Created attachment 17818 [details] file which triggers heap buffer overflow There's a heap-buffer-overflow at fz_chartorune in fitz/string.c:388:6 please run following command to reproduce ( input file : 1.pdf ) mutool clean -s 1.pdf tmp_clean.pdf Here's ASAN Log ==17437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005cef at pc 0x0000007dee2c bp 0x7ffe5ce0d010 sp 0x7ffe5ce0d008 READ of size 1 at 0x602000005cef thread T0 #0 0x7dee2b in fz_chartorune mupdf/source/fitz/string.c:388:6 #1 0xb4ae76 in walk_string mupdf/source/pdf/pdf-op-filter.c:557:11 #2 0xb4ae76 in mcid_char_imp mupdf/source/pdf/pdf-op-filter.c:612 #3 0xb49d2e in mcid_char mupdf/source/pdf/pdf-op-filter.c:650:3 #4 0xb49d2e in filter_string_to_segment mupdf/source/pdf/pdf-op-filter.c:706 #5 0xb487df in filter_show_string mupdf/source/pdf/pdf-op-filter.c:779:3 #6 0xb1b51e in pdf_process_keyword mupdf/source/pdf/pdf-interpret.c #7 0xb14365 in pdf_process_stream mupdf/source/pdf/pdf-interpret.c:931:6 #8 0xb12db2 in pdf_process_contents mupdf/source/pdf/pdf-interpret.c:1026:3 #9 0xae304e in pdf_filter_page_contents mupdf/source/pdf/pdf-clean.c:221:4 #10 0xae2939 in pdf_clean_page_contents mupdf/source/pdf/pdf-clean.c:169:2 #11 0x91002d in clean_content_streams mupdf/source/pdf/pdf-write.c:2883:4 #12 0x90468f in prepare_for_save mupdf/source/pdf/pdf-write.c:3108:3 #13 0x90ea59 in pdf_save_document mupdf/source/pdf/pdf-write.c:3521:2 #14 0x8453a8 in pdf_clean_file mupdf/source/pdf/pdf-clean-file.c:334:3 #15 0x53640f in pdfclean_main mupdf/source/tools/pdfclean.c:117:3 #16 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12 #17 0x7f2176234b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #18 0x41c019 in _start (mupdf/mutool+0x41c019) 0x602000005cef is located 1 bytes to the left of 1-byte region [0x602000005cf0,0x602000005cf1) allocated by thread T0 here: #0 0x4a8b40 in malloc opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:145 #1 0x70e69b in do_scavenging_malloc mupdf/source/fitz/memory.c:30:7 #2 0x70e69b in fz_malloc mupdf/source/fitz/memory.c:68 #3 0x8e7335 in pdf_new_utf8_from_pdf_string mupdf/source/pdf/pdf-parse.c #4 0x8ea236 in pdf_new_utf8_from_pdf_string_obj mupdf/source/pdf/pdf-parse.c:259:9 #5 0xb3d245 in pdf_filter_BDC mupdf/source/pdf/pdf-op-filter.c:1716:18 #6 0xb1c5f3 in pdf_process_BDC mupdf/source/pdf/pdf-interpret.c:487:3 #7 0xb1c5f3 in pdf_process_keyword mupdf/source/pdf/pdf-interpret.c:762 #8 0xb14365 in pdf_process_stream mupdf/source/pdf/pdf-interpret.c:931:6 #9 0xb12db2 in pdf_process_contents mupdf/source/pdf/pdf-interpret.c:1026:3 #10 0xae304e in pdf_filter_page_contents mupdf/source/pdf/pdf-clean.c:221:4 #11 0xae2939 in pdf_clean_page_contents mupdf/source/pdf/pdf-clean.c:169:2 #12 0x91002d in clean_content_streams mupdf/source/pdf/pdf-write.c:2883:4 #13 0x90468f in prepare_for_save mupdf/source/pdf/pdf-write.c:3108:3 #14 0x90ea59 in pdf_save_document mupdf/source/pdf/pdf-write.c:3521:2 #15 0x8453a8 in pdf_clean_file mupdf/source/pdf/pdf-clean-file.c:334:3 #16 0x53640f in pdfclean_main mupdf/source/tools/pdfclean.c:117:3 #17 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12 #18 0x7f2176234b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 SUMMARY: AddressSanitizer: heap-buffer-overflow mupdf/source/fitz/string.c:388:6 in fz_chartorune Shadow bytes around the buggy address: 0x0c047fff8b40: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 07 fa 0x0c047fff8b50: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 07 fa 0x0c047fff8b60: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 00 00 0x0c047fff8b70: fa fa 07 fa fa fa 00 01 fa fa 00 fa fa fa 07 fa 0x0c047fff8b80: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa fa 07 fa =>0x0c047fff8b90: fa fa 00 00 fa fa 07 fa fa fa 00 01 fa[fa]01 fa 0x0c047fff8ba0: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8bb0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8bc0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8bd0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8be0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==17437==ABORTING
commit 97096297d409ec6f206298444ba00719607e8ba8 Author: Tor Andersson <tor.andersson@artifex.com> Date: Thu Jul 25 12:10:01 2019 +0200 Bug 701292: Fix test for missing/empty string.