Bug 702253: Avoid a use-after-free in fz_drop_band_writer #14
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A use-after-free would occur when a valid page was followed by a page with invalid pixmap dimensions, causing bander -- a static -- to point to previously freed memory instead of a new band_writer.
|
Committed: 96751b2 |
GerHobbelt
pushed a commit
to GerHobbelt/mupdf
that referenced
this pull request
Dec 9, 2022
$ ./build/sanitize/mutool draw -Dst ./x/tiff/segfault/goat.tiff
page ./x/tiff/segfault/goat.tiff 1AddressSanitizer:DEADLYSIGNAL
=================================================================
==3377970==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x55dfed459a1b bp 0x7ffecf93ebc0 sp 0x7ffecf93eac0 T0)
==3377970==The signal is caused by a READ memory access.
==3377970==Hint: address points to the zero page.
#0 0x55dfed459a1b in fz_convert_pixmap_samples source/fitz/colorspace.c:1421
#1 0x55dfed57bad0 in fz_convert_pixmap source/fitz/pixmap.c:1065
#2 0x55dfed481194 in convert_pixmap_for_painting source/fitz/draw-device.c:1682
ArtifexSoftware#3 0x55dfed482e2c in fz_draw_fill_image source/fitz/draw-device.c:1852
ArtifexSoftware#4 0x55dfed461d34 in fz_fill_image source/fitz/device.c:351
ArtifexSoftware#5 0x55dfed7841a0 in img_run_page source/cbz/muimg.c:105
ArtifexSoftware#6 0x55dfed466fe9 in fz_run_page_contents source/fitz/document.c:642
ArtifexSoftware#7 0x55dfed467358 in fz_run_page source/fitz/document.c:692
ArtifexSoftware#8 0x55dfed3ebbc9 in drawband source/tools/mudraw.c:624
ArtifexSoftware#9 0x55dfed3f0e91 in dodrawpage source/tools/mudraw.c:1125
ArtifexSoftware#10 0x55dfed3f32c1 in drawpage source/tools/mudraw.c:1460
ArtifexSoftware#11 0x55dfed3f3716 in drawrange source/tools/mudraw.c:1499
ArtifexSoftware#12 0x55dfed3f8fcf in mudraw_main source/tools/mudraw.c:2501
ArtifexSoftware#13 0x55dfed3e9736 in main source/tools/mutool.c:152
ArtifexSoftware#14 0x7fae19829209 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
ArtifexSoftware#15 0x7fae198292bb in __libc_start_main_impl ../csu/libc-start.c:389
ArtifexSoftware#16 0x55dfed3e8f60 in _start (/home/sebras/src/mupdf/build/sanitize/mutool+0x21bf60)
FelixEngl
pushed a commit
to FelixEngl/mupdf
that referenced
this pull request
Sep 8, 2024
* build: make build flags features * build: use pkg-config crate for more robust library handling * build: revert to inverse handling of HAVE_* flags * build: remove useless features
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A use-after-free would occur when a valid page was followed by
a page with invalid pixmap dimensions, causing bander --
a static -- to point to previously freed memory instead of a new
band_writer.