djvu
version
djvu Commit-6630c7
description
DjVu is a web-centric format for distributing documents and images. DjVu was created at AT&T Labs-Research and later sold to LizardTech Inc. DjVuLibre is a GPL implementation of DjVu maintained by the original inventors of DjVu.
download link
https://sourceforge.net/p/djvu/djvulibre-git/ci/master/tree/
others
please send email to teamseri0us360@gmail.com if you have any questions.
DJVU::GSetBase::hashnode@GContainer.cpp:665-10___heap-use-after-free
description
An issue was discovered in djvu Commit-6630c7: there is a heap-use-after-free in function DJVU::GSetBase::hashnode at GContainer.cpp:665-10.
commandline
ddjvu --format=pbm @@
source
661 GCONT HNode *
662 GSetBase::hashnode(unsigned int hashcode) const
663 {
664 int bucket = hashcode % nbuckets;
> 665 return table[bucket];
666 }
667
668 GCONT HNode *
669 GSetBase::installnode(HNode *n)
670 {
bug report
ddjvu: Cannot decode document.
=================================================================
==788==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000001318 at pc 0x7f557e7a0bda bp 0x7f5579f07ed0 sp 0x7f5579f07ec8
READ of size 8 at 0x60d000001318 thread T1
#0 0x7f557e7a0bd9 in DJVU::GSetBase::hashnode(unsigned int) const /src/djvu/libdjvu/GContainer.cpp:665:10
#1 0x7f557e83a1f0 in DJVU::GSetImpl<DJVU::GUTF8String>::get(DJVU::GUTF8String const&) const /src/djvu/libdjvu/./GContainer.h:1142:25
#2 0x7f557e83a1f0 in DJVU::GSetImpl<DJVU::GUTF8String>::contains(DJVU::GUTF8String const&) const /src/djvu/libdjvu/./GContainer.h:1121
#3 0x7f557e83a1f0 in DJVU::GMapTemplate<DJVU::GUTF8String, DJVU::GUTF8String, DJVU::GUTF8String>::contains(DJVU::GUTF8String const&) const /src/djvu/libdjvu/./GContainer.h:1250
#4 0x7f557e83a1f0 in DJVU::GUTF8String::fromEscaped(DJVU::GMap<DJVU::GUTF8String, DJVU::GUTF8String>) const /src/djvu/libdjvu/GString.cpp:1529
#5 0x7f557e83d0cd in DJVU::GUTF8String::fromEscaped() const /src/djvu/libdjvu/GString.cpp:1558:10
#6 0x7f557e700772 in DJVU::DjVuMessageLite::LookUpID(DJVU::GUTF8String const&, DJVU::GUTF8String&, DJVU::GUTF8String&) const /src/djvu/libdjvu/DjVuMessageLite.cpp:329:24
#7 0x7f557e6fe219 in DJVU::DjVuMessageLite::LookUpSingle(DJVU::GUTF8String const&) const /src/djvu/libdjvu/DjVuMessageLite.cpp:245:3
#8 0x7f557e6fd4f2 in DJVU::DjVuMessageLite::LookUp(DJVU::GUTF8String const&) const /src/djvu/libdjvu/DjVuMessageLite.cpp:217:17
#9 0x7f557e954c66 in DJVU::DjVuMessageLite::LookUpUTF8(DJVU::GUTF8String const&) /src/djvu/libdjvu/./DjVuMessageLite.h:179:12
#10 0x7f557e954c66 in msg_prep_error(DJVU::GUTF8String, char const*, char const*, int) /src/djvu/libdjvu/ddjvuapi.cpp:455
#11 0x7f557e95b114 in DJVU::ddjvu_document_s::notify_error(DJVU::DjVuPort const*, DJVU::GUTF8String const&) /src/djvu/libdjvu/ddjvuapi.cpp:823:38
#12 0x7f557e72a3dd in DJVU::DjVuPortcaster::notify_error(DJVU::DjVuPort const*, DJVU::GUTF8String const&) /src/djvu/libdjvu/DjVuPort.cpp:535:10
#13 0x7f557e62d94d in DJVU::DjVuDocument::static_init_thread(void*) /src/djvu/libdjvu/DjVuDocument.cpp:299:9
#14 0x7f557e8544fc in DJVU::GThread::start(void*) /src/djvu/libdjvu/GThreads.cpp:392:11
#15 0x7f557e0186b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#16 0x7f557d0a141c in clone /build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
0x60d000001318 is located 40 bytes inside of 136-byte region [0x60d0000012f0,0x60d000001378)
freed by thread T0 here:
#0 0x4ec3a0 in operator delete(void*) (/src/aflbuild/installed/bin/ddjvu+0x4ec3a0)
#1 0x7f557cfd3ff7 in __run_exit_handlers /build/glibc-LK5gWL/glibc-2.23/stdlib/exit.c:82
previously allocated by thread T0 here:
#0 0x4ebda0 in operator new(unsigned long) (/src/aflbuild/installed/bin/ddjvu+0x4ebda0)
#1 0x7f557e81ad14 in DJVU::GPBufferBase::GPBufferBase(void*&, unsigned long, unsigned long) /src/djvu/libdjvu/GSmartPointer.cpp:155:12
#2 0x7f557e81ad14 in DJVU::GPBufferBase::resize(unsigned long, unsigned long) /src/djvu/libdjvu/GSmartPointer.cpp:187
Thread T1 created by T0 here:
#0 0x42cbe9 in pthread_create (/src/aflbuild/installed/bin/ddjvu+0x42cbe9)
#1 0x7f557e854c0a in DJVU::GThread::create(void (*)(void*), void*) /src/djvu/libdjvu/GThreads.cpp:440:13
#2 0x7f557e62b6a4 in DJVU::DjVuDocument::start_init(DJVU::GURL const&, DJVU::GP<DJVU::DjVuPort>, DJVU::DjVuFileCache*) /src/djvu/libdjvu/DjVuDocument.cpp:208:4
#3 0x7f557e963492 in ddjvu_document_create_by_filename_imp(DJVU::ddjvu_context_s*, char const*, int, int) /src/djvu/libdjvu/ddjvuapi.cpp:1027:7
#4 0x4f6c47 in main /src/djvu/tools/ddjvu.cpp:1205:16
SUMMARY: AddressSanitizer: heap-use-after-free /src/djvu/libdjvu/GContainer.cpp:665:10 in DJVU::GSetBase::hashnode(unsigned int) const
Shadow bytes around the buggy address:
==788==ABORTING
others
from fuzz project pwd-djvu-ddjvu-00
crash name pwd-djvu-ddjvu-00-00000002-20190928.djvu
Auto-generated by pyspider at 2019-09-28 08:01:09
please send email to teamseri0us360@gmail.com if you have any questions.
Dear teamseri0us360:
Your bug reports #307 to #312 are potentially interesting.
However it is impossible to replicate them using the information you give.
The command lines contain a mysterious @@ argument where a filename would be expected.
What was in this file?
From: pwd pwd@users.sourceforge.net
Reply-To: "Ticket #307: DJVU::GSetBase::hashnode@GContainer.cpp:665-10heap-use-after-free" 307@bugs.djvu.p.re.sourceforge.net
Date: Tuesday, October 8, 2019 at 11:57 PM
To: "Ticket #307: DJVU::GSetBase::hashnode@GContainer.cpp:665-10heap-use-after-free" 307@bugs.djvu.p.re.sourceforge.net
Subject: [djvu:bugs] #307 DJVU::GSetBase::hashnode@GContainer.cpp:665-10___heap-use-after-free
[bugs:#307] DJVU::GSetBase::hashnode@GContainer.cpp:665-10___heap-use-after-free
Status: open
Group: djvulibre
Created: Wed Oct 09, 2019 03:56 AM UTC by pwd
Last Updated: Wed Oct 09, 2019 03:56 AM UTC
Owner: nobody
Attachments:
DJVU__GSetBase__hashnode@GContainer.cpp_665-10heap-use-after-free (4.3 kB; application/octet-stream)
commandline
ddjvu --format=pbm @@
Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/djvu/bugs/307/
Related
Bugs: #307
Hi,
Please replace “@@” with the attachment.
Otherwise, I compiled DjVuLibre with ASAN to find potential bugs. In this issue, thread 1 reads a memory chunk which is freed in the main thread.
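The reply above describes the crash as thread 1 reading a chunk the main thread has already freed, and the trace shows that free happening in __run_exit_handlers, i.e. static teardown running while DjVuDocument::static_init_thread is still doing message lookups. The following is an added C++ example (not DjVuLibre code) of the ordering that prevents that class of bug: a guard object, constructed after the table a worker reads, joins the worker in its destructor so the table cannot be torn down underneath it. MessageTable, WorkerGuard and the message ID "example.message" are constructed stand-ins, not DjVuLibre names.

```cpp
#include <atomic>
#include <chrono>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>
// Constructed stand-in for the GSet-backed map DjVuMessageLite consults (std::
// containers in place of DJVU::GMap/GUTF8String); its destructor logs teardown.
struct MessageTable {
    std::unordered_map<std::string, std::string> entries;
    std::vector<std::string>* log;
    explicit MessageTable(std::vector<std::string>* l) : log(l) {}
    ~MessageTable() { log->push_back("table destroyed"); }
    bool contains(const std::string& id) const { return entries.count(id) != 0; }
};
// Owns the background reader and joins it in its destructor. Constructed AFTER
// the table it reads, so C++ destroys it BEFORE the table: lookups stop while the
// table is alive, the ordering the trace lacks (exit handlers freed the table
// while T1 was still reading it).
class WorkerGuard {
public:
    WorkerGuard(const MessageTable& table, std::vector<std::string>* log)
        : stop_(false), log_(log), thread_([&table, this] {
              while (!stop_.load(std::memory_order_acquire)) {
                  table.contains("example.message");  // constructed message ID
                  std::this_thread::yield();
              }
          }) {}
    ~WorkerGuard() {
        stop_.store(true, std::memory_order_release);
        thread_.join();                 // no reader can run past this point
        log_->push_back("worker joined");
    }
private:
    std::atomic<bool> stop_;
    std::vector<std::string>* log_;
    std::thread thread_;
};
// Runs one table lifetime with a concurrent reader and returns the teardown
// order; with the guard declared last it is {"worker joined", "table destroyed"}.
std::vector<std::string> safe_shutdown_order() {
    std::vector<std::string> log;
    {
        MessageTable table(&log);
        table.entries["example.message"] = "constructed message text";
        WorkerGuard guard(table, &log);
        std::this_thread::sleep_for(std::chrono::milliseconds(10));
    }   // guard destroyed first (worker joined), then table
    return log;
}
```

The same rule applies to function-local or namespace-scope statics in a library: whatever thread reads them must be stopped and joined before their destructors or exit handlers run.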