GNOME Bugzilla – Bug 788980
Multiple out of bound write and segfault
Last modified: 2017-12-22 02:59:38 UTC
Created attachment 361578 [details] poc

Hey, my fuzzer found a pdf that crashes evince when reading in the pdf. No further action is required. Valgrind reports multiple "invalid write" as you can see below. The problem also exists in the preview, when evince is started without a pdf to read. Please see attached the pdf.

==17142== Invalid write of size 4
==17142==    at 0x1D175C8C: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa14c is 0 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== TIFFFillStrip: Invalid strip byte count 0, strip 48104.
==17142==
==17142== Process terminating with default action of signal 11 (SIGSEGV)
==17142==  Access not within mapped region at address 0x461FB000
==17142==    at 0x1D175C8C: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  If you believe this happened as a result of a stack
==17142==  overflow in your program's main thread (unlikely but
==17142==  possible), you can try to increase the size of the
==17142==  main thread stack using the --main-stacksize= flag.
==17142==  The main thread stack size used in this run was 8388608.
==17142==
==17142== HEAP SUMMARY:
==17142==     in use at exit: 618,127,297 bytes in 93,160 blocks
==17142==   total heap usage: 495,867 allocs, 402,707 frees, 666,656,551 bytes allocated
==17142==
==17142== LEAK SUMMARY:
==17142==    definitely lost: 7,856 bytes in 14 blocks
==17142==    indirectly lost: 42,512 bytes in 1,803 blocks
==17142==      possibly lost: 26,140 bytes in 89 blocks
==17142==    still reachable: 616,817,229 bytes in 83,130 blocks
==17142==                       of which reachable via heuristic:
==17142==                         length64           : 16,912 bytes in 214 blocks
==17142==                         newarray           : 2,656 bytes in 86 blocks
==17142==         suppressed: 0 bytes in 0 blocks
==17142== Rerun with --leak-check=full to see details of leaked memory
==17142==
==17142== For counts of detected and suppressed errors, rerun with: -v
==17142== ERROR SUMMARY: 942 errors from 9 contexts (suppressed: 0 from 0)
> ==17142== Address 0x461fa154 is 8 bytes after a block of size 603,992,332 alloc'd

Ouch! Anyway, all of these are in libtiff, so probably you should inform its developers, not the evince devs.
Created attachment 362503 [details] [review] Fix-overflow-check-in-tiff_document_render.patch

(In reply to sebastian.feldmann.hb from comment #0)
> my fuzzer found a pdf that crashes evince when reading in the pdf. No
> further action is required. Valgrind reports multiple "invalid write" as you
> can see below.

I don't see these memory errors on Debian Sid. I think this is because libtiff is bailing early. I do however see an overflow check in evince's backend/tiff/tiff-document.c which isn't working when compiled with optimizations. Can you try out this patch and see if it fixes the memory errors?
Review of attachment 362503 [details] [review]: Thanks! Please, split the patch and push two different commits.
Created attachment 364877 [details] [review] Remove-unused-configure-check.patch

Splitting into two. This patch removes the configure check for cairo_format_stride_for_width since it will always be available.
Created attachment 364878 [details] [review] Fix-overflow-checks-in-tiff-backend.patch

This patch fixes the overflow checks. I added fixes for two more bad overflow checks in tiff_document_get_thumbnail.
Created attachment 364879 [details] [review] Fix-overflow-checks-in-tiff-backend.patch

Attaching the correct patch this time. This fixes the overflow checks in the tiff backend.
The following fixes have been pushed:
e6ed0d4 Remove unused configure check for cairo_format_stride_for_width
e02fe91 Fix overflow checks in tiff backend
Created attachment 365865 [details] [review] Remove unused configure check for cairo_format_stride_for_width

This function was introduced in cairo version 1.6. We already require version 1.10 so this function will always be available.
Created attachment 365866 [details] [review] Fix overflow checks in tiff backend

The overflow checks in tiff_document_render and tiff_document_get_thumbnail don't work when optimizations are enabled. Change the checks so they don't rely on undefined behavior.
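The undefined-behaviour trap named in the patch author's comment and in the commit message above, as an added example that is not evince's code (the page does not show the backend source): the multiply-then-test pattern in the comment is a reconstruction of the bug class, the function names are mine, and bpp = 4 is assumed because TIFFReadRGBAImageOriented produces 32-bit RGBA.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* The shape of check this report is about (reconstructed for illustration,
 * not evince's actual code): multiply first, test the product afterwards.
 * With int operands the multiplication overflows as undefined behaviour, so
 * at -O2 the compiler may fold "(w * 4) / 4 != w" to false and delete the
 * check; the buffer is then allocated with the wrapped size and the decoder
 * writes past its end, which is what the Valgrind output above shows.
 *
 *     rowstride = width * 4;
 *     if (rowstride / 4 != width)      return NULL;   // may be optimised away
 *     bytes = height * rowstride;
 *     if (bytes / rowstride != height) return NULL;   // may be optimised away
 */

/* Safe form: bound each operand before multiplying, so no signed overflow can
 * occur and there is nothing for the optimiser to remove. Returns true and
 * stores the buffer size in *bytes, or false if the image is unrepresentable. */
bool image_buffer_size(int width, int height, size_t *bytes)
{
    const int bpp = 4; /* 32-bit RGBA, as TIFFReadRGBAImageOriented produces */
    int rowstride;

    if (width <= 0 || height <= 0 || width > INT_MAX / bpp)
        return false;                    /* width * bpp would overflow */
    rowstride = width * bpp;
    if (height > INT_MAX / rowstride)    /* height * rowstride would overflow */
        return false;
    *bytes = (size_t)height * (size_t)rowstride;
    return true;
}

/* Same contract with the GCC/Clang builtin, which reports overflow without
 * ever evaluating the undefined multiplication. */
bool image_buffer_size_builtin(int width, int height, size_t *bytes)
{
    int rowstride, total;

    if (width <= 0 || height <= 0 ||
        __builtin_mul_overflow(width, 4, &rowstride) ||
        __builtin_mul_overflow(height, rowstride, &total))
        return false;
    *bytes = (size_t)total;
    return true;
}
```

GLib's g_size_checked_mul() gives the same guarantee for size_t operands, and building with -fsanitize=undefined makes the original pattern trap at the overflow instead of silently passing the check.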