Created attachment 14616 [details]
Minimized PDF from oss-fuzz.

Running build/sanitize/mutool draw -s t ./oss-fuzz-5494.pdf causes

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: object missing 'endobj' token
warning: ignoring invalid character in hex string
warning: ... repeated 4 times ...
warning: bf_range limits out of range in cmap pdfapi2-MyReCBH~1380294183+0
warning: ignoring invalid character in hex string
warning: ... repeated 145 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 43 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 9 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 18 times ...
warning: lexical error (unexpected '>')
warning: ignoring invalid character in hex string
warning: ... repeated 3 times ...
error: zlib error: invalid distance too far back
warning: read error; treating as end of file
=================================================================
==5807==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd78f41c0 at pc 0x5606bdc11dd4 bp 0x7fffd78f40c0 sp 0x7fffd78f40b8
WRITE of size 4 at 0x7fffd78f41c0 thread T0
    #0 0x5606bdc11dd3 in pdf_lookup_cmap_full source/pdf/pdf-cmap.c:845
    #1 0x5606bdb20a05 in pdf_remap_cmap_range source/pdf/pdf-unicode.c:18
    #2 0x5606bdb20dcc in pdf_remap_cmap source/pdf/pdf-unicode.c:45
    #3 0x5606bdb21141 in pdf_load_to_unicode source/pdf/pdf-unicode.c:78
    #4 0x5606bdacd16d in load_cid_font source/pdf/pdf-font.c:1135
    #5 0x5606bdace016 in pdf_load_type0_font source/pdf/pdf-font.c:1270
    #6 0x5606bdacf5e3 in pdf_load_font source/pdf/pdf-font.c:1409
    #7 0x5606bdc24f30 in load_font_or_hail_mary source/pdf/pdf-interpret.c:73
    #8 0x5606bdc2b5a2 in pdf_process_keyword source/pdf/pdf-interpret.c:686
    #9 0x5606bdc2ecdb in pdf_process_stream source/pdf/pdf-interpret.c:963
    #10 0x5606bdc2f68b in pdf_process_contents source/pdf/pdf-interpret.c:1057
    #11 0x5606bdb18f89 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:84
    #12 0x5606bdb19432 in pdf_run_page_contents source/pdf/pdf-run.c:110
    #13 0x5606bd9316c6 in fz_run_page_contents source/fitz/document.c:368
    #14 0x5606bd931988 in fz_run_page source/fitz/document.c:400
    #15 0x5606bd8bf44a in drawpage source/tools/mudraw.c:1091
    #16 0x5606bd8c05d7 in drawrange source/tools/mudraw.c:1209
    #17 0x5606bd8c45c4 in mudraw_main source/tools/mudraw.c:1919
    #18 0x5606bd8b7c70 in main source/tools/mutool.c:127
    #19 0x7fb0cc157f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #20 0x5606bd8b7489 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153489)

Address 0x7fffd78f41c0 is located in stack of thread T0 at offset 64 in frame
    #0 0x5606bdb20943 in pdf_remap_cmap_range source/pdf/pdf-unicode.c:11

  This frame has 1 object(s):
    [32, 64) 'ucsbuf' <== Memory access at offset 64 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow source/pdf/pdf-cmap.c:845 in pdf_lookup_cmap_full
Shadow bytes around the buggy address:
  0x10007af167e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af167f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007af16830: f1 f1 f1 f1 00 00 00 00[f3]f3 f3 f3 00 00 00 00
  0x10007af16840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007af16880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5807==ABORTING
A different variation of bug 698883.

*** This bug has been marked as a duplicate of bug 698883 ***