Created attachment 14634 [details]
Minimized PDF from oss-fuzz.

Running build/sanitize/mutool draw -s t ./oss-fuzz/5609.pdf leads to:

error: cannot recognize version marker
warning: trying to repair broken xref
warning: repairing PDF document
warning: object missing 'endobj' token
warning: ... repeated 3 times ...
warning: expected 'endobj' or 'stream' keyword (1 0 R)
warning: expected 'endobj' or 'stream' keyword (2 0 R)
warning: expected 'endobj' or 'stream' keyword (4 0 R)
warning: expected 'endobj' or 'stream' keyword (6 0 R)
warning: expected 'endobj' or 'stream' keyword (7 0 R)
warning: expected 'endobj' or 'stream' keyword (9 0 R)
warning: expected 'endobj' or 'stream' keyword (14 0 R)
warning: expected 'endobj' or 'stream' keyword (17 0 R)
warning: non-page object in page tree ()
warning: non-positive sample function dimension size
warning: unknown font format, guessing type1 or truetype.
error: unknown keyword: 'ends'
page ./oss-fuzz/5609.pdf 1
warning: lcms error: Wrong output color space on transform
error: cmsCreateTransform failed
=================================================================
==17330==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000718 at pc 0x563913143a4d bp 0x7ffdde9f9fc0 sp 0x7ffdde9f9fb8
READ of size 8 at 0x606000000718 thread T0
    #0 0x563913143a4c in fz_fin_cached_color_converter source/fitz/colorspace.c:3679
    #1 0x5639131815ba in fz_paint_shade source/fitz/draw-mesh.c:353
    #2 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #3 0x56391314d36c in fz_fill_shade source/fitz/device.c:320
    #4 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727
    #5 0x5639130d935d in drawband source/tools/mudraw.c:487
    #6 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887
    #7 0x5639130df510 in drawpage source/tools/mudraw.c:1180
    #8 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209
    #9 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919
    #10 0x5639130d70f0 in main source/tools/mutool.c:127
    #11 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #12 0x5639130d6909 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x155909)

0x606000000718 is located 56 bytes inside of 64-byte region [0x6060000006e0,0x606000000720)
freed by thread T0 here:
    #0 0x7f7e361808c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x563913219d55 in fz_free_default source/fitz/memory.c:239
    #2 0x563913219c27 in fz_free source/fitz/memory.c:201
    #3 0x56391314398b in fz_init_cached_color_converter source/fitz/colorspace.c:3665
    #4 0x56391317fd7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #5 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #6 0x56391314d36c in fz_fill_shade source/fitz/device.c:320
    #7 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727
    #8 0x5639130d935d in drawband source/tools/mudraw.c:487
    #9 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887
    #10 0x5639130df510 in drawpage source/tools/mudraw.c:1180
    #11 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209
    #12 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919
    #13 0x5639130d70f0 in main source/tools/mutool.c:127
    #14 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

previously allocated by thread T0 here:
    #0 0x7f7e36180c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x563913219d0e in fz_malloc_default source/fitz/memory.c:227
    #2 0x563913218ece in do_scavenging_malloc source/fitz/memory.c:22
    #3 0x5639132195cc in fz_calloc source/fitz/memory.c:124
    #4 0x563913143663 in fz_init_cached_color_converter source/fitz/colorspace.c:3648
    #5 0x56391317fd7c in fz_paint_shade source/fitz/draw-mesh.c:250
    #6 0x563913167012 in fz_draw_fill_shade source/fitz/draw-device.c:1556
    #7 0x56391314d36c in fz_fill_shade source/fitz/device.c:320
    #8 0x5639131e8eee in fz_run_display_list source/fitz/list-device.c:1727
    #9 0x5639130d935d in drawband source/tools/mudraw.c:487
    #10 0x5639130dd181 in dodrawpage source/tools/mudraw.c:887
    #11 0x5639130df510 in drawpage source/tools/mudraw.c:1180
    #12 0x5639130dfa57 in drawrange source/tools/mudraw.c:1209
    #13 0x5639130e3a44 in mudraw_main source/tools/mudraw.c:1919
    #14 0x5639130d70f0 in main source/tools/mutool.c:127
    #15 0x7f7e35317f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-use-after-free source/fitz/colorspace.c:3679 in fz_fin_cached_color_converter
Shadow bytes around the buggy address:
  0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff80b0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff80c0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff80d0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
=>0x0c0c7fff80e0: fd fd fd[fd]fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17330==ABORTING
I have a set of tentative patches awaiting review in commits bfc8340544d32fc819d681bf1cec68abb415985d and b950cd1b35ebb0fc87c6692628880f18e9b2240e.
Fixed in commits

commit 8fdad62ddb46f8798643e9b1a564a2af8b12411d
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Jan 24 00:59:35 2018 +0100

    Bug 698904: Drop pixmap only once upon error when painting shades.

    If fz_new_pixmap_with_bbox() threw conv would be NULL and temp would
    be pointing to a pixmap that would be dropped 2 times.

    If fz_clone_pixmap_area_with_different_seps() threw temp and conv
    would be pointing to the same pixmap that would be dropped 3 times.

commit 83d4dae44c71816c084a635550acc1a51529b881
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Tue Jan 23 16:43:59 2018 +0100

    Bug 698904: Upon error both free color converter and clear its pointer.

    Without this change future calls to fz_fin_cached_color_converter()
    will try to dereference the already freed pointer.
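The two commit messages describe the same error-path pattern from two sides: a pixmap reachable through two variables (temp and conv) that the cleanup dropped more than once, and a converter that was freed on error but whose pointer was left dangling for fz_fin_cached_color_converter() to dereference. The following is an added model of both fixes, not MuPDF code: pixmap, converter, paint_shade_setup and init_converter are toy stand-ins, and an error-injection flag replaces fz_try/fz_throw.

```c
#include <stdlib.h>

/* Added illustration, not MuPDF code: a toy refcounted pixmap and cached
 * colour converter; fail_at/fail flags stand in for fz_throw. */
typedef struct { int refs; } pixmap;
typedef struct { pixmap *dest; } converter;
static int pixmaps_freed;  /* instrumentation so a test can count releases */

static pixmap *new_pixmap(void)
{
    pixmap *p = calloc(1, sizeof *p);
    if (p) p->refs = 1;
    return p;
}
static void drop_pixmap(pixmap *p)   /* NULL-safe, like fz_drop_pixmap */
{
    if (p && --p->refs == 0) { free(p); pixmaps_freed++; }
}
static void fin_converter(converter **cc)  /* NULL-safe, clears the slot */
{
    if (*cc) { drop_pixmap((*cc)->dest); free(*cc); *cc = NULL; }
}
/* Models fz_init_cached_color_converter: if a later step fails after the
 * allocation, free the converter AND reset the caller's pointer (83d4dae). */
static int init_converter(converter **cc, pixmap *dest, int fail)
{
    *cc = calloc(1, sizeof **cc);
    if (!*cc) return -1;
    (*cc)->dest = dest; dest->refs++;
    if (fail) { fin_converter(cc); return -1; }  /* leaves *cc == NULL */
    return 0;
}
/* Models fz_paint_shade setup plus its always-block. fail_at: 0 none,
 * 1 pixmap creation, 2 clone (conv aliases temp), 3 converter init.
 * Returns 0 or -1; *out is NULL after any error, so a later fin is safe. */
int paint_shade_setup(int fail_at, converter **out)
{
    pixmap *temp = NULL, *conv = NULL;
    int rc = -1;
    *out = NULL;
    temp = new_pixmap();
    if (!temp || fail_at == 1) goto cleanup;    /* fz_new_pixmap_with_bbox threw */
    conv = temp;                                /* no clone needed: alias */
    if (fail_at == 2) goto cleanup;             /* clone threw after aliasing */
    if (init_converter(out, conv, fail_at == 3) < 0) goto cleanup;
    rc = 0;
cleanup:                                        /* the fz_always block */
    if (conv != temp) drop_pixmap(conv);        /* drop each pixmap exactly once (8fdad62) */
    drop_pixmap(temp);
    if (rc < 0) fin_converter(out);             /* no-op: pointer already cleared */
    return rc;
}
```

Building this with -fsanitize=address and removing either the `conv != temp` guard or the `*cc = NULL` in fin_converter reproduces the double-free and use-after-free shapes the report shows.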