Created attachment 14623
Minimized PDF from oss-fuzz.

Running build/sanitize/mutool draw -s t ./oss-fuzz-5521.pdf causes:

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring invalid character in hex string
warning: ... repeated 18 times ...
warning: object missing 'endobj' token
error: pdf object stream missing (9 0 R)
error: unknown keyword: 'eam'
error: syntax error in content stream
error: syntax error in content stream
error: syntax error in content stream
error: syntax error in content stream
error: pdf object stream missing (9 0 R)
error: syntax error in content stream
warning: invalid indirect reference in dict
error: syntax error in content stream
page ./oss-fuzz-5521.pdf 1
=================================================================
==9996==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000040 at pc 0x55c4d15fe83e bp 0x7ffebc4dfbe0 sp 0x7ffebc4dfbd8
READ of size 4 at 0x613000000040 thread T0
    #0 0x55c4d15fe83d in fz_keep_imp source/fitz/fitz-imp.h:135
    #1 0x55c4d15fecb2 in fz_keep_storable source/fitz/store.c:74
    #2 0x55c4d15fed4a in fz_keep_key_storable source/fitz/store.c:97
    #3 0x55c4d14ace50 in fz_keep_colorspace source/fitz/colorspace.c:276
    #4 0x55c4d15695a1 in fz_run_display_list source/fitz/list-device.c:1477
    #5 0x55c4d145b09d in drawband source/tools/mudraw.c:487
    #6 0x55c4d145eec1 in dodrawpage source/tools/mudraw.c:887
    #7 0x55c4d1461250 in drawpage source/tools/mudraw.c:1180
    #8 0x55c4d1461797 in drawrange source/tools/mudraw.c:1209
    #9 0x55c4d1465784 in mudraw_main source/tools/mudraw.c:1919
    #10 0x55c4d1458e30 in main source/tools/mutool.c:130
    #11 0x7f015b334f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x55c4d1458649 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x153649)

0x613000000040 is located 0 bytes inside of 376-byte region [0x613000000040,0x6130000001b8)
freed by thread T0 here:
    #0 0x7f015bd0c8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55c4d159c239 in fz_free_default source/fitz/memory.c:239
    #2 0x55c4d159c10b in fz_free source/fitz/memory.c:201
    #3 0x55c4d14ac982 in fz_drop_colorspace_imp source/fitz/colorspace.c:229
    #4 0x55c4d15ffac5 in fz_drop_key_storable source/fitz/store.c:218
    #5 0x55c4d14ace75 in fz_drop_colorspace source/fitz/colorspace.c:282
    #6 0x55c4d17ea8e3 in pdf_drop_material source/pdf/pdf-op-run.c:238
    #7 0x55c4d17fb256 in pdf_drop_run_processor source/pdf/pdf-op-run.c:2026
    #8 0x55c4d17c64f5 in pdf_drop_processor source/pdf/pdf-interpret.c:35
    #9 0x55c4d16baa82 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:90
    #10 0x55c4d16bad8c in pdf_run_page_contents source/pdf/pdf-run.c:110
    #11 0x55c4d14d3020 in fz_run_page_contents source/fitz/document.c:368
    #12 0x55c4d14d32e2 in fz_run_page source/fitz/document.c:400
    #13 0x55c4d146060a in drawpage source/tools/mudraw.c:1091
    #14 0x55c4d1461797 in drawrange source/tools/mudraw.c:1209
    #15 0x55c4d1465784 in mudraw_main source/tools/mudraw.c:1919
    #16 0x55c4d1458e30 in main source/tools/mutool.c:130
    #17 0x7f015b334f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f015bd0cc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55c4d159c1f2 in fz_malloc_default source/fitz/memory.c:227
    #2 0x55c4d159b3b2 in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x55c4d159bab0 in fz_calloc source/fitz/memory.c:124
    #4 0x55c4d14acae3 in fz_new_colorspace source/fitz/colorspace.c:252
    #5 0x55c4d14c6ab4 in fz_new_icc_colorspace source/fitz/colorspace.c:3805
    #6 0x55c4d14b1342 in fz_set_cmm_engine source/fitz/colorspace.c:841
    #7 0x55c4d14b1573 in fz_new_colorspace_context source/fitz/colorspace.c:860
    #8 0x55c4d14ca1bd in fz_new_context_imp source/fitz/context.c:264
    #9 0x55c4d1463c98 in mudraw_main source/tools/mudraw.c:1591
    #10 0x55c4d1458e30 in main source/tools/mutool.c:130
    #11 0x7f015b334f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/fitz-imp.h:135 in fz_keep_imp
Shadow bytes around the buggy address:
  0x0c267fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c267fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9996==ABORTING
After analyzing this issue it was revealed that the underlying cause is the same as in 698891.

*** This bug has been marked as a duplicate of bug 698891 ***