Heap-buffer-overflow READ 8 · _cairo_pdf_surface_emit_type1_font found while fuzzing poppler
==6070==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000002978 at pc 0x0000011c3f4f bp 0x7ffde89f16b0 sp 0x7ffde89f16a8
READ of size 8 at 0x608000002978 thread T0
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
#0 0x11c3f4e in _cairo_pdf_surface_emit_type1_font cairo/src/cairo-pdf-surface.c:5799:18
#1 0x11c00dc in _cairo_pdf_surface_emit_type1_font_subset cairo/src/cairo-pdf-surface.c:5847:14
#2 0x11be692 in _cairo_pdf_surface_emit_unscaled_font_subset cairo/src/cairo-pdf-surface.c:6373:14
#3 0x12a1254 in _cairo_sub_font_collect cairo/src/cairo-scaled-font-subsets.c:741:30
#4 0x129ddea in _cairo_scaled_font_subsets_foreach_internal cairo/src/cairo-scaled-font-subsets.c:1062:6
#5 0x129e102 in _cairo_scaled_font_subsets_foreach_unscaled cairo/src/cairo-scaled-font-subsets.c:1090:12
#6 0x11a7df0 in _cairo_pdf_surface_emit_font_subsets cairo/src/cairo-pdf-surface.c:6415:14
#7 0x11a2b30 in _cairo_pdf_surface_finish cairo/src/cairo-pdf-surface.c:2221:11
#8 0x1171918 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
#9 0x1170b59 in cairo_surface_finish cairo/src/cairo-surface.c:1079:5
#10 0x1231ec2 in _cairo_paginated_surface_finish cairo/src/cairo-paginated-surface.c:214:2
#11 0x1171918 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
#12 0x116e585 in cairo_surface_destroy cairo/src/cairo-surface.c:970:2
#13 0x689cc6 in LLVMFuzzerTestOneInput poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
#14 0x58e541 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#15 0x5782d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#16 0x57e615 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#17 0x5a84c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7ff4a4e5e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#19 0x5531e8 in _start
0x608000002978 is located 0 bytes to the right of 88-byte region [0x608000002920,0x608000002978)
allocated by thread T0 here:
#0 0x656d62 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
#1 0x12b085c in _cairo_type1_subset_init cairo/src/cairo-type1-subset.c:1756:28
#2 0x11c00ac in _cairo_pdf_surface_emit_type1_font_subset cairo/src/cairo-pdf-surface.c:5843:14
#3 0x11be692 in _cairo_pdf_surface_emit_unscaled_font_subset cairo/src/cairo-pdf-surface.c:6373:14
#4 0x12a1254 in _cairo_sub_font_collect cairo/src/cairo-scaled-font-subsets.c:741:30
#5 0x129ddea in _cairo_scaled_font_subsets_foreach_internal cairo/src/cairo-scaled-font-subsets.c:1062:6
#6 0x129e102 in _cairo_scaled_font_subsets_foreach_unscaled cairo/src/cairo-scaled-font-subsets.c:1090:12
#7 0x11a7df0 in _cairo_pdf_surface_emit_font_subsets cairo/src/cairo-pdf-surface.c:6415:14
#8 0x11a2b30 in _cairo_pdf_surface_finish cairo/src/cairo-pdf-surface.c:2221:11
#9 0x1171918 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
#10 0x1170b59 in cairo_surface_finish cairo/src/cairo-surface.c:1079:5
#11 0x1231ec2 in _cairo_paginated_surface_finish cairo/src/cairo-paginated-surface.c:214:2
#12 0x1171918 in _cairo_surface_finish cairo/src/cairo-surface.c:1030:11
#13 0x116e585 in cairo_surface_destroy cairo/src/cairo-surface.c:970:2
#14 0x689cc6 in LLVMFuzzerTestOneInput poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
#15 0x58e541 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#16 0x5782d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#17 0x57e615 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#18 0x5a84c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#19 0x7ff4a4e5e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
Line numbers according to
Poppler: 3252bc323c814eb010df011024f06597755b4b7d
Cairo: 974791b4eede7f2ff774b56dd90234ed2cd70311
Reproducible with this file clusterfuzz-testcase-minimized-pdf_draw_fuzzer-6246912239599616
This will eventually be publicly available at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27999
Please ask if you need help reproducing :)
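Added example, not code from cairo or poppler: a small C triage helper that parses the two decisive lines of the ASan report above (the "READ of size ..." line and the "... is located ..." line, copied verbatim as constructed input) and turns them into the facts worth having before opening cairo-pdf-surface.c:5799, namely how far past the 88-byte calloc'd chunk the 8-byte read lands, how many of the accessed bytes fall outside the chunk, and whether the numbers fit a read of one element past the end of an array of 8-byte fields. That last point is a heuristic hint I added for triage, not a statement about what the cairo code at that line actually does; the struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the two decisive lines of the ASan report above,
 * copied verbatim so the example runs offline. */
static const char *ACCESS_LINE =
    "READ of size 8 at 0x608000002978 thread T0";
static const char *REGION_LINE =
    "0x608000002978 is located 0 bytes to the right of 88-byte region "
    "[0x608000002920,0x608000002978)";

struct asan_oob {
    char kind[8];           /* "READ" or "WRITE" */
    char side[10];          /* "right" (overflow) or "left" (underflow) */
    unsigned size;          /* bytes touched by the faulting access */
    uint64_t addr;          /* first byte touched */
    uint64_t region_lo;     /* start of the heap chunk, inclusive */
    uint64_t region_hi;     /* end of the heap chunk, exclusive */
    unsigned region_size;   /* as printed by ASan; checked against hi - lo */
    uint64_t gap;           /* distance from the chunk edge to the first byte touched */
    uint64_t bytes_outside; /* how many of the touched bytes lie outside the chunk */
    int one_elem_past_end;  /* heuristic (assumption, not a fact about cairo): chunk is N
                               whole `size`-byte elements and the access starts exactly
                               at element N, the classic off-by-one loop bound */
    unsigned elem_index;    /* N when the heuristic fires, else 0 */
};

/* Parse the "READ/WRITE of size ..." line and the "... is located ..." line.
 * Returns 0 on success, -1 on a parse failure or an internally inconsistent report. */
static int parse_asan_oob(const char *access_line, const char *region_line,
                          struct asan_oob *r)
{
    unsigned long long addr, addr2, lo, hi, gap;
    memset(r, 0, sizeof *r);

    if (sscanf(access_line, "%7s of size %u at 0x%llx", r->kind, &r->size, &addr) != 3)
        return -1;
    if (sscanf(region_line,
               "0x%llx is located %llu bytes to the %9s of %u-byte region [0x%llx,0x%llx)",
               &addr2, &gap, r->side, &r->region_size, &lo, &hi) != 6)
        return -1;

    /* Sanity: both lines describe the same address and the chunk bounds match the size. */
    if (addr != addr2 || hi < lo || hi - lo != r->region_size)
        return -1;

    r->addr = addr; r->region_lo = lo; r->region_hi = hi; r->gap = gap;

    if (strcmp(r->side, "right") == 0) {
        if (addr < hi || addr - hi != gap)          /* ASan's own arithmetic must hold */
            return -1;
        r->bytes_outside = (addr + r->size) - hi;   /* the whole access is past the end */
        if (gap == 0 && r->size != 0 && r->region_size % r->size == 0) {
            r->one_elem_past_end = 1;
            r->elem_index = r->region_size / r->size;
        }
    } else if (strcmp(r->side, "left") == 0) {
        if (addr > lo || lo - addr != gap)
            return -1;
        /* Bytes before the chunk start; the access may also run into the chunk. */
        r->bytes_outside = (addr + r->size <= lo) ? r->size : (unsigned)(lo - addr);
    } else {
        return -1;
    }
    return 0;
}

/* Parse the sample lines into a global so the result can be inspected by name. */
static struct asan_oob g_sample;
static int parse_sample(void)
{
    return parse_asan_oob(ACCESS_LINE, REGION_LINE, &g_sample);
}

int main(void)
{
    if (parse_sample() != 0) {
        fputs("could not parse report\n", stderr);
        return 1;
    }
    printf("%s of %u bytes at 0x%llx, %llu bytes to the %s of a %u-byte chunk; "
           "%llu byte(s) outside\n",
           g_sample.kind, g_sample.size, (unsigned long long)g_sample.addr,
           (unsigned long long)g_sample.gap, g_sample.side, g_sample.region_size,
           (unsigned long long)g_sample.bytes_outside);
    if (g_sample.one_elem_past_end)
        printf("hint: numbers fit element %u of a %u-element array of %u-byte fields; "
               "check the loop bound at the faulting line\n",
               g_sample.elem_index, g_sample.elem_index, g_sample.size);
    return 0;
}
```

For this report the helper says the read starts exactly at the chunk's end (gap 0), so all 8 accessed bytes are outside the 88-byte allocation made in _cairo_type1_subset_init, and 88 is 11 times 8, which is the shape of an indexing or loop-bound error on an array of pointer-sized fields. The hint only narrows where to look in _cairo_pdf_surface_emit_type1_font; the actual cause has to be confirmed in the source at the two cited lines.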