Bug 698901 - oss-fuzz 5604: Claimed heap-use-after-free in fz_fin_cached_color_converter()
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: MuPDF bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-23 05:42 UTC by Sebastian Rasmussen
Modified: 2019-05-08 14:01 UTC
CC List: 0 users

See Also:
Customer:
Word Size: ---


Attachments
Minimized PDF from oss-fuzz. (26.31 KB, application/pdf)
2018-01-23 05:42 UTC, Sebastian Rasmussen

Description Sebastian Rasmussen 2018-01-23 05:42:53 UTC
Created attachment 14632
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -s t ./oss-fuzz-5604.pdf

results in

error: cannot recognize xref format
warning: trying to repair broken xref
warning: repairing PDF document
warning: expected 'endobj' or 'stream' keyword (21 0 R)
page ./oss-fuzz-5604.pdf 1warning: lcms error: Couldn't link the profiles
error: cmsCreateTransform failed
=================================================================
==19237==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000a18 at pc 0x55e6c3aa9a4d bp 0x7fff745e7970 sp 0x7fff745e7968
READ of size 8 at 0x606000000a18 thread T0
    #0 0x55e6c3aa9a4c in fz_fin_cached_color_converter source/fitz/colorspace.c:3679
    #1 0x55e6c3ae75ba in fz_paint_shade source/fitz/draw-mesh.c:353
    #2 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #3 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #4 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #5 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #6 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #7 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #8 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #9 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #10 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #11 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x55e6c3a3c909 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x155909)

0x606000000a18 is located 56 bytes inside of 64-byte region [0x6060000009e0,0x606000000a20)
freed by thread T0 here:
    #0 0x7f4674d408c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55e6c3b7fd55 in fz_free_default source/fitz/memory.c:239
    #2 0x55e6c3b7fc27 in fz_free source/fitz/memory.c:201
    #3 0x55e6c3aa998b in fz_init_cached_color_converter source/fitz/colorspace.c:3665
    #4 0x55e6c3ae5d7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #5 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #6 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #7 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #8 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #9 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #10 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #11 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #12 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #13 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #14 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f4674d40c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55e6c3b7fd0e in fz_malloc_default source/fitz/memory.c:227
    #2 0x55e6c3b7eece in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x55e6c3b7f5cc in fz_calloc source/fitz/memory.c:124
    #4 0x55e6c3aa9663 in fz_init_cached_color_converter source/fitz/colorspace.c:3648
    #5 0x55e6c3ae5d7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #6 0x55e6c3acd012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #7 0x55e6c3ab336c in fz_fill_shade source/fitz/device.c:320
    #8 0x55e6c3b4eeee in fz_run_display_list source/fitz/list-device.c:1727
    #9 0x55e6c3a3f35d in drawband source/tools/mudraw.c:487
    #10 0x55e6c3a43181 in dodrawpage source/tools/mudraw.c:887
    #11 0x55e6c3a45510 in drawpage source/tools/mudraw.c:1180
    #12 0x55e6c3a45a57 in drawrange source/tools/mudraw.c:1209
    #13 0x55e6c3a49a44 in mudraw_main source/tools/mudraw.c:1919
    #14 0x55e6c3a3d0f0 in main source/tools/mutool.c:127
    #15 0x7f4673ed7f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/colorspace.c:3679 in fz_fin_cached_color_converter
Shadow bytes around the buggy address:
  0x0c0c7fff80f0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8100: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8110: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8120: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8130: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
=>0x0c0c7fff8140: fd fd fd[fd]fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8150: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19237==ABORTING
Comment 1 Sebastian Rasmussen 2018-02-01 16:15:12 UTC
After analysis this turns out to be a duplicate of issue 698891.

*** This bug has been marked as a duplicate of bug 698891 ***
Comment 2 Sebastian Rasmussen 2018-02-02 12:13:41 UTC
Agh, the status is wrong; I mixed up the bug numbers, sorry.

The heap use-after-free is resolved by the commits below. But then I see lots of memory leaks that I have not yet tracked down.

commit 4889fe51af274e0c158a0a8a2e6132c700937427
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:34:58 2018 +0100

    Make sure to drop color converter when painting shades, even upon error.

commit 8fdad62ddb46f8798643e9b1a564a2af8b12411d
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:59:35 2018 +0100

    Bug 698904: Drop pixmap only once upon error when painting shades.
    
    If fz_new_pixmap_with_bbox() threw, conv would be NULL and temp would
    be pointing to a pixmap that would be dropped 2 times.
    
    If fz_clone_pixmap_area_with_different_seps() threw, temp and conv
    would be pointing to the same pixmap that would be dropped 3 times.

commit 83d4dae44c71816c084a635550acc1a51529b881
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 16:43:59 2018 +0100

    Bug 698904: Upon error both free color converter and clear its pointer.
    
    Without this change future calls to fz_fin_cached_color_converter()
    will try to dereference the already freed pointer.
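The last commit message above states the defect mechanism: on the error path the converter's storage was freed but the pointer was left set, so the unconditional cleanup call in fz_fin_cached_color_converter() dereferenced freed memory. The following is an added example, not MuPDF code; every name in it (cconv, cconv_init_buggy, cconv_init_fixed, cconv_fin, track_alloc, track_free, run_paint) is hypothetical, and a small allocation tracker stands in for AddressSanitizer so both the buggy and the corrected shape can be executed without undefined behaviour.

```c
/* Added example (hypothetical names, not MuPDF code): error-path cleanup of a
 * cached colour converter. A tiny allocation tracker plays the role of
 * AddressSanitizer: it records frees of pointers it does not own instead of
 * passing them to free(), so the double free is observable but harmless. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* pointers currently owned by the caller */
static int bad_free_count;     /* frees of pointers that are not live */

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void track_free(void *p)
{
    if (p == NULL) return;     /* freeing NULL is always a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_free_count++;          /* dangling or already freed: count it, do not touch it */
}

struct cconv {
    unsigned char *cache;      /* colour lookup cache owned by this struct */
    int linked;                /* whether the profile link succeeded */
};

/* Stand-in for the profile link step (cmsCreateTransform in the report). */
static int link_profiles(int should_fail) { return should_fail ? -1 : 0; }

/* Shape of the original bug: on link failure the cache is freed but the
 * pointer is left dangling, so a later cconv_fin() frees it a second time. */
static int cconv_init_buggy(struct cconv *cc, int fail_link)
{
    memset(cc, 0, sizeof *cc);
    cc->cache = track_alloc(64);
    if (link_profiles(fail_link) < 0) {
        track_free(cc->cache); /* freed ...                               */
        return -1;             /* ... but cc->cache still points at it    */
    }
    cc->linked = 1;
    return 0;
}

/* Shape of the fix: free AND clear, so cconv_fin() becomes a harmless no-op. */
static int cconv_init_fixed(struct cconv *cc, int fail_link)
{
    memset(cc, 0, sizeof *cc);
    cc->cache = track_alloc(64);
    if (link_profiles(fail_link) < 0) {
        track_free(cc->cache);
        cc->cache = NULL;      /* ownership released: nothing left to free */
        return -1;
    }
    cc->linked = 1;
    return 0;
}

/* Cleanup that callers run unconditionally from their error handler. */
static void cconv_fin(struct cconv *cc)
{
    track_free(cc->cache);
    cc->cache = NULL;
    cc->linked = 0;
}

/* One init/fin cycle, as a paint routine's "always" block would run it.
 * Returns the number of invalid frees the tracker observed. */
static int run_paint(int (*init)(struct cconv *, int), int fail_link)
{
    struct cconv cc;
    bad_free_count = 0;
    init(&cc, fail_link);      /* the error is reported via the return value ... */
    cconv_fin(&cc);            /* ... and cleanup runs regardless of it          */
    return bad_free_count;
}

int main(void)
{
    printf("buggy init, link fails: %d invalid free(s)\n", run_paint(cconv_init_buggy, 1));
    printf("fixed init, link fails: %d invalid free(s)\n", run_paint(cconv_init_fixed, 1));
    printf("fixed init, link ok:    %d invalid free(s)\n", run_paint(cconv_init_fixed, 0));
    return 0;
}
```

The design point is that a finaliser which may run after a partially failed initialiser must be idempotent, which only holds if every release of a resource also clears the field that referred to it. The same tracker would flag the aliasing problem described in the second commit (temp and conv pointing at one pixmap that is dropped several times), since each extra drop is a free of a pointer the tracker no longer owns.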
Comment 3 Sebastian Rasmussen 2018-02-02 16:33:58 UTC
I have a tentative patch awaiting review in commit 511e8b02a93fb9371ceed38582631fbded1edf34.
Comment 4 Sebastian Rasmussen 2018-03-01 22:35:02 UTC
This was fixed in

commit f51836b9732c38d945b87fda0770009a77ba680c
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Fri Feb 2 21:45:49 2018 +0100

    Bug 698901: Drop pixmaps/knockout group upon error when ending group.
    
    Previously the call to fz_convert_pixmap() threw, causing a destination
    pixmap leak. This illustrated a bigger issue with the error handling,
    so now all types of pixmaps are dropped and care is taken to also end
    the knockout group, should there be any.