Created attachment 14632
Minimized PDF from oss-fuzz.

Running build/sanitize/mutool draw -s t ./oss-fuzz-5604.pdf results in:

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: expected 'endobj' or 'stream' keyword (21 0 R)
page ./oss-fuzz-5604.pdf 1warning: lcms error: Couldn't link the profiles
error: cmsCreateTransform failed
=================================================================
==19237==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000a18 at pc 0x55e6c3aa9a4d bp 0x7fff745e7970 sp 0x7fff745e7968
READ of size 8 at 0x606000000a18 thread T0
    #0 0x55e6c3aa9a4c in fz_fin_cached_color_converter source/fitz/colorspace.c:3679
    #1 0x55e6c3ae75ba in fz_paint_shade source/fitz/draw-mesh.c:353
    #2 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #3 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #4 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #5 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #6 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #7 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #8 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #9 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #10 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #11 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x55e6c3a3c909 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x155909)

0x606000000a18 is located 56 bytes inside of 64-byte region [0x6060000009e0,0x606000000a20)
freed by thread T0 here:
    #0 0x7f4674d408c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55e6c3b7fd55 in fz_free_default source/fitz/memory.c:239
    #2 0x55e6c3b7fc27 in fz_free source/fitz/memory.c:201
    #3 0x55e6c3aa998b in fz_init_cached_color_converter source/fitz/colorspace.c:3665
    #4 0x55e6c3ae5d7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #5 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #6 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #7 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #8 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #9 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #10 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #11 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #12 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #13 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #14 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f4674d40c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55e6c3b7fd0e in fz_malloc_default source/fitz/memory.c:227
    #2 0x55e6c3b7eece in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x55e6c3b7f5cc in fz_calloc source/fitz/memory.c:124
    #4 0x55e6c3aa9663 in fz_init_cached_color_converter source/fitz/colorspace.c:3648
    #5 0x55e6c3ae5d7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #6 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #7 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #8 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #9 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #10 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #11 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #12 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #13 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #14 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #15 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/colorspace.c:3679 in fz_fin_cached_color_converter
==19237==ABORTING
After analysis this turns out to be a duplicate of issue 698891. *** This bug has been marked as a duplicate of bug 698891 ***
Agh, the status is wrong. I mixed up the bug numbers, sorry. The heap use after free is resolved by the commits below. But then I see lots of memory leaks that I have not yet tracked down.

commit 4889fe51af274e0c158a0a8a2e6132c700937427
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:34:58 2018 +0100

    Make sure to drop color converter when painting shades, even upon error.

commit 8fdad62ddb46f8798643e9b1a564a2af8b12411d
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:59:35 2018 +0100

    Bug 698904: Drop pixmap only once upon error when painting shades.

    If fz_new_pixmap_with_bbox() threw conv would be NULL and temp would be
    pointing to a pixmap that would be dropped 2 times. If
    fz_clone_pixmap_area_with_different_seps() threw temp and conv would be
    pointing to the same pixmap that would be dropped 3 times.

commit 83d4dae44c71816c084a635550acc1a51529b881
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 16:43:59 2018 +0100

    Bug 698904: Upon error both free color converter and clear its pointer.

    Without this change future calls to fz_fin_cached_color_converter() will
    try to dereference the already freed pointer.
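The error-path pattern behind the third commit above, as an added example that is not MuPDF's code: a cached converter is freed on the error path of init, and a cleanup that always runs later touches the pointer again. The types, `throw_error`, `release_cache`, `paint_shade` and the `last_freed` instrumentation are constructed stand-ins; `clear_on_error` switches between the buggy path and the fix, and the stale case is detected by address comparison rather than by freeing twice.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for MuPDF's cached colour converter; not MuPDF's code. */
typedef struct { int profiles_linked; } link_cache;
typedef struct { link_cache *cache; } cached_converter;

static jmp_buf err_jmp;      /* minimal fz_try/fz_catch emulation via setjmp/longjmp */
static void *last_freed;     /* instrumentation: address most recently freed */
static void throw_error(void) { longjmp(err_jmp, 1); }
static void release_cache(link_cache *c) { last_freed = c; free(c); }

/* Allocates the cache, then "links the profiles", which may fail (the lcms error in
 * the report). clear_on_error = 0 reproduces the buggy path, 1 the fixed one. */
static void init_converter(cached_converter *cc, int fail_link, int clear_on_error)
{
    cc->cache = calloc(1, sizeof *cc->cache);
    if (!cc->cache) throw_error();
    if (fail_link) {
        release_cache(cc->cache);   /* converter freed on the error path ... */
        if (clear_on_error)
            cc->cache = NULL;       /* ... and, in the fix, its pointer cleared */
        throw_error();
    }
}

/* Cleanup that runs whether or not init succeeded, like fz_fin_cached_color_converter().
 * Returns 1: live cache released; 0: nothing to release; -1: stale pointer, where a
 * real free() would be the heap-use-after-free ASan reported. */
static int fin_converter(cached_converter *cc)
{
    if (cc->cache == NULL) return 0;
    if (cc->cache == last_freed) return -1;   /* compares addresses only, no dereference */
    release_cache(cc->cache);
    cc->cache = NULL;
    return 1;
}

/* Mirrors the shape of fz_paint_shade(): init inside the "try", fin in the cleanup. */
int paint_shade(int fail_link, int clear_on_error)
{
    static cached_converter cc;   /* static so the value survives the longjmp */
    cc.cache = NULL;
    last_freed = NULL;
    if (setjmp(err_jmp) == 0)
        init_converter(&cc, fail_link, clear_on_error);
    /* on error the longjmp lands here; fall through to the cleanup either way */
    return fin_converter(&cc);    /* buggy: -1, fixed: 0, no error: 1 */
}
```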
I have a tentative patch awaiting review in commit 511e8b02a93fb9371ceed38582631fbded1edf34.
This was fixed in:

commit f51836b9732c38d945b87fda0770009a77ba680c
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Fri Feb 2 21:45:49 2018 +0100

    Bug 698901: Drop pixmaps/knockout group upon error when ending group.

    Previously the call to fz_convert_pixmap() threw causing a destination
    pixmap leak. This illustrated a bigger issue with the error handling so
    now all types of pixmaps are dropped and care is taken to also end the
    knockout group, should there be any.