heap-buffer-overflow in poppler_page_find_text_with_options
Hi!
I've been fuzzing your project and found a heap-buffer-overflow in poppler_page_find_text_with_options.
In line 858 of poppler-page.cc you use `text` as the first arg of g_utf8_to_ucs4_fast() without checking that `text` is a valid UTF-8 string.
The exception occurs when opening the crash-23a1f09c3261d49a770ec27633f2b8cb6bd299f1 file.
You can use docker and fuzz targets from oss-sydr-fuzz to reproduce the error:

```
/out/find_text_fuzzer ./crash-23a1f09c3261d49a770ec27633f2b8cb6bd299f1
```
Libfuzzer's output:
```
==192==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000c73f at pc 0x000003aed580 bp 0x7ffe83817120 sp 0x7ffe83817118
READ of size 1 at 0x61d00000c73f thread T0
    #0 0x3aed57f in g_utf8_to_ucs4_fast /src/libfuzzer/glib-2.73.1/_builddir/../glib/gutf8.c:773:30
    #1 0x6a2727 in poppler_page_find_text_with_options /src/libfuzzer/poppler/glib/poppler-page.cc:858:12
    #2 0x6a4d7e in poppler_page_find_text /src/libfuzzer/poppler/glib/poppler-page.cc:921:12
    #3 0x5ed796 in LLVMFuzzerTestOneInput /src/libfuzzer/poppler/glib/tests/fuzzing/find_text_fuzzer.cc:34:9
    #4 0x51a041 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #5 0x503f5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #6 0x509cab in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #7 0x533242 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7febc80920b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x4fe87d in _start (/out/find_text_fuzzer+0x4fe87d)

0x61d00000c73f is located 0 bytes to the right of 2239-byte region [0x61d00000be80,0x61d00000c73f)
allocated by thread T0 here:
    #0 0x5b41c2 in __interceptor_calloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x5ed475 in LLVMFuzzerTestOneInput /src/libfuzzer/poppler/glib/tests/fuzzing/find_text_fuzzer.cc:25:19
    #2 0x51a041 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #3 0x503f5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #4 0x509cab in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #5 0x533242 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #6 0x7febc80920b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libfuzzer/glib-2.73.1/_builddir/../glib/gutf8.c:773:30 in g_utf8_to_ucs4_fast
Shadow bytes around the buggy address:
  0x0c3a7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff98b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff98c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff98d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff98e0: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
  0x0c3a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff9930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==192==ABORTING
```
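As an added illustration of the missing check (this is not code from the report or from poppler), here is a validate-then-convert helper that refuses a truncated or malformed UTF-8 sequence instead of reading the continuation bytes a lead byte announces past the end of the buffer, which is what an unchecked conversion of untrusted text does. In poppler's case the equivalent is validating `text` (e.g. with g_utf8_validate()) before calling g_utf8_to_ucs4_fast(), which is documented to require valid UTF-8; the code below is self-contained C that assumes nothing from GLib.

```c
#include <stddef.h>
#include <stdint.h>

/* Length of the UTF-8 sequence announced by lead byte c, or 0 if c cannot
 * start a sequence (continuation byte, C0/C1 overlong lead, F5..FF). */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if (c >= 0xF0 && c <= 0xF4) return 4;
    return 0;
}

/* Decode one sequence at p with n bytes available (n >= 1). Returns the code
 * point and sets *used, or -1 on malformed or truncated input. The `len > n`
 * test is the check an unchecked "fast" decoder skips before overreading. */
static int64_t utf8_decode_one(const unsigned char *p, size_t n, size_t *used)
{
    size_t len = utf8_seq_len(p[0]);
    if (len == 0 || len > n) return -1;            /* bad lead byte or truncated */
    uint32_t cp = len == 1 ? p[0] : p[0] & (0x7F >> len);
    for (size_t k = 1; k < len; k++) {
        if ((p[k] & 0xC0) != 0x80) return -1;      /* missing continuation byte */
        cp = (cp << 6) | (p[k] & 0x3F);
    }
    if ((len == 3 && cp < 0x800) || (len == 4 && cp < 0x10000) ||
        (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF)
        return -1;                                 /* overlong, surrogate, > U+10FFFF */
    *used = len;
    return cp;
}

/* Validate-then-convert: writes the UCS-4 code points of buf[0..len) into out
 * (capacity out_cap) and returns the count, or -1 if the input is not valid
 * UTF-8 or does not fit. Nothing is ever read beyond buf + len. */
ptrdiff_t utf8_to_ucs4_checked(const char *buf, size_t len, uint32_t *out, size_t out_cap)
{
    const unsigned char *p = (const unsigned char *)buf;
    size_t i = 0, n = 0;
    while (i < len) {
        size_t used = 0;
        int64_t cp = utf8_decode_one(p + i, len - i, &used);
        if (cp < 0 || n == out_cap) return -1;
        out[n++] = (uint32_t)cp;
        i += used;
    }
    return (ptrdiff_t)n;
}
```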