HexHive / magma

A ground-truth fuzzing benchmark suite based on real programs with real bugs.
https://hexhive.epfl.ch/magma

a heap-use-after-free found in poppler #168

Closed flyfish101 closed 6 months ago

flyfish101 commented 7 months ago

It is detected by my custom fuzzer. Maybe it should be fixed in magma.

poc.zip


./pdftoppm -mono -cropbox ./poc
Syntax Warning: Illegal entry in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
=================================================================
==2238967==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001960 at pc 0x000000b70768 bp 0x7fffffffabc0 sp 0x7fffffffabb8
READ of size 4 at 0x604000001960 thread T0
    #0 0xb70767 in Splash::pipeSetXY(SplashPipe*, int, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:1193:21
    #1 0xb6bdac in Splash::pipeInit(SplashPipe*, int, int, SplashPattern*, unsigned char*, unsigned char, bool, bool, bool, unsigned char) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:207:5
    #2 0xb7ddda in Splash::fillWithPattern(SplashPath*, bool, SplashPattern*, double) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:2394:9
    #3 0xb84d7e in Splash::fill(SplashPath*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:2278:12
    #4 0xae196c in SplashOutputDev::fill(GfxState*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:2110:13
    #5 0x7fcba4 in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3304:14
    #6 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #7 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #8 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #9 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #10 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #11 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #12 0x7f41d9 in Gfx::doGouraudTriangleShFill(GfxGouraudTriangleShading*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3261:13
    #13 0x80af95 in Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:2318:9
    #14 0x82334a in Gfx::doPatternFill(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1898:9
    #15 0x7d1ba9 in Gfx::opFill(Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1758:17
    #16 0x812b91 in Gfx::execOp(Object*, Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:804:5
    #17 0x810ce5 in Gfx::go(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:681:13
    #18 0x80f32c in Gfx::display(Object*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:642:5
    #19 0x70b87e in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:576:14
    #20 0x6ce84b in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/PDFDoc.cc:662:24
    #21 0x5f368f in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:288:10
    #22 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #23 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #24 0x47ccbd in _start (/home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/out_PDF006_pure/pdftoppm+0x47ccbd)

0x604000001960 is located 16 bytes inside of 48-byte region [0x604000001950,0x604000001980)
freed by thread T0 here:
    #0 0x572437 in operator delete(void*) /home/fuzz/Desktop/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:152:3
    #1 0xbbd409 in Splash::gouraudTriangleShadedFill(SplashGouraudColor*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:5470:17
    #2 0xae9e2a in SplashOutputDev::gouraudTriangleShadedFill(GfxState*, GfxGouraudTriangleShading*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:4418:33
    #3 0x7f38d2 in Gfx::doGouraudTriangleShFill(GfxGouraudTriangleShading*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3229:18
    #4 0x80af95 in Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:2318:9
    #5 0x82334a in Gfx::doPatternFill(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1898:9
    #6 0x7d1ba9 in Gfx::opFill(Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1758:17
    #7 0x812b91 in Gfx::execOp(Object*, Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:804:5
    #8 0x810ce5 in Gfx::go(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:681:13
    #9 0x80f32c in Gfx::display(Object*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:642:5
    #10 0x70b87e in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:576:14
    #11 0x6ce84b in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/PDFDoc.cc:662:24
    #12 0x5f368f in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:288:10
    #13 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #14 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x571a37 in operator new(unsigned long) /home/fuzz/Desktop/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0xada3ce in SplashOutputDev::startPage(int, GfxState*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:1350:18
    #2 0x838d76 in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle const*, PDFRectangle const*, int, bool (*)(void*), void*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:480:10
    #3 0x70cb0e in Page::createGfx(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:550:15
    #4 0x70b803 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:571:11
    #5 0x6ce84b in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/PDFDoc.cc:662:24
    #6 0x5f368f in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:288:10
    #7 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #8 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:1193:21 in Splash::pipeSetXY(SplashPipe*, int, int)
Shadow bytes around the buggy address:
  0x0c087fff82d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff82e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff82f0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8300: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8310: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c087fff8320: fa fa fd fd fd fd fd fa fa fa fd fd[fd]fd fd fd
  0x0c087fff8330: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8340: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x0c087fff8350: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c087fff8360: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8370: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2238967==ABORTING
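The report above carries three stacks: the faulting read in `Splash::pipeSetXY`, the `delete` in `Splash::gouraudTriangleShadedFill`, and the `new` in `SplashOutputDev::startPage`. When a fuzzing campaign produces many such reports, the first question is whether a new crash is the same bug, which means reducing a report to the first target frame of each stack. The following Python parser is an added example, not code from the issue or from magma's own tooling; `SAMPLE_REPORT` is a trimmed copy of the report above, and the `RUNTIME_PATHS` filter and the signature format are my own assumptions.

```python
"""Reduce an AddressSanitizer report to a crash-dedup signature (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed copy of the pdftoppm report from the issue above: only the frames
# needed to show the access, free and allocation stacks are kept.
SAMPLE_REPORT = """\
==2238967==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001960 at pc 0x000000b70768 bp 0x7fffffffabc0 sp 0x7fffffffabb8
READ of size 4 at 0x604000001960 thread T0
    #0 0xb70767 in Splash::pipeSetXY(SplashPipe*, int, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:1193:21
    #1 0xb6bdac in Splash::pipeInit(SplashPipe*, int, int, SplashPattern*, unsigned char*, unsigned char, bool, bool, bool, unsigned char) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:207:5
    #2 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #3 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x47ccbd in _start (/home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/out_PDF006_pure/pdftoppm+0x47ccbd)

0x604000001960 is located 16 bytes inside of 48-byte region [0x604000001950,0x604000001980)
freed by thread T0 here:
    #0 0x572437 in operator delete(void*) /home/fuzz/Desktop/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:152:3
    #1 0xbbd409 in Splash::gouraudTriangleShadedFill(SplashGouraudColor*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:5470:17
    #2 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9

previously allocated by thread T0 here:
    #0 0x571a37 in operator new(unsigned long) /home/fuzz/Desktop/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0xada3ce in SplashOutputDev::startPage(int, GfxState*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:1350:18
    #2 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:1193:21 in Splash::pipeSetXY(SplashPipe*, int, int)
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-fA-F]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+ thread T\d+")
# "#n 0xPC in <function with spaces and parens> <location>": the location is the last token.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.*) (?P<loc>\S+)$")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes (?P<where>inside of|to the right of|to the left of) (?P<size>\d+)-byte region")
# Assumed filter: frames in the sanitizer runtime or libc say nothing about the target.
RUNTIME_PATHS = ("compiler-rt/lib/asan", "libc-start.c")
RUNTIME_FUNCS = ("_start", "__libc_start_main")


@dataclass
class Frame:
    index: int
    func: str
    loc: str

    def short_loc(self) -> str:
        """'/a/b/Splash.cc:1193:21' -> 'Splash.cc:1193' (drop directory and column)."""
        base = self.loc.rsplit("/", 1)[-1]
        parts = base.split(":")
        return ":".join(parts[:2]) if len(parts) >= 2 else base

    def is_runtime(self) -> bool:
        return self.func in RUNTIME_FUNCS or any(p in self.loc for p in RUNTIME_PATHS)


@dataclass
class AsanReport:
    kind: str = "unknown"
    access: Optional[str] = None      # e.g. "READ 4"
    region: Optional[str] = None      # e.g. "16 bytes inside of 48-byte region"
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # access / free / alloc

    def first_target_frame(self, stack: str) -> Optional[Frame]:
        """First frame of the named stack that lies in the target, not the runtime."""
        return next((f for f in self.stacks.get(stack, []) if not f.is_runtime()), None)

    def signature(self) -> str:
        """Dedup key (assumed format): bug kind plus the target site of each stack."""
        parts = [self.kind]
        for name in ("access", "free", "alloc"):
            frame = self.first_target_frame(name)
            if frame is not None:
                parts.append(f"{name}@{frame.short_loc()}")
        return " ".join(parts)


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; a blank line terminates the current stack."""
    report = AsanReport()
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if (m := HEADER_RE.search(line)):
            report.kind = m.group("kind")
        elif (m := ACCESS_RE.match(line)):
            report.access = f"{m.group('op')} {m.group('size')}"
            current = "access"
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif (m := REGION_RE.search(line)):
            report.region = f"{m.group('off')} bytes {m.group('where')} {m.group('size')}-byte region"
        elif current and (m := FRAME_RE.match(line)):
            report.stacks.setdefault(current, []).append(
                Frame(int(m.group("n")), m.group("func"), m.group("loc")))
    return report


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.access, r.region)
    print(r.signature())
```

Feeding the full report from the issue gives the same signature as the trimmed copy, because only the first non-runtime frame of each stack is used; a fuzzer queue can therefore bucket every input that hits this free/use pair under one key, regardless of how deep the `gouraudFillTriangle` recursion went before the read.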

flyfish101 commented 6 months ago

CVE-2024-31635 has been assigned.