Heap-buffer-overflow WRITE 4 · cairo_cff_font_read_fdselect caused by poppler fuzzing
==172632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000ab0 at pc 0x00000128f00e bp 0x7fffba210ca0 sp 0x7fffba210c98
WRITE of size 4 at 0x61e000000ab0 thread T0
SCARINESS: 36 (4-byte-write-heap-buffer-overflow)
    #0 0x128f00d in cairo_cff_font_read_fdselect cairo/src/cairo-cff-subset.c:995:35
    #1 0x128d740 in cairo_cff_font_read_top_dict cairo/src/cairo-cff-subset.c:1222:18
    #2 0x128c860 in cairo_cff_font_read_font cairo/src/cairo-cff-subset.c:1347:18
    #3 0x12879d6 in cairo_cff_font_generate cairo/src/cairo-cff-subset.c:2579:14
    #4 0x12869bc in _cairo_cff_subset_init cairo/src/cairo-cff-subset.c:2971:14
    #5 0x11be7ec in _cairo_pdf_surface_emit_cff_font_subset cairo/src/cairo-pdf-surface.c:5650:14
    #6 0x11be032 in _cairo_pdf_surface_emit_unscaled_font_subset cairo/src/cairo-pdf-surface.c:6365:14
    #7 0x12a0bb4 in _cairo_sub_font_collect cairo/src/cairo-scaled-font-subsets.c:741:30
    #8 0x129d74a in _cairo_scaled_font_subsets_foreach_internal cairo/src/cairo-scaled-font-subsets.c:1062:6
    #9 0x129da62 in _cairo_scaled_font_subsets_foreach_unscaled cairo/src/cairo-scaled-font-subsets.c:1090:12
    #10 0x11a77d0 in _cairo_pdf_surface_emit_font_subsets cairo/src/cairo-pdf-surface.c:6415:14
    #11 0x11a2510 in _cairo_pdf_surface_finish cairo/src/cairo-pdf-surface.c:2221:11
    #12 0x11712e8 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
    #13 0x1170529 in cairo_surface_finish cairo/src/cairo-surface.c:1079:5
    #14 0x12318a2 in _cairo_paginated_surface_finish cairo/src/cairo-paginated-surface.c:214:2
    #15 0x11712e8 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
    #16 0x116df65 in cairo_surface_destroy cairo/src/cairo-surface.c:970:2
    #17 0x689c86 in LLVMFuzzerTestOneInput poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
    #18 0x58e501 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #19 0x578292 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #20 0x57e5d5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #21 0x5a8482 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7f97991f382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #23 0x5531a8 in _start

0x61e000000ab0 is located 0 bytes to the right of 2608-byte region [0x61e000000080,0x61e000000ab0)
allocated by thread T0 here:
    #0 0x656d22 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x128ecfc in cairo_cff_font_read_fdselect cairo/src/cairo-cff-subset.c:976:22
    #2 0x128d740 in cairo_cff_font_read_top_dict cairo/src/cairo-cff-subset.c:1222:18
    #3 0x128c860 in cairo_cff_font_read_font cairo/src/cairo-cff-subset.c:1347:18
    #4 0x12879d6 in cairo_cff_font_generate cairo/src/cairo-cff-subset.c:2579:14
    #5 0x12869bc in _cairo_cff_subset_init cairo/src/cairo-cff-subset.c:2971:14
    #6 0x11be7ec in _cairo_pdf_surface_emit_cff_font_subset cairo/src/cairo-pdf-surface.c:5650:14
    #7 0x11be032 in _cairo_pdf_surface_emit_unscaled_font_subset cairo/src/cairo-pdf-surface.c:6365:14
    #8 0x12a0bb4 in _cairo_sub_font_collect cairo/src/cairo-scaled-font-subsets.c:741:30
    #9 0x129d74a in _cairo_scaled_font_subsets_foreach_internal cairo/src/cairo-scaled-font-subsets.c:1062:6
    #10 0x129da62 in _cairo_scaled_font_subsets_foreach_unscaled cairo/src/cairo-scaled-font-subsets.c:1090:12
    #11 0x11a77d0 in _cairo_pdf_surface_emit_font_subsets cairo/src/cairo-pdf-surface.c:6415:14
    #12 0x11a2510 in _cairo_pdf_surface_finish cairo/src/cairo-pdf-surface.c:2221:11
    #13 0x11712e8 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
    #14 0x1170529 in cairo_surface_finish cairo/src/cairo-surface.c:1079:5
    #15 0x12318a2 in _cairo_paginated_surface_finish cairo/src/cairo-paginated-surface.c:214:2
    #16 0x11712e8 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
    #17 0x116df65 in cairo_surface_destroy cairo/src/cairo-surface.c:970:2
    #18 0x689c86 in LLVMFuzzerTestOneInput poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
    #19 0x58e501 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #20 0x578292 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #21 0x57e5d5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #22 0x5a8482 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #23 0x7f97991f382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
Line numbers are according to:
Poppler: 0e6c3ff9bb4390d2b426a4cddbb638c19811055d
Cairo: cb3618f76d10c2e0cd1e6196ed79d4af4d7d5e44
Reproducible with this file: clusterfuzz-testcase-minimized-pdf_draw_fuzzer-5975558253051904
This will be eventually publicly available at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28427
Please ask if you need help reproducing :)
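Added illustration for readers of this report; it is not cairo's code and makes no claim about what cairo-cff-subset.c:995 actually does. The report's numbers are at least consistent with a per-glyph table: a 2608-byte calloc'd region and a 4-byte write at offset 2608 is exactly what an array of 652 four-byte entries written at index 652 (one past the end) looks like. The C below parses a constructed CFF FDSelect format 3 table (the format whose reader the top frame names: a format byte, a range count, ranges of {first glyph, FD index}, and a final sentinel glyph index) into such a per-glyph array. `fdselect3_unchecked_extent` shows where a fill loop that trusts the font's sentinel would stop writing; `fdselect3_read` is the hardened reader that bounds every written index by the glyph count the array was sized from. The glyph count (20), the sample bytes, the 4-byte element type, and the function names are all assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample input, not taken from the report or from cairo.
 * CFF FDSelect format 3 layout (CFF spec, section 19):
 *   Card8  format (3)
 *   Card16 nRanges
 *   Range3 ranges[nRanges]  { Card16 first; Card8 fd; }
 *   Card16 sentinel         (one past the last glyph of the final range)
 * Two ranges: glyphs 0..9 -> FD 0, glyphs 10..19 -> FD 1, sentinel 20. */
static const uint8_t FDSELECT_OK[] = {
    0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x01, 0x00, 0x14
};
/* Same table, but the sentinel claims 21 glyphs while the font has 20. */
static const uint8_t FDSELECT_BAD[] = {
    0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x01, 0x00, 0x15
};
#define NUM_GLYPHS 20u   /* hypothetical glyph count the per-glyph array is sized from */

static int rd8(const uint8_t *d, size_t len, size_t off, uint8_t *v)
{
    if (off >= len) return -1;
    *v = d[off];
    return 0;
}

static int rd16(const uint8_t *d, size_t len, size_t off, uint16_t *v)
{
    if (off + 2 > len) return -1;
    *v = (uint16_t)((d[off] << 8) | d[off + 1]);
    return 0;
}

/* Where an unchecked fill loop would stop: it takes the sentinel from the font
 * as the exclusive upper bound of the last range, so the highest index it writes
 * is sentinel - 1, regardless of how many elements were actually allocated. */
int fdselect3_unchecked_extent(const uint8_t *d, size_t len, unsigned *extent)
{
    uint8_t fmt;
    uint16_t n, sentinel;
    if (rd8(d, len, 0, &fmt) || fmt != 3 || rd16(d, len, 1, &n)) return -1;
    if (rd16(d, len, 3 + 3 * (size_t)n, &sentinel)) return -1;
    *extent = sentinel;
    return 0;
}

/* Hardened reader: fills fds[0..num_glyphs) and returns 0, or -1 if the table is
 * truncated, the ranges are not ascending, or any range bound exceeds the glyph
 * count the array was sized from. The element is 4 bytes wide (int) so that an
 * out-of-bounds write here would look like the report's "WRITE of size 4". */
int fdselect3_read(const uint8_t *d, size_t len, unsigned num_glyphs, int *fds)
{
    uint8_t fmt, fd;
    uint16_t n, first, next;
    size_t off = 3;   /* offset of the first range's 'first' field */
    if (rd8(d, len, 0, &fmt) || fmt != 3 || rd16(d, len, 1, &n) || n == 0) return -1;
    memset(fds, 0, num_glyphs * sizeof *fds);   /* same starting state as calloc */
    if (rd16(d, len, off, &first)) return -1;
    for (unsigned i = 0; i < n; i++, off += 3) {
        /* 'next' is the following range's 'first', or the sentinel after the last one */
        if (rd8(d, len, off + 2, &fd) || rd16(d, len, off + 3, &next)) return -1;
        /* The check the fill loop needs: every index about to be written must
         * lie inside the array, whose size came from num_glyphs, not from the font. */
        if (next < first || next > num_glyphs) return -1;
        for (unsigned g = first; g < next; g++) fds[g] = fd;
        first = next;
    }
    return 0;
}

int main(void)
{
    int fds[NUM_GLYPHS];
    unsigned extent = 0;
    int rc = fdselect3_read(FDSELECT_OK, sizeof FDSELECT_OK, NUM_GLYPHS, fds);
    printf("ok table:  read=%d fds[9]=%d fds[10]=%d\n", rc, fds[9], fds[10]);
    rc = fdselect3_read(FDSELECT_BAD, sizeof FDSELECT_BAD, NUM_GLYPHS, fds);
    fdselect3_unchecked_extent(FDSELECT_BAD, sizeof FDSELECT_BAD, &extent);
    printf("bad table: read=%d; an unchecked loop would write index %u of a %u-element array\n",
           rc, extent - 1, NUM_GLYPHS);
    return 0;
}
```

With the bad table the hardened reader rejects the input, while the unchecked extent is 21, i.e. the last write would land at index 20 of a 20-element array: one element past the end, the same shape as the "0 bytes to the right of" region in the report. Whether cairo's index comes from the sentinel, a range start, or another field is not something this report shows.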