I've run it. But I just checked that this crash doesn't happen.
Ilya Yegorov (303d11a9) at 14 Jul 16:05
fix clang format x3
Ilya Yegorov (cfae00b8) at 14 Jul 16:04
fix clang format x2
Ilya Yegorov (febba289) at 14 Jul 16:01
fix clang format
I created a pull request for this fix. !1221
Hi! That's the fix of find_text_fuzzer.cc discussed in this issue: #1269 (comment 1468163)
Ilya Yegorov (fa8741a1) at 14 Jul 15:52
fix find_text_fuzzer.cc
Ilya Yegorov (7f6437d1) at 14 Jul 15:49
Ilya Yegorov (7f6437d1) at 14 Jul 14:06
fix find_text_fuzzer.cc
Ilya Yegorov (bb165133) at 14 Jul 14:04
Ilya Yegorov (f267b180) at 14 Jul 14:02
Ilya Yegorov (f267b180) at 14 Jul 13:59
fix call g_utf8_validate()
Ilya Yegorov (9280b8f7) at 14 Jul 13:16
fix find_text_fuzzer.cc
Ilya Yegorov (bb165133) at 14 Jul 12:58
What function can we use in the fuzz target find_text_fuzzer.cc to check that `str` is valid UTF-8?
Hi! I've been fuzzing your project and found a heap-buffer-overflow in `poppler_page_find_text_with_options`. In line 858 of poppler-page.cc you use `text` as the first arg of `g_utf8_to_ucs4_fast()` without checking that `text` is a valid UTF-8 str. Exception occurs when opening the crash-23a1f09c3261d49a770ec27633f2b8cb6bd299f1 file. You can use docker and fuzz targets from oss-sydr-fuzz to reproduce the error:
`/out/find_text_fuzzer ./crash-23a1f09c3261d49a770ec27633f2b8cb6bd299f1`
Libfuzzer's output:
```
==192==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000c73f at pc 0x000003aed580 bp 0x7ffe83817120 sp 0x7ffe83817118
READ of size 1 at 0x61d00000c73f thread T0
#0 0x3aed57f in g_utf8_to_ucs4_fast /src/libfuzzer/glib-2.73.1/_builddir/../glib/gutf8.c:773:30
#1 0x6a2727 in poppler_page_find_text_with_options /src/libfuzzer/poppler/glib/poppler-page.cc:858:12
#2 0x6a4d7e in poppler_page_find_text /src/libfuzzer/poppler/glib/poppler-page.cc:921:12
#3 0x5ed796 in LLVMFuzzerTestOneInput /src/libfuzzer/poppler/glib/tests/fuzzing/find_text_fuzzer.cc:34:9
#4 0x51a041 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#5 0x503f5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#6 0x509cab in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#7 0x533242 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7febc80920b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x4fe87d in _start (/out/find_text_fuzzer+0x4fe87d)
0x61d00000c73f is located 0 bytes to the right of 2239-byte region [0x61d00000be80,0x61d00000c73f)
allocated by thread T0 here:
#0 0x5b41c2 in __interceptor_calloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
#1 0x5ed475 in LLVMFuzzerTestOneInput /src/libfuzzer/poppler/glib/tests/fuzzing/find_text_fuzzer.cc:25:19
#2 0x51a041 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#3 0x503f5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#4 0x509cab in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#5 0x533242 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#6 0x7febc80920b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libfuzzer/glib-2.73.1/_builddir/../glib/gutf8.c:773:30 in g_utf8_to_ucs4_fast
Shadow bytes around the buggy address:
0x0c3a7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff98b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff98c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff98d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff98e0: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
0x0c3a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==192==ABORTING
```
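The read "0 bytes to the right" of the calloc'd buffer is what happens when a lead byte sits at the very end of the input: `g_utf8_to_ucs4_fast()` performs no validation and strides over as many continuation bytes as the lead byte announces. The commit in this thread answers the question with `g_utf8_validate()` from GLib; the dependency-free validator below is an added example (not poppler's or GLib's code) that shows what such a check has to reject before the harness hands `data` to `poppler_page_find_text`. The names `utf8_is_valid` and `find_text_input_ok` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Validates that buf[0..len) is well-formed UTF-8 (RFC 3629): no overlong
 * encodings, no UTF-16 surrogates, nothing above U+10FFFF and, the case that
 * crashed the fuzz target, no sequence truncated by the end of the buffer. */
bool utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need;                        /* continuation bytes required */
        unsigned char lo = 0x80, hi = 0xBF; /* allowed range of the 2nd byte */
        if (b < 0x80) { i++; continue; }    /* ASCII */
        else if (b >= 0xC2 && b <= 0xDF) need = 1;
        else if (b == 0xE0) { need = 2; lo = 0xA0; } /* reject overlong */
        else if (b >= 0xE1 && b <= 0xEC) need = 2;
        else if (b == 0xED) { need = 2; hi = 0x9F; } /* reject surrogates */
        else if (b >= 0xEE && b <= 0xEF) need = 2;
        else if (b == 0xF0) { need = 3; lo = 0x90; } /* reject overlong */
        else if (b >= 0xF1 && b <= 0xF3) need = 3;
        else if (b == 0xF4) { need = 3; hi = 0x8F; } /* reject > U+10FFFF */
        else return false; /* 0x80..0xC1 and 0xF5..0xFF never start a char */
        if (len - i <= need)                /* truncated: would read past buf */
            return false;
        if (buf[i + 1] < lo || buf[i + 1] > hi)
            return false;
        for (size_t k = 2; k <= need; k++)
            if (buf[i + k] < 0x80 || buf[i + k] > 0xBF)
                return false;
        i += need + 1;
    }
    return true;
}

/* Guard for the fuzz target (hypothetical name): the search string is passed
 * on as a NUL-terminated C string, so an embedded NUL would only truncate it,
 * and anything that is not valid UTF-8 must not reach the conversion. */
bool find_text_input_ok(const unsigned char *data, size_t size)
{
    for (size_t k = 0; k < size; k++)
        if (data[k] == 0)
            return false;
    return utf8_is_valid(data, size);
}
```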
Hi! I've been fuzzing your project and found a heap-buffer-overflow in find_name.
In the loop in line 1457 of cairo-truetype-subset.c, when i = 422, record has the address 0x6220000014ce, but the allocated region is only [0x622000000100,0x6220000014cc).
Exception occurs when opening crash-10cf2914e8157909e40e91375cab0ffe0cd87e14 file. You can use docker and fuzz targets from oss-sydr-fuzz to reproduce error:
`/out/annot_fuzzer ./crash-10cf2914e8157909e40e91375cab0ffe0cd87e14`
Libfuzzer's output:
```
==31==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6220000014d4 at pc 0x00000458abeb bp 0x7ffd4545b1c0 sp 0x7ffd4545b1b8
READ of size 2 at 0x6220000014d4 thread T0
#0 0x458abea in find_name /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1457:27
#1 0x4589e6c in _cairo_truetype_read_font_name /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1588:14
#2 0x4594fb8 in _cairo_truetype_font_create /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:241:14
#3 0x457bdea in cairo_truetype_subset_init_internal /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1147:14
#4 0x4582849 in _cairo_truetype_subset_init_pdf /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1255:12
#5 0x3fa3e26 in _cairo_pdf_surface_emit_truetype_font_subset /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:6220:14
#6 0x3fa180f in _cairo_pdf_surface_emit_unscaled_font_subset /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:6694:14
#7 0x45790a9 in _cairo_sub_font_collect /src/libfuzzer/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
#8 0x45668ea in _cairo_scaled_font_subsets_foreach_internal /src/libfuzzer/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
#9 0x4566e11 in _cairo_scaled_font_subsets_foreach_unscaled /src/libfuzzer/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
#10 0x3f1b359 in _cairo_pdf_surface_emit_font_subsets /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:6740:14
#11 0x3f03d5d in _cairo_pdf_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:2501:11
#12 0x3dd180a in _cairo_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:1030:11
#13 0x3dccd55 in cairo_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:1079:5
#14 0x42ab5d5 in _cairo_paginated_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
#15 0x3dd180a in _cairo_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:1030:11
#16 0x3dbf970 in cairo_surface_destroy /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:970:2
#17 0x5ed9e1 in LLVMFuzzerTestOneInput /src/libfuzzer/poppler/glib/tests/fuzzing/annot_fuzzer.cc:73:5
#18 0x51a051 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#19 0x503f6c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#20 0x509cbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#21 0x533252 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#22 0x7f8ada8250b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#23 0x4fe88d in _start (/out/annot_fuzzer+0x4fe88d)
0x6220000014d4 is located 8 bytes to the right of 5068-byte region [0x622000000100,0x6220000014cc)
allocated by thread T0 here:
#0 0x5b405d in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x45898b3 in _cairo_truetype_read_font_name /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1575:12
#2 0x4594fb8 in _cairo_truetype_font_create /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:241:14
#3 0x457bdea in cairo_truetype_subset_init_internal /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1147:14
#4 0x4582849 in _cairo_truetype_subset_init_pdf /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1255:12
#5 0x3fa3e26 in _cairo_pdf_surface_emit_truetype_font_subset /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:6220:14
#6 0x3fa180f in _cairo_pdf_surface_emit_unscaled_font_subset /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:6694:14
#7 0x45790a9 in _cairo_sub_font_collect /src/libfuzzer/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
#8 0x45668ea in _cairo_scaled_font_subsets_foreach_internal /src/libfuzzer/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
#9 0x4566e11 in _cairo_scaled_font_subsets_foreach_unscaled /src/libfuzzer/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
#10 0x3f1b359 in _cairo_pdf_surface_emit_font_subsets /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:6740:14
#11 0x3f03d5d in _cairo_pdf_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-pdf-surface.c:2501:11
#12 0x3dd180a in _cairo_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:1030:11
#13 0x3dccd55 in cairo_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:1079:5
#14 0x42ab5d5 in _cairo_paginated_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
#15 0x3dd180a in _cairo_surface_finish /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:1030:11
#16 0x3dbf970 in cairo_surface_destroy /src/libfuzzer/cairo/_builddir/../src/cairo-surface.c:970:2
#17 0x5ed9e1 in LLVMFuzzerTestOneInput /src/libfuzzer/poppler/glib/tests/fuzzing/annot_fuzzer.cc:73:5
#18 0x51a051 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#19 0x503f6c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#20 0x509cbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#21 0x533252 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#22 0x7f8ada8250b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libfuzzer/cairo/_builddir/../src/cairo-truetype-subset.c:1457:27 in find_name
Shadow bytes around the buggy address:
0x0c447fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fff8290: 00 00 00 00 00 00 00 00 00 04[fa]fa fa fa fa fa
0x0c447fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31==ABORTING
```
Hi! I've been fuzzing your project and found an integer overflow in readPatternDictSeg.
In line 2505 of JBIG2Stream.cc you use `(grayMax + 1) * patternW` as the second arg of readPatternDictSeg without an integer overflow check.
Exception occurs when opening the sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed file. You can use docker and fuzz targets from oss-sydr-fuzz to reproduce the error:
`/out/page_label_fuzzer ./sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed`
Libfuzzer's output:
```
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1759908738
INFO: Loaded 1 modules (851926 inline 8-bit counters): 851926 [0x60afae8, 0x617fabe),
INFO: Loaded 1 PC tables (851926 PCs): 851926 [0x617fac0,0x6e7f820),
/out/page_label_fuzzer: Running 1 inputs 1 time(s) each.
Running: /fuzz/page_label-out/security-verified/sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed
/src/libfuzzer/poppler/poppler/NameToCharCode.cc:129:16: runtime error: unsigned integer overflow: 17 * 2686153882 cannot be represented in type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/NameToCharCode.cc:129:16 in
/src/libfuzzer/poppler/poppler/PDFDoc.cc:364:21: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/PDFDoc.cc:364:21 in
/src/libfuzzer/poppler/poppler/PDFDoc.cc:2000:30: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/PDFDoc.cc:2000:30 in
/src/libfuzzer/poppler/poppler/Lexer.cc:587:20: runtime error: implicit conversion from type 'int' of value 254 (32-bit, signed) to type 'char' changed the value to -2 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/Lexer.cc:587:20 in
/src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:51: runtime error: unsigned integer overflow: 1431663872 * 3 cannot be represented in type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:51 in
/src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:113: runtime error: implicit conversion from type 'unsigned int' of value 2155905145 (32-bit, unsigned) to type 'int' changed the value to -2139062151 (32-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:113 in
Bogus memory allocation size
/src/libfuzzer/poppler/poppler/Stream.cc:143:18: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/Stream.cc:143:18 in
/src/libfuzzer/poppler/poppler/PDFDoc.cc:1966:26: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/PDFDoc.cc:1966:26 in
Bogus memory allocation size
Executed /fuzz/page_label-out/security-verified/sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed in 24 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
```
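The two JBIG2Stream.cc:2505 lines in that log show the size going wrong twice: the unsigned product `1431663872 * 3` wraps, and a product that does not wrap but exceeds INT_MAX (`2155905145`) turns negative when narrowed to `int`, which is what the "Bogus memory allocation size" that follows reports. The functions below are an added example (not poppler's code, names `naive_pattern_row_width` and `checked_pattern_row_width` are hypothetical) putting the expression as written beside a form that rejects both cases; it assumes the callee takes an `int`, as the narrowing conversion in the log indicates, and uses the GCC/Clang `__builtin_*_overflow` builtins.

```c
#include <stdbool.h>
#include <limits.h>

/* The expression as the sanitizer saw it: unsigned wrap, then narrowing to
 * int. Unsigned wrap is defined in C, the narrowing of an out-of-range value
 * is implementation-defined (modulo 2^32 on GCC and Clang), so this mirrors
 * the log without itself being undefined behaviour. */
int naive_pattern_row_width(unsigned int grayMax, unsigned int patternW)
{
    return (int)((grayMax + 1) * patternW);
}

/* Hardened form: compute (grayMax + 1) * patternW and fail instead of
 * handing a wrapped or negative size onward. Returns false on any overflow;
 * on success *out holds the width as a non-negative int. */
bool checked_pattern_row_width(unsigned int grayMax, unsigned int patternW, int *out)
{
    unsigned int count, total;
    if (__builtin_add_overflow(grayMax, 1u, &count))      /* grayMax == UINT_MAX */
        return false;
    if (__builtin_mul_overflow(count, patternW, &total))  /* e.g. 1431663872 * 3 */
        return false;
    if (total > (unsigned int)INT_MAX)                    /* e.g. 2155905145 */
        return false;
    *out = (int)total;
    return true;
}
```

A caller treats `false` like any other malformed pattern dictionary segment and stops decoding it, so the size never reaches the allocator.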