Bug 700043 - there is a out-of-bound-read bug in font.c:1398
Summary: there is a out-of-bound-read bug in font.c:1398
Alias: None
Product: MuPDF
Classification: Unclassified
Component: svg output (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Robin Watts
QA Contact: Bug traffic
Depends on:
Reported: 2018-10-26 08:24 UTC by kuaicar87
Modified: 2018-12-17 20:01 UTC (History)
3 users (show)

See Also:
Word Size: ---


Note You need to log in before you can comment on or make changes to this bug.
Description kuaicar87 2018-10-26 08:24:48 UTC
With the attached pdf file, while write to a svg file, due to an out-of-bound-read problem in font.c:1398, this will lead to Segmentation fault. 

Below is the asan output of the program and backtrace of gdb:

warning: ignoring zlib error: incorrect data check
page 222.pdf 1warning: ... repeated 2 times ...
warning: freetype load glyph (gid 20537): invalid argument
==11234==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000281c8 (pc 0x55f67eb20400 bp 0x7ffca69a8bb0 sp 0x7ffca69a8af0 T0)
==11234==The signal is caused by a READ memory access.
    #0 0x55f67eb203ff in fz_run_t3_glyph source/fitz/font.c:1398
    #1 0x55f67ebf4cc8 in svg_dev_text_span_as_paths_defs source/fitz/svg-device.c:495
    #2 0x55f67ebf6bf1 in svg_dev_fill_text source/fitz/svg-device.c:684
    #3 0x55f67eaa9a35 in fz_fill_text source/fitz/device.c:199
    #4 0x55f67eb4a806 in fz_run_display_list source/fitz/list-device.c:1718
    #5 0x55f67ea3476e in dodrawpage source/tools/mudraw.c:690
    #6 0x55f67ea38876 in drawpage source/tools/mudraw.c:1178
    #7 0x55f67ea38dc5 in drawrange source/tools/mudraw.c:1207
    #8 0x55f67ea3cf15 in mudraw_main source/tools/mudraw.c:1924
    #9 0x55f67ea2f9b5 in main source/tools/mutool.c:132
    #10 0x7fec6adc1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x55f67ea2f1b9 in _start (/home/fish/Desktop/2018-10-10/mupdf/sanitize/mutool+0x1491b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV source/fitz/font.c:1398 in fz_run_t3_glyph

gef➤  bt
#0  0x00005555555f9857 in fz_run_t3_glyph (ctx=0x555557b9d260, font=0x555557beea20, gid=0x5039, trm=..., dev=0x555557bca970) at source/fitz/font.c:1397
#1  0x0000555555648987 in svg_dev_text_span_as_paths_defs (ctx=0x555557b9d260, dev=0x555557bca970, span=0x555557bffa90, ctm=...) at source/fitz/svg-device.c:496
#2  0x0000555555649779 in svg_dev_fill_text (ctx=0x555557b9d260, dev=0x555557bca970, text=0x555557bffa70, ctm=..., colorspace=0x555557bacf70, color=0x7fffffffd210, alpha=1, color_params=0x7fffffffd15c) at source/fitz/svg-device.c:685
#3  0x00005555555c9d4f in fz_fill_text (ctx=0x555557b9d260, dev=0x555557bca970, text=0x555557bffa70, ctm=..., colorspace=0x555557bacf70, color=0x7fffffffd210, alpha=1, color_params=0x7fffffffd15c) at source/fitz/device.c:199
#4  0x00005555556087c6 in fz_run_display_list (ctx=0x555557b9d260, list=0x555557bc9780, dev=0x555557bca970, top_ctm=..., scissor=..., cookie=0x7fffffffd900) at source/fitz/list-device.c:1717
#5  0x0000555555595aab in dodrawpage (ctx=0x555557b9d260, page=0x555557bc8b00, list=0x555557bc9780, pagenum=0x1, cookie=0x7fffffffd900, start=0x0, interptime=0x0, filename=0x7fffffffe253 "222.pdf", bg=0x0, seps=0x0) at source/tools/mudraw.c:688
#6  0x0000555555597996 in drawpage (ctx=0x555557b9d260, doc=0x555557bb67f0, pagenum=0x1) at source/tools/mudraw.c:1176
#7  0x0000555555597b0e in drawrange (ctx=0x555557b9d260, doc=0x555557bb67f0, range=0x5555558de254 "") at source/tools/mudraw.c:1205
#8  0x0000555555599c3b in mudraw_main (argc=0x6, argv=0x7fffffffde50) at source/tools/mudraw.c:1922
#9  0x0000555555593972 in main (argc=0x7, argv=0x7fffffffde48) at source/tools/mutool.c:132
#10 0x00007ffff6fd0b97 in __libc_start_main (main=0x5555555936cc <main>, argc=0x7, argv=0x7fffffffde48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde38) at ../csu/libc-start.c:310
#11 0x000055555559357a in _start ()

The poc can be found at https://github.com/TeamSeri0us/pocs/blob/master/mupdf/out-of-bound-read-font.c:1397
Comment 1 Tor Andersson 2018-11-07 14:14:13 UTC
commit 164ddc22ee0d5b63a81d5148f44c37dd132a9356
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Mon Nov 5 17:49:09 2018 +0100

    Fix 700043: Don't assume a font is t3 just because fz_outline_glyph fails.
Comment 2 Craig Younkins 2018-12-17 20:01:18 UTC
I'd like to request a release for this CVE. Ref: https://github.com/NixOS/nixpkgs/issues/51740