Heap-buffer-overflow READ 4 · cairo_cff_parse_charstring caused on poppler fuzzing
==275242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000026e30 at pc 0x00000128b3fe bp 0x7ffca5eabc90 sp 0x7ffca5eabc88
READ of size 4 at 0x602000026e30 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
#0 0x128b3fd in cairo_cff_parse_charstring cairo/src/cairo-cff-subset.c:1608:23
#1 0x128a9e4 in cairo_cff_parse_charstring cairo/src/cairo-cff-subset.c:1636:17
#2 0x128a9e4 in cairo_cff_parse_charstring cairo/src/cairo-cff-subset.c:1636:17
#3 0x12894e2 in cairo_cff_find_width_and_subroutines_used cairo/src/cairo-cff-subset.c:1681:14
#4 0x12872a0 in cairo_cff_font_subset_charstrings_and_subroutines cairo/src/cairo-cff-subset.c:1798:15
#5 0x128263b in cairo_cff_font_subset_font cairo/src/cairo-cff-subset.c:1979:14
#6 0x127d78e in cairo_cff_font_generate cairo/src/cairo-cff-subset.c:2592:14
#7 0x127c69c in _cairo_cff_subset_init cairo/src/cairo-cff-subset.c:2969:14
#8 0x11b44cc in _cairo_pdf_surface_emit_cff_font_subset cairo/src/cairo-pdf-surface.c:5650:14
#9 0x11b3d12 in _cairo_pdf_surface_emit_unscaled_font_subset cairo/src/cairo-pdf-surface.c:6365:14
#10 0x1296864 in _cairo_sub_font_collect cairo/src/cairo-scaled-font-subsets.c:741:30
#11 0x12933fa in _cairo_scaled_font_subsets_foreach_internal cairo/src/cairo-scaled-font-subsets.c:1062:6
#12 0x1293712 in _cairo_scaled_font_subsets_foreach_unscaled cairo/src/cairo-scaled-font-subsets.c:1090:12
#13 0x119d4b0 in _cairo_pdf_surface_emit_font_subsets cairo/src/cairo-pdf-surface.c:6415:14
#14 0x11981f0 in _cairo_pdf_surface_finish cairo/src/cairo-pdf-surface.c:2221:11
#15 0x1166fd8 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
#16 0x1166219 in cairo_surface_finish cairo/src/cairo-surface.c:1079:5
#17 0x1227582 in _cairo_paginated_surface_finish cairo/src/cairo-paginated-surface.c:214:2
#18 0x1166fd8 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
#19 0x1163c55 in cairo_surface_destroy cairo/src/cairo-surface.c:970:2
#20 0x687566 in LLVMFuzzerTestOneInput poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
Line numbers according to
Poppler: 407293bfb9108c9d9e2611a294b389ed9c593900
Cairo: 7b258a2fb844059ef3f0b237d06311cf3efd8aba
Reproducible with this file: clusterfuzz-testcase-minimized-pdf_draw_fuzzer-4894422240198656
This will be eventually publicly available at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28476
Please ask if you need help reproducing :)