[cairo] Heap-buffer-overflow in get_unaligned_be32

iasunsea at sina.com iasunsea at sina.com
Sun Jun 25 15:16:14 UTC 2023


When we ran the poppler fuzzer on fusiontest-testcase-pdf_draw_fuzzer-202110250015 and fusiontest-testcase-pdf_draw_fuzzer-202110250016, we found that cairo has a heap buffer overflow, and we have put the fix in bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch.

==445393==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000009d32 at pc 0x00000124ec5c bp 0x7fff520a9e00 sp 0x7fff520a9df8
READ of size 1 at 0x604000009d32 thread T0
    #0 0x124ec5b in get_unaligned_be32 /src/cairo/_builddir/../src/cairoint.h:257:48
    #1 0x124e7e8 in _jpx_next_box /src/cairo/_builddir/../src/cairo-image-info.c:167:16
    #2 0x124e856 in _jpx_find_box /src/cairo/_builddir/../src/cairo-image-info.c:196:6
    #3 0x124e69a in _cairo_image_info_get_jpx_info /src/cairo/_builddir/../src/cairo-image-info.c:233:9
    #4 0x11f1c2a in _cairo_pdf_surface_emit_jpx_image /src/cairo/_builddir/../src/cairo-pdf-surface.c:3329:14
    #5 0x11e25c2 in _cairo_pdf_surface_emit_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:3753:11
    #6 0x11e7e65 in _cairo_pdf_surface_add_source_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:1735:14
    #7 0x11e5d51 in _cairo_pdf_surface_paint_surface_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5023:11
    #8 0x11e5418 in _cairo_pdf_surface_paint_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5166:9
    #9 0x11db7cc in _cairo_pdf_surface_paint /src/cairo/_builddir/../src/cairo-pdf-surface.c:7988:11
    #10 0x11a6f6c in _cairo_surface_paint /src/cairo/_builddir/../src/cairo-surface.c:2199:14
    #11 0x11a12d7 in _cairo_surface_wrapper_paint /src/cairo/_builddir/../src/cairo-surface-wrapper.c:162:14
    #12 0x11817de in _cairo_recording_surface_replay_internal /src/cairo/_builddir/../src/cairo-recording-surface.c:1862:15
    #13 0x11834f0 in _cairo_recording_surface_replay_region /src/cairo/_builddir/../src/cairo-recording-surface.c:2235:12
    #14 0x126ea1c in _paint_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:469:11
    #15 0x126d9be in _cairo_paginated_surface_show_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:583:14
    #16 0x11acadf in cairo_surface_show_page /src/cairo/_builddir/../src/cairo-surface.c:2506:40
    #17 0x6a33f0 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:66:9
    #18 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #19 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #20 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #21 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7f698d26bb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
    #23 0x5707f9 in _start (/root/oss-fuzz/build/out/poppler/pdf_draw_fuzzer+0x5707f9)

0x604000009d32 is located 0 bytes to the right of 34-byte region [0x604000009d10,0x604000009d32)
allocated by thread T0 here:
    #0 0x66fefd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x6ecc9b in gmalloc(unsigned long, bool) /src/poppler/goo/gmem.h:41:17
    #2 0x6f6bca in CairoOutputDev::getStreamData(Stream*, char**, int*) /src/poppler/poppler/CairoOutputDev.cc:2872:23
    #3 0x6f6888 in CairoOutputDev::setMimeData(GfxState*, Stream*, Object*, GfxImageColorMap*, _cairo_surface*, int) /src/poppler/poppler/CairoOutputDev.cc:3063:7
    #4 0x6f7a36 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/CairoOutputDev.cc:3311:7
    #5 0x81495e in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4583:7
    #6 0x7eb0ed in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4154:7
    #7 0x7fba7f in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:873:3
    #8 0x7facfa in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:749:7
    #9 0x7fa6c3 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:711:3
    #10 0x8cfbad in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool ()(void), void*, bool ()(Annot, void*), void*, bool) /src/poppler/poppler/Page.cc:596:10
    #11 0x6bc30f in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /src/poppler/glib/poppler-page.cc:355:15
    #12 0x6bc58b in poppler_page_render_for_printing /src/poppler/glib/poppler-page.cc:458:3
    #13 0x6a33e7 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:65:9
    #14 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #15 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #16 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #17 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7f698d26bb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairoint.h:257:48 in get_unaligned_be32
Shadow bytes around the buggy address:
  0x0c087fff9350: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9360: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9370: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9380: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9390: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fff93a0: fa fa 00 00 00 00[02]fa fa fa 00 00 00 00 00 fa
  0x0c087fff93b0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 00 fa
  0x0c087fff93c0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==445393==ABORTING

-----------------------------------------------------------------------------------

==445397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000001ad2 at pc 0x00000124ec6a bp 0x7ffd6245f1e0 sp 0x7ffd6245f1d8
READ of size 1 at 0x612000001ad2 thread T0
    #0 0x124ec69 in get_unaligned_be32 /src/cairo/_builddir/../src/cairoint.h:257:60
    #1 0x124f02a in _jbig2_get_next_segment /src/cairo/_builddir/../src/cairo-image-info.c:351:13
    #2 0x124ede6 in _cairo_image_info_get_jbig2_info /src/cairo/_builddir/../src/cairo-image-info.c:412:6
    #3 0x11f12d3 in _cairo_pdf_surface_emit_jbig2_image /src/cairo/_builddir/../src/cairo-pdf-surface.c:3219:14
    #4 0x11e2572 in _cairo_pdf_surface_emit_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:3744:11
    #5 0x11e7e65 in _cairo_pdf_surface_add_source_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:1735:14
    #6 0x11e5d51 in _cairo_pdf_surface_paint_surface_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5023:11
    #7 0x11e5418 in _cairo_pdf_surface_paint_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5166:9
    #8 0x11db7cc in _cairo_pdf_surface_paint /src/cairo/_builddir/../src/cairo-pdf-surface.c:7988:11
    #9 0x11a6f6c in _cairo_surface_paint /src/cairo/_builddir/../src/cairo-surface.c:2199:14
    #10 0x11a12d7 in _cairo_surface_wrapper_paint /src/cairo/_builddir/../src/cairo-surface-wrapper.c:162:14
    #11 0x11817de in _cairo_recording_surface_replay_internal /src/cairo/_builddir/../src/cairo-recording-surface.c:1862:15
    #12 0x11834f0 in _cairo_recording_surface_replay_region /src/cairo/_builddir/../src/cairo-recording-surface.c:2235:12
    #13 0x126ea1c in _paint_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:469:11
    #14 0x126d9be in _cairo_paginated_surface_show_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:583:14
    #15 0x11acadf in cairo_surface_show_page /src/cairo/_builddir/../src/cairo-surface.c:2506:40
    #16 0x6a33f0 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:66:9
    #17 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #18 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #19 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #20 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #21 0x7f5fabdd9b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
    #22 0x5707f9 in _start (/root/oss-fuzz/build/out/poppler/pdf_draw_fuzzer+0x5707f9)

0x612000001ad2 is located 0 bytes to the right of 274-byte region [0x6120000019c0,0x612000001ad2)
allocated by thread T0 here:
    #0 0x66fefd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x6ecc9b in gmalloc(unsigned long, bool) /src/poppler/goo/gmem.h:41:17
    #2 0x6f6bca in CairoOutputDev::getStreamData(Stream*, char**, int*) /src/poppler/poppler/CairoOutputDev.cc:2872:23
    #3 0x6f6888 in CairoOutputDev::setMimeData(GfxState*, Stream*, Object*, GfxImageColorMap*, _cairo_surface*, int) /src/poppler/poppler/CairoOutputDev.cc:3063:7
    #4 0x6f7a36 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/CairoOutputDev.cc:3311:7
    #5 0x81495e in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4583:7
    #6 0x7eb0ed in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4154:7
    #7 0x7fba7f in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:873:3
    #8 0x7facfa in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:749:7
    #9 0x7fa6c3 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:711:3
    #10 0x8cfbad in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool ()(void), void*, bool ()(Annot, void*), void*, bool) /src/poppler/poppler/Page.cc:596:10
    #11 0x6bc30f in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /src/poppler/glib/poppler-page.cc:355:15
    #12 0x6bc58b in poppler_page_render_for_printing /src/poppler/glib/poppler-page.cc:458:3
    #13 0x6a33e7 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:65:9
    #14 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #15 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #16 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #17 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7f5fabdd9b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairoint.h:257:60 in get_unaligned_be32
Shadow bytes around the buggy address:
  0x0c247fff8300: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff8310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fff8320: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fff8330: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8350: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c247fff8360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c247fff8390: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==445397==ABORTING

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/cc0547b8/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fusiontest-testcase-pdf_draw_fuzzer-202110250015
Type: application/octet-stream
Size: 1024 bytes
Desc: not available
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/cc0547b8/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fusiontest-testcase-pdf_draw_fuzzer-202110250016
Type: application/octet-stream
Size: 4875 bytes
Desc: not available
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/cc0547b8/attachment-0003.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/cc0547b8/attachment-0001.ksh>
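Both sanitizer reports above end in get_unaligned_be32 reading one byte past the end of a heap region (34 bytes in the JPX case, 274 bytes in the JBIG2 case) while a box or segment walker pulls the next 4-byte big-endian length or type field. The defensive pattern for that class of bug is to carry the remaining buffer length alongside the pointer and refuse every multi-byte read that does not fit, including the body length the header declares. The following is an added example written for this post, not cairo's own cairo-image-info.c code and not the attached patch; it walks JP2/JPX boxes as laid out in ISO/IEC 15444-1 Annex I (LBox, TBox, optional XLBox) with a length-checked reader and stops cleanly on the constructed 34-byte truncated input instead of reading past it. The same remaining-length check applies to the JBIG2 segment-header walk from the second report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    BOX_OK = 0,         /* a complete box was parsed */
    BOX_END = 1,        /* no bytes left: clean end of the box sequence */
    BOX_TRUNCATED = 2,  /* header or body runs past the end of the buffer */
    BOX_BAD_LENGTH = 3  /* declared length smaller than the header itself */
} box_status_t;

typedef struct {
    uint32_t type;          /* four-character box type as a big-endian word */
    const uint8_t *payload; /* first byte after the box header */
    size_t payload_len;     /* payload bytes actually present in the buffer */
} jpx_box_t;

/* Read a big-endian uint32 only when at least 4 bytes remain.
 * This is the check an unguarded get_unaligned_be32(p) cannot make on its own. */
static bool read_be32_checked(const uint8_t *p, size_t remaining, uint32_t *out)
{
    if (remaining < 4)
        return false;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return true;
}

/* Parse one box at data[0..len). LBox == 1 means an 8-byte XLBox follows,
 * LBox == 0 means the box extends to the end of the data. */
static box_status_t jpx_next_box(const uint8_t *data, size_t len,
                                 jpx_box_t *box, size_t *consumed)
{
    uint32_t lbox, tbox;
    uint64_t box_len;
    size_t header = 8;

    if (len == 0)
        return BOX_END;
    if (!read_be32_checked(data, len, &lbox))
        return BOX_TRUNCATED;
    if (!read_be32_checked(data + 4, len - 4, &tbox))
        return BOX_TRUNCATED;

    box_len = lbox;
    if (lbox == 1) {
        uint32_t hi, lo;
        if (!read_be32_checked(data + 8, len - 8, &hi))
            return BOX_TRUNCATED;
        if (!read_be32_checked(data + 12, len - 12, &lo))
            return BOX_TRUNCATED;
        box_len = ((uint64_t)hi << 32) | lo;
        header = 16;
    } else if (lbox == 0) {
        box_len = len;
    }

    if (box_len < header)
        return BOX_BAD_LENGTH;   /* would otherwise underflow payload_len */
    if (box_len > len)
        return BOX_TRUNCATED;    /* body claims bytes the buffer does not have */

    box->type = tbox;
    box->payload = data + header;
    box->payload_len = (size_t)box_len - header;
    *consumed = (size_t)box_len;
    return BOX_OK;
}

/* Walk the whole sequence: returns the number of complete boxes and why it stopped. */
static int jpx_count_boxes(const uint8_t *data, size_t len, box_status_t *why)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        jpx_box_t box;
        size_t used;
        box_status_t st = jpx_next_box(data + pos, len - pos, &box, &used);
        if (st != BOX_OK) {
            *why = st;
            return count;
        }
        pos += used;
        count++;
    }
    *why = BOX_END;
    return count;
}

/* Constructed input (not from the attached testcases): a 12-byte 'jP  ' signature
 * box, then a 'ftyp' box that declares 0x100 bytes but is cut off after 22, for 34
 * bytes total, the size of the heap region in the first report above. */
static const uint8_t sample_truncated[34] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0x00,0x00,0x01,0x00, 'f','t','y','p', 'j','p','2',' ',
    0x00,0x00,0x00,0x00, 'j','p','2',' ', 0x00,0x00
};

/* Constructed well-formed input: the same signature box plus a complete 20-byte 'ftyp'. */
static const uint8_t sample_good[32] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'j','p','2',' ',
    0x00,0x00,0x00,0x00, 'j','p','2',' '
};

int main(void)
{
    box_status_t why;
    int n = jpx_count_boxes(sample_truncated, sizeof sample_truncated, &why);
    printf("truncated: %d complete boxes, stop reason %d\n", n, (int)why);
    n = jpx_count_boxes(sample_good, sizeof sample_good, &why);
    printf("good: %d complete boxes, stop reason %d\n", n, (int)why);
    return 0;
}
```

The walker never forms a pointer more than one past the end of the buffer, because each read is gated on the bytes still available, and a box whose declared length exceeds the remaining data is rejected before its payload is touched. Running it under AddressSanitizer on the truncated sample produces no report, which is the property the fuzzer found missing in the traces above.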

