Created attachment 17820 [details]
file which triggers heap use after free

Description:

There's a heap-use-after-free at mupdf/source/fitz/svg-device.c:507:9 in svg_dev_text_span_as_paths_defs.

Steps to Reproduce:

I ran the following command line to trigger this issue.

mutool draw -o tmp_.svg -R 832 -r 5 -w 460 -h 22 -W 601 -H 178 -S 47 -G 0.72 221.pdf

Here's the ASAN log.

==26059==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002e038 at pc 0x0000007f69af bp 0x7ffd93a92550 sp 0x7ffd93a92548
READ of size 8 at 0x61100002e038 thread T0
    #0 0x7f69ae in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:507:9
    #1 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10
    #2 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4
    #3 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5
    #4 0x4fc5ce in dodrawpage mupdf/source/tools/mudraw.c:680:5
    #5 0x501592 in drawpage mupdf/source/tools/mudraw.c:1165:3
    #6 0x4f9c5a in drawrange mupdf/source/tools/mudraw.c:1181:6
    #7 0x4f6ba4 in mudraw_main mupdf/source/tools/mudraw.c:1914:7
    #8 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12
    #9 0x7f1fab30fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41c019 in _start (mupdf/mutool+0x41c019)

0x61100002e038 is located 248 bytes inside of 256-byte region [0x61100002df40,0x61100002e040)
freed by thread T0 here:
    #0 0x4a8ed8 in realloc opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:164
    #1 0x71364e in do_scavenging_realloc mupdf/source/fitz/memory.c:50:7
    #2 0x712a08 in fz_realloc mupdf/source/fitz/memory.c:119:6
    #3 0x7f55c8 in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:444:18
    #4 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10
    #5 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4
    #6 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5
    #7 0x673cc6 in fz_run_t3_glyph mupdf/source/fitz/font.c:1675:2
    #8 0x7f62cd in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:503:5
    #9 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10
    #10 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4
    #11 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5
    #12 0x4fc5ce in dodrawpage mupdf/source/tools/mudraw.c:680:5
    #13 0x501592 in drawpage mupdf/source/tools/mudraw.c:1165:3
    #14 0x4f9c5a in drawrange mupdf/source/tools/mudraw.c:1181:6
    #15 0x4f6ba4 in mudraw_main mupdf/source/tools/mudraw.c:1914:7
    #16 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12
    #17 0x7f1fab30fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x4a8ed8 in realloc opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:164
    #1 0x71364e in do_scavenging_realloc mupdf/source/fitz/memory.c:50:7
    #2 0x712a08 in fz_realloc mupdf/source/fitz/memory.c:119:6
    #3 0x7f55c8 in svg_dev_text_span_as_paths_defs mupdf/source/fitz/svg-device.c:444:18
    #4 0x7e8d5a in svg_dev_fill_text mupdf/source/fitz/svg-device.c:692:10
    #5 0x57ab82 in fz_fill_text mupdf/source/fitz/device.c:220:4
    #6 0x6a8c1f in fz_run_display_list mupdf/source/fitz/list-device.c:1775:5
    #7 0x4fc5ce in dodrawpage mupdf/source/tools/mudraw.c:680:5
    #8 0x501592 in drawpage mupdf/source/tools/mudraw.c:1165:3
    #9 0x4f9c5a in drawrange mupdf/source/tools/mudraw.c:1181:6
    #10 0x4f6ba4 in mudraw_main mupdf/source/tools/mudraw.c:1914:7
    #11 0x4ed9d0 in main mupdf/source/tools/mutool.c:130:12
    #12 0x7f1fab30fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free mupdf/source/fitz/svg-device.c:507:9 in svg_dev_text_span_as_paths_defs
==26059==ABORTING

system: Ubuntu 18.04LTS
CC=clang-7, CXX=clang++-7, build=sanitize
In git-master, this UAF is triggered. Please confirm. Thanks.

Env
OS: Ubuntu 18.04 64bit
Version: commit a1e68d36d007ad8cda480c586b77e1d5af77a495

Steps to reproduce:
1. Download the POC files.
2. Compile the source code with ASan.
3. Execute the following command:
   ./mutool draw -o tmp_.svg -R 832 -r 5 -w 460 -h 22 -W 601 -H 178 -S 47 -G 0.72 $PoC
This bug was fixed by commit 8719e07834d6a72b6b4131539e49ed1e8e2ff79e
(In reply to theshoals from comment #2)
> This bug was fixed by commit 8719e07834d6a72b6b4131539e49ed1e8e2ff79e

I agree, this was indeed fixed by the commit below. Moreover, I verified that the issue does not exist on current master commit b6570e41cf24b53a8c98b35da12e0d082705f72b either.

commit 8719e07834d6a72b6b4131539e49ed1e8e2ff79e
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Wed Jun 3 18:10:43 2020 +0200

    Bug 701295: Fix use of stale pointer after realloc.

    fz_run_t3_glyph may cause recursion, which means that
    svg_dev_text_span_as_path_defs needs to be re-entrant at that point.
    Recalculate the 'fnt' pointer from the sdev->fonts array after
    calling a function that may trigger an array realloc.
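The stale-pointer-after-realloc pattern that the fix describes, as an added illustration that is not mupdf's code: the svg_dev and font_entry types are a hypothetical model of the sdev->fonts table, and run_t3_glyph stands in for the re-entrant fz_run_t3_glyph call from the trace. The comment in record_glyph shows the buggy line; the function itself uses the fixed shape, re-deriving the pointer by index after the call that may realloc.

```c
#include <stdlib.h>

/* Hypothetical model of a device holding a growable font table,
 * analogous to sdev->fonts in svg-device.c (names are illustrative). */
typedef struct { int id; int glyph_count; } font_entry;
typedef struct { font_entry *fonts; int num_fonts; int max_fonts; } svg_dev;

/* Register a font; growing the table may move it with realloc, so any
 * pointer into the old block dangles (the freed region in the ASan trace). */
static int add_font(svg_dev *sdev, int id)
{
    if (sdev->num_fonts == sdev->max_fonts) {
        int newmax = sdev->max_fonts ? sdev->max_fonts * 2 : 1;
        font_entry *grown = realloc(sdev->fonts, newmax * sizeof *grown);
        if (!grown) abort();
        sdev->fonts = grown;
        sdev->max_fonts = newmax;
    }
    sdev->fonts[sdev->num_fonts].id = id;
    sdev->fonts[sdev->num_fonts].glyph_count = 0;
    return sdev->num_fonts++;
}

/* Stand-in for fz_run_t3_glyph: rendering a Type 3 glyph re-enters the
 * text path and can register `nested` further fonts, each a possible realloc. */
static void run_t3_glyph(svg_dev *sdev, int nested)
{
    for (int i = 0; i < nested; i++) add_font(sdev, 1000 + i);
}

/* Record one glyph for font `font_idx`. The buggy shape kept `fnt` across the
 * re-entrant call and then did `fnt->glyph_count++` on the freed block. */
static int record_glyph(svg_dev *sdev, int font_idx, int nested)
{
    font_entry *fnt = &sdev->fonts[font_idx]; /* valid only until the next realloc */
    run_t3_glyph(sdev, nested);               /* may realloc sdev->fonts */
    fnt = &sdev->fonts[font_idx];             /* recalculate from the array, as the fix does */
    return ++fnt->glyph_count;
}

/* Scenario: one font, then two glyphs, the first of which registers `nested`
 * more fonts while drawing. Returns font 0's glyph count (-1 if its entry
 * was not preserved across the move); *fonts_out receives the table size. */
static int simulate_glyph_count(int nested, int *fonts_out)
{
    svg_dev dev = {0};
    int idx = add_font(&dev, 1);
    record_glyph(&dev, idx, nested);
    int count = record_glyph(&dev, idx, 0);
    if (dev.fonts[idx].id != 1) count = -1;
    if (fonts_out) *fonts_out = dev.num_fonts;
    free(dev.fonts);
    return count;
}
```

Built with -fsanitize=address, restoring the commented buggy line reproduces the same heap-use-after-free class of report as the trace above, while the index-based recalculation stays clean.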