Bug 699695 - oss-fuzz 6010: Null-dereference READ in fz_paint_pixmap_with_mask
Summary: oss-fuzz 6010: Null-dereference READ in fz_paint_pixmap_with_mask
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: muPDF bugs
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-30 13:16 UTC by Sebastian Rasmussen
Modified: 2019-05-08 14:01 UTC

See Also:
Customer:
Word Size: ---


Attachments
Minimized PDF from oss-fuzz. (2.35 KB, application/pdf)
2018-08-30 13:16 UTC, Sebastian Rasmussen
Minimized PDF from oss-fuzz. (1.76 KB, application/pdf)
2018-08-30 13:18 UTC, Sebastian Rasmussen

Description Sebastian Rasmussen 2018-08-30 13:16:56 UTC
Created attachment 15544
Minimized PDF from oss-fuzz.

Running

build/sanitize/mutool draw -D -s t oss-fuzz-6010.pdf

results in

error: cannot find startxref
warning: trying to repair broken xref
warning: repairing PDF document
error: invalid key in dict
error: invalid key in dict
warning: object missing 'endobj' token
error: invalid key in dict
warning: ignoring broken object (6 0 R)
error: invalid key in dict
warning: ignoring broken object (29 0 R)
warning: expected 'endobj' or 'stream' keyword (43 0 R)
warning: expected 'endobj' or 'stream' keyword (44 0 R)
error: cannot create appearance stream
warning: cannot create appearance stream
error: cannot create appearance stream
warning: cannot create appearance stream
error: cannot create appearance stream
warning: cannot create appearance stream
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
page oss-fuzz-6010.pdf 1error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: zlib error: invalid distance too far back
warning: read error; treating as end of file
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
error: invalid key in dict
warning: cannot load object (6 0 R) into cache
warning: ignoring zlib error: incorrect data check
warning: ... repeated 3 times ...
warning: lcms error: Couldn't link the profiles
error: cmsCreateTransform failed
warning: unrecoverable error; ignoring rest of page
warning: items left on stack in draw device: 1
 7ms
total 7ms / 1 pages for an average of 7ms
fastest page 1: 7ms
slowest page 1: 7ms

=================================================================
==13151==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e3960f1 in fz_calloc source/fitz/memory.c:125
    #4 0x558e3e3c82cc in fz_new_pixmap_with_data source/fitz/pixmap.c:49
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e509c in fz_draw_begin_group source/fitz/draw-device.c:2318
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e3960f1 in fz_calloc source/fitz/memory.c:125
    #4 0x558e3e3c82cc in fz_new_pixmap_with_data source/fitz/pixmap.c:49
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e4f37 in fz_draw_begin_group source/fitz/draw-device.c:2308
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Indirect leak of 6480 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e395e2a in fz_malloc_array source/fitz/memory.c:89
    #4 0x558e3e3c88ea in fz_new_pixmap_with_data source/fitz/pixmap.c:81
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e4f37 in fz_draw_begin_group source/fitz/draw-device.c:2308
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Indirect leak of 2160 byte(s) in 1 object(s) allocated from:
    #0 0x7f5be66b1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x558e3e3967c7 in fz_malloc_default source/fitz/memory.c:221
    #2 0x558e3e3959ff in do_scavenging_malloc source/fitz/memory.c:23
    #3 0x558e3e395e2a in fz_malloc_array source/fitz/memory.c:89
    #4 0x558e3e3c88ea in fz_new_pixmap_with_data source/fitz/pixmap.c:81
    #5 0x558e3e3c8ace in fz_new_pixmap source/fitz/pixmap.c:102
    #6 0x558e3e3c8cc1 in fz_new_pixmap_with_bbox source/fitz/pixmap.c:109
    #7 0x558e3e2e509c in fz_draw_begin_group source/fitz/draw-device.c:2318
    #8 0x558e3e2c21d3 in fz_begin_group source/fitz/device.c:413
    #9 0x558e3e5d5c7e in pdf_begin_group source/pdf/pdf-op-run.c:183
    #10 0x558e3e5dbf03 in pdf_show_path source/pdf/pdf-op-run.c:638
    #11 0x558e3e5e5a23 in pdf_run_f source/pdf/pdf-op-run.c:1649
    #12 0x558e3e5b5ca2 in pdf_process_keyword source/pdf/pdf-interpret.c:625
    #13 0x558e3e5b9bdb in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x558e3e5ba584 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x558e3e5e3255 in pdf_run_xobject source/pdf/pdf-op-run.c:1301
    #16 0x558e3e5e89e5 in pdf_run_Do_form source/pdf/pdf-op-run.c:1997
    #17 0x558e3e5baf76 in pdf_process_annot source/pdf/pdf-interpret.c:1081
    #18 0x558e3e4b1a2c in pdf_run_annot_with_usage source/pdf/pdf-run.c:37
    #19 0x558e3e4b2e92 in pdf_run_annot source/pdf/pdf-run.c:155
    #20 0x558e3e2c4d47 in fz_run_annot source/fitz/document.c:392
    #21 0x558e3e2c5006 in fz_run_page source/fitz/document.c:427
    #22 0x558e3e249a78 in drawband source/tools/mudraw.c:487
    #23 0x558e3e24ddf3 in dodrawpage source/tools/mudraw.c:883
    #24 0x558e3e250317 in drawpage source/tools/mudraw.c:1177
    #25 0x558e3e25083f in drawrange source/tools/mudraw.c:1206
    #26 0x558e3e2548a7 in mudraw_main source/tools/mudraw.c:1916
    #27 0x558e3e24761b in main source/tools/mutool.c:132
    #28 0x7f5be5de8b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: 8816 byte(s) leaked in 4 allocation(s).
Comment 1 Sebastian Rasmussen 2018-08-30 13:18:58 UTC
Created attachment 15545
Minimized PDF from oss-fuzz.

Another, related issue resulting in an assert

build/sanitize/mutool draw -D -s t oss-fuzz-8018.pdf
error: cannot recognize version marker
warning: trying to repair broken xref
warning: repairing PDF document
warning: object missing 'endobj' token
warning: ... repeated 4 times ...
warning: invalid indirect reference in dict
warning: expected 'endobj' or 'stream' keyword (2 0 R)
warning: invalid indirect reference in dict
warning: expected 'endobj' or 'stream' keyword (6 0 R)
warning: expected 'endobj' or 'stream' keyword (9 0 R)
warning: expected 'endobj' or 'stream' keyword (17 0 R)
error: syntax error in object (29 0 R)
warning: ignoring broken object (29 0 R)
warning: expected 'endobj' or 'stream' keyword (30 0 R)
warning: non-page object in page tree ()
page oss-fuzz-8018.pdf 1warning: premature end of data in flate filter
[...]
error: unknown keyword: 'l76'
error: unknown keyword: 'l7h76'
error: unknown keyword: 'n76'
error: unknown keyword: 'n76'
error: syntax error in content stream
error: unknown keyword: 'l7'
warning: premature end of data in flate filter
mutool: source/fitz/draw-device.c:2439: fz_draw_end_group: Assertion `state[0].dest != state[1].dest' failed.
Aborted
Comment 2 Sebastian Rasmussen 2018-08-30 13:24:48 UTC
Fixed in

commit 985fdcfc117a3bd4bc097cdcae8347b3787fbab2
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Wed Aug 22 22:39:56 2018 +0800

    Bug 699695: Remember to end groups/softmasks even upon exception.
    
    fz_fill_path() may throw an exception halfway through
    pdf_show_path(), which in this case would not attempt to end any
    begun groups or softmasks. This led to e.g. leaks of pixmaps held
    by a group that was never ended.
    
    Moving the cleanup to the always block is not foolproof because
    the cleanup code itself may also throw exceptions, hence
    preventing the end of the fz_always block from being executed.
    This commit does put pdf_show_path() in the same situation as
    pdf_run_xobject() that has the same problem with its cleanup
    code.
    
    Thanks to oss-fuzz for reporting.
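The commit message above describes two things: why the group/softmask cleanup of pdf_show_path() has to run on the exception path as well as the normal one, and why moving it into the always block is still not foolproof when the cleanup itself can throw. The following is an added example, not MuPDF's code: it models the fz_try/fz_always/fz_catch pattern with a tiny setjmp/longjmp handler stack and counts begun-but-not-ended groups and softmasks, so the "before" and "after" shapes and the remaining caveat can each be observed as a leak count. Every name in it (ctx_t, throw_error, begin_group, fill_path, leaked_after, ...) is invented for the example and does not correspond to MuPDF's real API.

```c
/* Constructed example, not MuPDF code: a minimal setjmp/longjmp try/always
 * mechanism in the spirit of fz_try/fz_always/fz_catch. It shows why the
 * cleanup of a pdf_show_path()-like routine must run on the exception path,
 * and why that is still not foolproof when cleanup itself can throw.
 * All names here are invented for the example. */
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8

typedef struct {
    jmp_buf stack[MAX_DEPTH];   /* handler stack; top == -1 means no handler installed */
    int top;
    int open_groups;            /* groups begun but never ended: each one is a leaked pixmap */
    int open_softmasks;         /* softmasks begun but never ended */
    char msg[64];
} ctx_t;

static void throw_error(ctx_t *ctx, const char *msg)
{
    snprintf(ctx->msg, sizeof ctx->msg, "%s", msg);
    longjmp(ctx->stack[ctx->top], 1);   /* unwind to the innermost handler */
}

static void rethrow(ctx_t *ctx) { longjmp(ctx->stack[ctx->top], 1); }

static void begin_softmask(ctx_t *ctx) { ctx->open_softmasks++; }
static void end_softmask(ctx_t *ctx)   { ctx->open_softmasks--; }
static void begin_group(ctx_t *ctx)    { ctx->open_groups++; }

/* Cleanup that can itself fail (the caveat the commit message names):
 * the group's pixmap is released, but a later step of the cleanup throws. */
static void end_group(ctx_t *ctx, int cleanup_fails)
{
    ctx->open_groups--;
    if (cleanup_fails)
        throw_error(ctx, "end_group failed");
}

/* Stand-in for fz_fill_path(): throws when the caller asks it to. */
static void fill_path(ctx_t *ctx, int fill_fails)
{
    if (fill_fails)
        throw_error(ctx, "fill_path failed");
}

/* The 'before' shape: no local handler, so a throw inside fill_path
 * skips both end_group and end_softmask. */
static void show_path_unsafe(ctx_t *ctx, int fill_fails, int cleanup_fails)
{
    begin_softmask(ctx);
    begin_group(ctx);
    fill_path(ctx, fill_fails);
    end_group(ctx, cleanup_fails);
    end_softmask(ctx);
}

/* The 'after' shape: cleanup runs on both the normal and the exception path. */
static void show_path_safe(ctx_t *ctx, int fill_fails, int cleanup_fails)
{
    volatile int caught = 0;
    begin_softmask(ctx);
    begin_group(ctx);
    ctx->top++;
    if (setjmp(ctx->stack[ctx->top]) == 0)
        fill_path(ctx, fill_fails);       /* "try" */
    else
        caught = 1;                       /* arrived here via longjmp */
    ctx->top--;
    /* "always": if end_group throws here, end_softmask is skipped. */
    end_group(ctx, cleanup_fails);
    end_softmask(ctx);
    if (caught)
        rethrow(ctx);                     /* "catch": propagate to the caller */
}

/* Runs fn under an outer handler (the caller's catch) and reports what is
 * still open afterwards, encoded as open_groups * 10 + open_softmasks. */
static int leaked_after(void (*fn)(ctx_t *, int, int), int fill_fails, int cleanup_fails)
{
    static ctx_t ctx;                     /* static storage: not subject to setjmp's clobber rule */
    memset(&ctx, 0, sizeof ctx);
    ctx.top = 0;
    if (setjmp(ctx.stack[0]) == 0)
        fn(&ctx, fill_fails, cleanup_fails);
    ctx.top = -1;
    return ctx.open_groups * 10 + ctx.open_softmasks;
}

int main(void)
{
    printf("unsafe, fill throws:             %02d\n", leaked_after(show_path_unsafe, 1, 0));
    printf("safe,   fill throws:             %02d\n", leaked_after(show_path_safe, 1, 0));
    printf("safe,   fill ok, cleanup throws: %02d\n", leaked_after(show_path_safe, 0, 1));
    return 0;
}
```

The first run reproduces the report: one group and one softmask stay open (11), which in the real renderer is the pixmap leak LeakSanitizer prints above. The second run shows the fix: the cleanup runs before the error is rethrown, so nothing stays open (00). The third run shows the remaining caveat from the commit message: when end_group itself throws, end_softmask is never reached and the softmask stays open (01), which is why the commit calls the always block "not foolproof".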