Bug 698891 - oss-fuzz 5513: Claimed use-after-free of colorspace
Summary: oss-fuzz 5513: Claimed use-after-free of colorspace
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: MuPDF bugs
URL:
Keywords:
Duplicates: 698892
Depends on:
Blocks:
 
Reported: 2018-01-22 07:36 UTC by Sebastian Rasmussen
Modified: 2019-05-08 13:50 UTC

See Also:
Customer:
Word Size: ---


Attachments
Minimized PDF from oss-fuzz. (1.77 KB, application/pdf)
2018-01-22 07:36 UTC, Sebastian Rasmussen

Description Sebastian Rasmussen 2018-01-22 07:36:25 UTC
Running

build/sanitize/mutool draw -s t ./oss-fuzz-5513.pdf

causes

error: cannot recognize version marker
warning: trying to repair broken xref
warning: repairing PDF document
warning: invalid indirect reference in dict
error: invalid key in dict
warning: expected 'endobj' or 'stream' keyword (9 0 R)
warning: invalid indirect reference in dict
error: invalid key in dict
warning: ignoring broken object (10 0 R)
error: pdf object stream missing (9 0 R)
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
warning: invalid indirect reference in dict
error: invalid key in dict
warning: invalid indirect reference in dict
error: invalid key in dict
warning: cannot load object (10 0 R) into cache
page ./oss-fuzz-5513.pdf 1 8ms
total 8ms / 1 pages for an average of 8ms
fastest page 1: 8ms
slowest page 1: 8ms
=================================================================
==9969==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000040 at pc 0x55ac5728791e bp 0x7ffe7be89df0 sp 0x7ffe7be89de8
READ of size 4 at 0x613000000040 thread T0
    #0 0x55ac5728791d in fz_drop_key_storable source/fitz/store.c:189
    #1 0x55ac57134e75 in fz_drop_colorspace source/fitz/colorspace.c:282
    #2 0x55ac57139737 in fz_drop_colorspace_context source/fitz/colorspace.c:891
    #3 0x55ac5715184d in fz_drop_context source/fitz/context.c:165
    #4 0x55ac570ee2df in mudraw_main source/tools/mudraw.c:2035
    #5 0x55ac570e0e30 in main source/tools/mutool.c:130
    #6 0x7f7638bc6f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #7 0x55ac570e0649 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153649)

0x613000000040 is located 0 bytes inside of 376-byte region [0x613000000040,0x6130000001b8)
freed by thread T0 here:
    #0 0x7f763959e8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55ac57224239 in fz_free_default source/fitz/memory.c:239
    #2 0x55ac5722410b in fz_free source/fitz/memory.c:201
    #3 0x55ac57134982 in fz_drop_colorspace_imp source/fitz/colorspace.c:229
    #4 0x55ac57288493 in evict source/fitz/store.c:300
    #5 0x55ac5728a99b in fz_empty_store source/fitz/store.c:664
    #6 0x55ac5728aaea in fz_drop_store_context source/fitz/store.c:683
    #7 0x55ac5715181d in fz_drop_context source/fitz/context.c:161
    #8 0x55ac570ee2df in mudraw_main source/tools/mudraw.c:2035
    #9 0x55ac570e0e30 in main source/tools/mutool.c:130
    #10 0x7f7638bc6f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f763959ec20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55ac572241f2 in fz_malloc_default source/fitz/memory.c:227
    #2 0x55ac572233b2 in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x55ac57223ab0 in fz_calloc source/fitz/memory.c:124
    #4 0x55ac57134ae3 in fz_new_colorspace source/fitz/colorspace.c:252
    #5 0x55ac5714eab4 in fz_new_icc_colorspace source/fitz/colorspace.c:3805
    #6 0x55ac57139342 in fz_set_cmm_engine source/fitz/colorspace.c:841
    #7 0x55ac57139573 in fz_new_colorspace_context source/fitz/colorspace.c:860
    #8 0x55ac571521bd in fz_new_context_imp source/fitz/context.c:264
    #9 0x55ac570ebc98 in mudraw_main source/tools/mudraw.c:1591
    #10 0x55ac570e0e30 in main source/tools/mutool.c:130
    #11 0x7f7638bc6f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/store.c:189 in fz_drop_key_storable
Shadow bytes around the buggy address:
  0x0c267fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c267fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9969==ABORTING
Comment 1 Sebastian Rasmussen 2018-01-22 07:36:51 UTC
Created attachment 14622
Minimized PDF from oss-fuzz.
Comment 2 Sebastian Rasmussen 2018-02-01 15:53:57 UTC
I have a tentative fix in commit 5f2bec0160f9ecfb8660b7115d3bae5243866cca awaiting review.
Comment 3 Sebastian Rasmussen 2018-02-01 16:00:04 UTC
*** Bug 698892 has been marked as a duplicate of this bug. ***
Comment 4 Sebastian Rasmussen 2018-02-01 16:15:12 UTC
*** Bug 698901 has been marked as a duplicate of this bug. ***
Comment 5 Sebastian Rasmussen 2018-02-02 08:58:54 UTC
This was fixed in

commit 4dcc6affe04368461310a21238f7e1871a752a05
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Fri Feb 2 00:37:51 2018 +0100

    Bug 698891: Keep colorspace for luminosity transparency group.
    
    This was forgotten when a gray colorspace was used as a fallback
    in case a colorspace was never set. Thanks to oss-fuzz for reporting.
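The ownership mistake behind this report, shown as an added illustration that is not MuPDF code. The ASan trace above says the colorspace was freed when the store was emptied during fz_drop_context and then read again when the context dropped its default colorspaces, and the fix commit says a gray fallback was stored in a transparency group without being kept. The toy model below uses hypothetical names (cspace, cs_keep, cs_drop, group, lifecycle) rather than MuPDF's fz_colorspace API, and a static pool instead of malloc so that a dead object can still be inspected; the rule it demonstrates is the one the fix restores: a structure that will drop a reference on teardown must take one when it stores the pointer.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy keep/drop reference counting. Hypothetical names; this is not
 * MuPDF's fz_colorspace / fz_keep_colorspace / fz_drop_colorspace.
 * The ownership rule is the same: every drop must be paid for by a
 * matching keep, or by the reference that creation handed out.
 */
#define MAX_OBJS 8

typedef struct {
    int refs;          /* 0 means the object has been freed */
    char name[16];
} cspace;

/* Static pool (not malloc) so a freed object can still be inspected safely. */
static cspace pool[MAX_OBJS];
static int npool;

static cspace *cs_new(const char *name)
{
    cspace *cs = &pool[npool++];
    cs->refs = 1;                /* the creator owns one reference */
    snprintf(cs->name, sizeof cs->name, "%s", name);
    return cs;
}

static cspace *cs_keep(cspace *cs)
{
    if (cs) cs->refs++;
    return cs;
}

/* Returns the remaining reference count, or -1 if the object was already
 * dead. With a real allocator the -1 case is the read of freed memory
 * that ASan reported in fz_drop_key_storable. */
static int cs_drop(cspace *cs)
{
    if (!cs) return 0;
    if (cs->refs <= 0) return -1;    /* double drop / use-after-free */
    return --cs->refs;               /* 0: freed now */
}

/* A transparency group that records the colorspace it is rendered in. */
typedef struct { cspace *cs; } group;

/* Buggy: stores the fallback without taking a reference, although
 * group_drop() will drop one later. */
static void group_set_fallback_buggy(group *g, cspace *fallback)
{
    g->cs = fallback;
}

/* Fixed: take the reference that the later drop will consume. */
static void group_set_fallback_fixed(group *g, cspace *fallback)
{
    g->cs = cs_keep(fallback);
}

static int group_drop(group *g)
{
    int r = cs_drop(g->cs);
    g->cs = NULL;
    return r;
}

/* Lifecycle: the context creates the default gray, a group falls back to
 * it, the group is released after rendering, then the context releases
 * its own reference on teardown. Returns what the context's final drop
 * observed: 0 for a clean free, -1 if the group's drop had already freed
 * the object (the reported bug). */
static int lifecycle(int fixed)
{
    npool = 0;
    cspace *gray = cs_new("DeviceGray");   /* owned by the "context" */
    group g = { 0 };

    if (fixed)
        group_set_fallback_fixed(&g, gray);
    else
        group_set_fallback_buggy(&g, gray);

    group_drop(&g);          /* page done: group releases its colorspace */
    return cs_drop(gray);    /* context teardown releases the default gray */
}

int main(void)
{
    printf("buggy: context drop returned %d\n", lifecycle(0));
    printf("fixed: context drop returned %d\n", lifecycle(1));
    return 0;
}
```

The buggy path reports -1: the group's drop consumed the only reference, so the context's own drop touches a dead object. The fixed path reports 0: two references exist, two drops happen, and the object is freed exactly once, by its owner.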