Samsung / rlottie

A platform independent standalone library that plays Lottie Animation.

signed integer overflow #561

Open ghost opened 3 months ago

ghost commented 3 months ago

Hello,

There is a signed integer overflow within the library; the following tags can trigger it, resulting in a denial of service within rlottie.

./harness small.json
frame count:    1
starting...
/home/harry/rlottie/src/vector/freetype/v_ft_raster.cpp:1385:38: runtime error: signed integer overflow: -2147483648 - 2147483647 cannot be represented in type 'int' 

This can be found here when loading in the Json file:

{
    "v": "0",
    "": [],
    "assets": [
      {
        "": 0
      },
      {
        "": 0,
        "id": "fr000",
        "h": 2
      },
      {
        "": 0
      }
    ],
    "layers": [
      {
        "": 0
      },
      {
        "": 0
      },
      {
        "": 0,
        "ks": {
          "": {
            "": 0
          }
        },
        "ty": 2,
        "refId": "fr000" 
      }
    ]
  }

The overflow occurs when the parameters of refId are given 000, resulting in an overflow. This has to be within the layers function for the bug to be triggered: https://github.com/Samsung/rlottie/blob/master/src/vector/freetype/v_ft_raster.cpp#L1385C15-L1385C73

    gray_convert_glyph(RAS_VAR);
    params->bbox_cb(ras.bound_left, ras.bound_top,
                    ras.bound_right - ras.bound_left,
                    ras.bound_bottom - ras.bound_top + 1, params->user);

To recreate the issue, compile the code with: harness.cpp.tar.gz


g++ main.cpp -fsanitize=address,undefined

./application test.json
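The sanitizer message shows `bound_right - bound_left` evaluated as INT_MIN minus INT_MAX, which is what an inverted (empty) bounding box looks like when the subtraction is done in 32-bit `int`. Below is an added example, not rlottie's code, of how the width/height arithmetic at that call site can be guarded: compute in 64 bits, reject inverted or out-of-range boxes, and only then invoke the callback. The callback type `BBoxCallback` and its `(x, y, w, h, user)` shape are assumed for illustration.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Added example, not rlottie code. Same arithmetic as the reported call site
//   params->bbox_cb(left, top, right - left, bottom - top + 1, user)
// but computed in 64 bits so the subtraction cannot wrap, and with the
// result range-checked before it is narrowed back to int.
struct BBoxDims {
    int width;
    int height;
};

// Returns true and fills `out` when the box is well formed; returns false
// (leaving `out` untouched) when the box is inverted/empty or a dimension
// would not fit in int. An inverted box such as left = INT_MAX,
// right = INT_MIN (the values in the UBSan report) is rejected here
// instead of producing an undefined signed wrap.
bool safeBBoxDims(int left, int top, int right, int bottom, BBoxDims* out) {
    const int64_t w = static_cast<int64_t>(right) - static_cast<int64_t>(left);
    const int64_t h = static_cast<int64_t>(bottom) - static_cast<int64_t>(top) + 1;
    if (w < 0 || h < 0 || w > INT_MAX || h > INT_MAX) return false;
    out->width = static_cast<int>(w);
    out->height = static_cast<int>(h);
    return true;
}

// Assumed callback shape for this example: (x, y, w, h, user).
typedef void (*BBoxCallback)(int x, int y, int w, int h, void* user);

// Guarded wrapper: the callback fires only for a valid box. Returns whether
// it fired, so an empty glyph is reported as "nothing to draw" rather than
// as a wrapped, garbage-sized box.
bool reportBBox(int left, int top, int right, int bottom, BBoxCallback cb, void* user) {
    BBoxDims d;
    if (!safeBBoxDims(left, top, right, bottom, &d)) return false;
    cb(left, top, d.width, d.height, user);
    return true;
}

static void printBox(int x, int y, int w, int h, void*) {
    std::printf("bbox x=%d y=%d w=%d h=%d\n", x, y, w, h);
}

int main() {
    reportBBox(10, 20, 50, 60, printBox, nullptr);                     // valid: w=40 h=41
    reportBBox(INT_MAX, INT_MAX, INT_MIN, INT_MIN, printBox, nullptr); // inverted: rejected, no wrap
    return 0;
}
```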