[cairo] bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring

iasunsea at sina.com
Sun Jun 25 15:33:46 UTC 2023


When we ran the poppler fuzzer with fusiontest-testcase-pdf_draw_fuzzer-202110250014, we found that cairo has a heap buffer overflow. We put together bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch, and I think the patch still needs some optimization.

==445389==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000015a05 at pc 0x0000012d17a5 bp 0x7ffe4b558d70 sp 0x7ffe4b558d68
READ of size 1 at 0x625000015a05 thread T0
    #0 0x12d17a4 in cairo_cff_parse_charstring /src/cairo/_builddir/../src/cairo-cff-subset.c:1519:13
    #1 0x12d0d00 in cairo_cff_parse_charstring /src/cairo/_builddir/../src/cairo-cff-subset.c
    #2 0x12cf6e2 in cairo_cff_find_width_and_subroutines_used /src/cairo/_builddir/../src/cairo-cff-subset.c:1689:14
    #3 0x12cd480 in cairo_cff_font_subset_charstrings_and_subroutines /src/cairo/_builddir/../src/cairo-cff-subset.c:1806:15
    #4 0x12c87eb in cairo_cff_font_subset_font /src/cairo/_builddir/../src/cairo-cff-subset.c:1987:14
    #5 0x12c395e in cairo_cff_font_generate /src/cairo/_builddir/../src/cairo-cff-subset.c:2600:14
    #6 0x12c284a in _cairo_cff_subset_init /src/cairo/_builddir/../src/cairo-cff-subset.c:2977:14
    #7 0x11f79dc in _cairo_pdf_surface_emit_cff_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:5939:14
    #8 0x11f7222 in _cairo_pdf_surface_emit_unscaled_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6654:14
    #9 0x12dcae4 in _cairo_sub_font_collect /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
    #10 0x12d972a in _cairo_scaled_font_subsets_foreach_internal /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
    #11 0x12d9a42 in _cairo_scaled_font_subsets_foreach_unscaled /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
    #12 0x11e00a0 in _cairo_pdf_surface_emit_font_subsets /src/cairo/_builddir/../src/cairo-pdf-surface.c:6704:14
    #13 0x11da865 in _cairo_pdf_surface_finish /src/cairo/_builddir/../src/cairo-pdf-surface.c:2486:11
    #14 0x11a8568 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
    #15 0x11a77b9 in cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1079:5
    #16 0x126d132 in _cairo_paginated_surface_finish /src/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
    #17 0x11a8568 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
    #18 0x11a5245 in cairo_surface_destroy /src/cairo/_builddir/../src/cairo-surface.c:970:2
    #19 0x6a3436 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
    #20 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #21 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #22 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #23 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #24 0x7f7c9849db26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
    #25 0x5707f9 in _start (/root/oss-fuzz/build/out/poppler/pdf_draw_fuzzer+0x5707f9)

Address 0x625000015a05 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairo-cff-subset.c:1519:13 in cairo_cff_parse_charstring
Shadow bytes around the buggy address:
  0x0c4a7fffaaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffab40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffab90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==445389==ABORTING

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/05225960/attachment-0001.htm>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bugfix-fix-heap-buffer-overflow-in-cairo_cff_parse_charstring.patch
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/05225960/attachment-0001.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fusiontest-testcase-pdf_draw_fuzzer-202110250014
Type: application/octet-stream
Size: 13829 bytes
Desc: not available
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/05225960/attachment-0001.obj>
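As an added triage example (not part of the original post, the attached patch, or the cairo project), the following Python parses an AddressSanitizer report of the shape quoted above into structured fields: error kind, access type and size, the stack frames, the SUMMARY location, and whether ASan flagged the address as a wild pointer. It then derives the first frame inside the project under test and a deduplication signature, and flags consecutive frames in the same function (here #0 and #1 are both in cairo_cff_parse_charstring, which is what a charstring parser recursing into a subroutine looks like). The sample input is a constructed, abbreviated excerpt of the report in the post; the project prefix /src/cairo/ and the helper names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Frame:
    index: int
    pc: str
    function: str
    location: str  # "file:line:col", a bare file, or "(module+offset)"


@dataclass
class AsanReport:
    pid: int
    error: str                 # e.g. "heap-buffer-overflow"
    address: str
    access: Optional[str] = None   # "READ" or "WRITE"
    size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    summary_location: Optional[str] = None
    wild_pointer: bool = False     # ASan could not tie the address to a known allocation


HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-f]+) in (.+?) (\S+)$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (\S+) in (\S+)")


def parse_asan_report(text: str) -> AsanReport:
    """Turn a raw ASan report into an AsanReport; frames are only taken from the first stack."""
    report: Optional[AsanReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), error=m.group(2), address=m.group(3))
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and report.summary_location is None:
            report.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        if line.endswith("is a wild pointer."):
            report.wild_pointer = True
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary_location = m.group(1)
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def blamed_frame(report: AsanReport, project_prefix: str = "/src/cairo/") -> Optional[Frame]:
    """First frame whose source path lies under the project being analysed (assumed prefix)."""
    for f in report.frames:
        if f.location.startswith(project_prefix):
            return f
    return None


def crash_signature(report: AsanReport, project_prefix: str = "/src/cairo/") -> str:
    """Stable key for deduplicating crashes: error kind, access, blamed function and file:line."""
    f = blamed_frame(report, project_prefix)
    where = f"{f.function}@{f.location.rsplit('/', 1)[-1]}" if f else "unknown"
    access = f"{report.access}:{report.size}" if report.access else "n/a"
    return f"{report.error}|{access}|{where}"


def self_recursion(report: AsanReport) -> List[str]:
    """Functions that occupy two consecutive frames, a hint that the parser recursed into itself."""
    found: List[str] = []
    for prev, cur in zip(report.frames, report.frames[1:]):
        if prev.function == cur.function and cur.function not in found:
            found.append(cur.function)
    return found


# Constructed, abbreviated excerpt of the report quoted in the post (frames #3-#18 and #21-#25 omitted).
SAMPLE_REPORT = """\
==445389==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000015a05 at pc 0x0000012d17a5 bp 0x7ffe4b558d70 sp 0x7ffe4b558d68
READ of size 1 at 0x625000015a05 thread T0
    #0 0x12d17a4 in cairo_cff_parse_charstring /src/cairo/_builddir/../src/cairo-cff-subset.c:1519:13
    #1 0x12d0d00 in cairo_cff_parse_charstring /src/cairo/_builddir/../src/cairo-cff-subset.c
    #2 0x12cf6e2 in cairo_cff_find_width_and_subroutines_used /src/cairo/_builddir/../src/cairo-cff-subset.c:1689:14
    #19 0x6a3436 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
    #20 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #24 0x7f7c9849db26 in __libc_start_main (/lib64/libc.so.6+0x25b26)

Address 0x625000015a05 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairo-cff-subset.c:1519:13 in cairo_cff_parse_charstring
Shadow bytes around the buggy address:
  0x0c4a7fffab40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==445389==ABORTING
"""

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(r))
    print("recursive functions:", self_recursion(r))
```

The "wild pointer" flag is worth surfacing in triage: ASan prints it when the faulting address does not fall inside or next to any allocation it tracks, so the shadow dump (all heap-left-redzone bytes here) will not tell you which buffer was overrun, and the file:line in frame #0 is the only precise lead.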

