698901 – oss-fuzz 5604: Claimed heap-use-after-free in fz_fin_cached_color_converter()

Bug 698901 - oss-fuzz 5604: Claimed heap-use-after-free in fz_fin_cached_color_converter()

Summary: oss-fuzz 5604: Claimed heap-use-after-free in fz_fin_cached_color_converter()

Status:	RESOLVED FIXED

Alias:	None

Product:	MuPDF
Classification:	Unclassified
Component:	mupdf (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	MuPDF bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-01-23 05:42 UTC by Sebastian Rasmussen
Modified:	2019-05-08 14:01 UTC (History)
CC List:	0 users

See Also:
Customer:
Word Size:	---

Attachments
Minimized PDF from oss-fuzz. (26.31 KB, application/pdf) 2018-01-23 05:42 UTC, Sebastian Rasmussen	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Rasmussen 2018-01-23 05:42:53 UTC

Created attachment 14632 [details]
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz-5604.pdf

results in

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: expected 'endobj' or 'stream' keyword (21 0 R)
page ./oss-fuzz-5604.pdf 1warning: lcms error: Couldn't link the profiles
error: cmsCreateTransform failed
=================================================================
==19237==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000a18 at pc 0x55e6c3aa9a4d bp 0x7fff745e7970 sp 0x7fff745e7968
READ of size 8 at 0x606000000a18 thread T0
    #0 0x55e6c3aa9a4c in fz_fin_cached_color_converter source/fitz/colorspace.c:3679
    #1 0x55e6c3ae75ba in fz_paint_shade source/fitz/draw-mesh.c:353
    #2 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #3 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #4 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #5 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #6 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #7 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #8 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #9 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #10 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #11 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x55e6c3a3c909 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x155909)

0x606000000a18 is located 56 bytes inside of 64-byte region [0x6060000009e0,0x606000000a20)
freed by thread T0 here:
    #0 0x7f4674d408c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55e6c3b7fd55 in fz_free_default source/fitz/memory.c:239
    #2 0x55e6c3b7fc27 in fz_free source/fitz/memory.c:201
    #3 0x55e6c3aa998b in fz_init_cached_color_converter source/fitz/colorspace.c:3665
    #4 0x55e6c3ae5d7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #5 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #6 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #7 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #8 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #9 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #10 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #11 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #12 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #13 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #14 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f4674d40c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55e6c3b7fd0e in fz_malloc_default source/fitz/memory.c:227
    #2 0x55e6c3b7eece in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x55e6c3b7f5cc in fz_calloc source/fitz/memory.c:124
    #4 0x55e6c3aa9663 in fz_init_cached_color_converter source/fitz/colorspace.c:3648
    #5 0x55e6c3ae5d7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #6 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #7 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #8 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #9 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #10 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #11 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #12 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #13 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #14 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #15 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/colorspace.c:3679 in fz_fin_cached_color_converter
Shadow bytes around the buggy address:
  0x0c0c7fff80f0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8100: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8110: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8120: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8130: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
=>0x0c0c7fff8140: fd fd fd[fd]fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8150: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19237==ABORTING

Comment 1 Sebastian Rasmussen 2018-02-01 16:15:12 UTC

After analysis this turns out to be a duplicate of issue 698891.

*** This bug has been marked as a duplicate of bug 698891 ***

Comment 2 Sebastian Rasmussen 2018-02-02 12:13:41 UTC

Agh, the status is wrong I mixed up the bug numbers, sorry.

The heap use after free are resolved by the commits below. But then I see lots of memory leaks that I have not yet tracked down.


commit 4889fe51af274e0c158a0a8a2e6132c700937427
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:34:58 2018 +0100

    Make sure to drop color converter when painting shades, even upon error.

commit 8fdad62ddb46f8798643e9b1a564a2af8b12411d
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:59:35 2018 +0100

    Bug 698904: Drop pixmap only once upon error when painting shades.
    
    If fz_new_pixmap_with_bbox() threw conv would be NULL and temp would
    be pointing to a pixmap that would be dropped 2 times.
    
    If fz_clone_pixmap_area_with_different_seps() threw temp and conv
    would be pointing to the same pixmap that would be dropped 3 times.

commit 83d4dae44c71816c084a635550acc1a51529b881
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 16:43:59 2018 +0100

    Bug 698904: Upon error both free color converter and clear its pointer.
    
    Without this change future calls to fz_fin_cached_color_converter()
    will try to dereference the already freed pointer.

Comment 3 Sebastian Rasmussen 2018-02-02 16:33:58 UTC

I have a tentative patch awaiting review in commit 511e8b02a93fb9371ceed38582631fbded1edf34.

Comment 4 Sebastian Rasmussen 2018-03-01 22:35:02 UTC

This was fixed in

commit f51836b9732c38d945b87fda0770009a77ba680c
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Fri Feb 2 21:45:49 2018 +0100

    Bug 698901: Drop pixmaps/knockout group upon error when ending group.
    
    Previously the call to fz_convert_pixmap() threw causing a destination
    pixmap leak. This illustrated a bigger issue with the error handling
    so now all types of pixmaps are dropped and care is taken to also end
    the knockout group, should there be any.