unicode.c:77
    #10 0x55714f4e116d in load_cid_font source/pdf/pdf-font.c:1135
    #11 0x55714f4e2016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #12 0x55714f4e35e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #13 0x55714f638f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #14 0x55714f63f5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #15 0x55714f642cdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #16 0x55714f64368b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #17 0x55714f52cf89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #18 0x55714f52d432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #19 0x55714f3456c6 in fz_run_page_contents source/fitz/document.c:368
    #20 0x55714f345988 in fz_run_page source/fitz/document.c:400
    #21 0x55714f2d344a in drawpage source/tools/mudraw.c:1091
    #22 0x55714f2d45d7 in drawrange source/tools/mudraw.c:1209
    #23 0x55714f2d85c4 in mudraw_main source/tools/mudraw.c:1919
    #24 0x55714f2cbc70 in main source/tools/mutool.c:127
    #25 0x7fec6030af29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/pdf/pdf-cmap.c:526 in add_range
Shadow bytes around the buggy address:
  0x0c467fff8d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c467fff8d50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c467fff8d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c467fff8d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c467fff8d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c467fff8d90: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c467fff8da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c467fff8db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c467fff8dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c467fff8dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c467fff8de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5778==ABORTING

Comment 1 Sebastian Rasmussen 2018-01-23 14:05:39 UTC

A tentative patch is available in commit 808548c4b11bde57d639ed59b104fde718a4ab28.

Comment 2 Sebastian Rasmussen 2018-01-26 09:07:57 UTC

Fixed in

commit f597300439e62f5e921f0d7b1e880b5c1a1f1607
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 23:02:16 2018 +0100

    Bug 698883: Reset cmap splay tree pointer, handling resized tree.
    
    Without this change a resized cmap splay tree leads to using stale pointers.

Comment 3 Sebastian Rasmussen 2018-02-01 12:54:03 UTC

*** Bug 698884 has been marked as a duplicate of this bug. ***