eyelash / raster

a high-quality vector graphics rasterizer (work in progress)

Stack-overflow and FPE on unknown address have occurred in function raster. #1

Open yangfar opened 2 years ago

yangfar commented 2 years ago

Command

./raster input output

Crash output

Crash 1

AddressSanitizer:DEADLYSIGNAL

=================================================================
==543374==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd34f18f00 (pc 0x0000004f7a3f bp 0x7ffd34f19130 sp 0x7ffd34f18f00 T0)
    #0 0x4f7a3f in Path::curve_to(Point const&, Point const&, Point const&) /home/hjsz/fuzz_software/raster-main/document.hpp:140
    #1 0x4f8518 in Path::curve_to(Point const&, Point const&, Point const&) /home/hjsz/fuzz_software/raster-main/document.hpp:153:4
    #2 0x4f8518 in Path::curve_to(Point const&, Point const&, Point const&) /home/hjsz/fuzz_software/raster-main/document.hpp:153:4

SUMMARY: AddressSanitizer: stack-overflow /home/hjsz/fuzz_software/raster-main/document.hpp:140 in Path::curve_to(Point const&, Point const&, Point const&)
==543374==ABORTING

Crash 2

AddressSanitizer:DEADLYSIGNAL

=================================================================
==543549==ERROR: AddressSanitizer: FPE on unknown address 0x000000517dda (pc 0x000000517dda bp 0x7ffcde13ecb0 sp 0x7ffcde13e6e0 T0)
    #0 0x517dda in Pixmap::get_height() const /home/hjsz/fuzz_software/raster-main/rasterizer.hpp:107:24
    #1 0x517dda in (anonymous namespace)::rasterize_strip((anonymous namespace)::Strip const&, Pixmap&) /home/hjsz/fuzz_software/raster-main/rasterizer.cpp:143:45
    #2 0x517dda in rasterize(std::vector<Shape, std::allocator<Shape> > const&, char const*, unsigned long, unsigned long) /home/hjsz/fuzz_software/raster-main/rasterizer.cpp:217:4
    #3 0x4c8aa7 in main /home/hjsz/fuzz_software/raster-main/main.cpp:26:3
    #4 0x7fd8d98f2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d66d in _start (/home/hjsz/fuzz_software/raster-main/build/raster+0x41d66d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/hjsz/fuzz_software/raster-main/rasterizer.hpp:107:24 in Pixmap::get_height() const
==543549==ABORTING

POC

POC.zip

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale

eyelash commented 2 years ago

Thank you for this bug report. I'm aware that the parser does not protect against stack overflows (this is also true for all my other projects that contain parsers). This can be exploited with specially crafted inputs. I'll have to look into the second crash.

Is there any chance you could provide the input files used to trigger these crashes?

In general, this project is very much a work in progress and the focus is still on functionality instead of security. You should only run this software on trusted inputs.

yangfar commented 2 years ago

Thanks for your time; the input files are the examples in your repository.

eyelash commented 2 years ago

I am unable to reproduce these crashes. Could you please provide me with some additional information? What operating system and what compiler are you using? How are you compiling the project? Which additional flags are you using? I tried the following but didn't get any errors:

g++ -o raster -g -fsanitize=address main.cpp parser.cpp rasterizer.cpp png.cpp
./raster examples/00.svg output.png
./raster examples/01.svg output.png
./raster examples/02.svg output.png

What are the files inside the POC.zip?

yangfar commented 2 years ago

Command line used to find this crash:

./AFL/afl-fuzz -i ./seed/seed1/ -o ./out/out1/ -d -m none ./fuzz_software/raster-main/build/raster @@ test.png

The seed is the example you gave. POC.zip contains the crashes that I got using the fuzzing tool (AFL).

eyelash commented 2 years ago

Here are two isolated input files to reproduce these crashes:

<?xml version="1.0" encoding="UTF-8"?>
<svg width="300" height="300" xmlns="http://www.w3.org/2000/svg">
<path fill="#0000FF" d="C 100 50 150 150 200 10000000000000000000000000000000000000 L 250 200 Z"/>
</svg>

<?xml version="1.0" encoding="UTF-8"?>
<svg width="0" height="0" xmlns="http://www.w3.org/2000/svg">
</svg>

The first one is a stack overflow in the recursive call here due to a curve that is too big so the error takes too long to go below the tolerance.

The second one is a divide-by-zero bug here due to the width being zero.

Thank you for reporting these issues. I'm not sure I will fix these issues, though, since as I said this is an experimental work in progress that is only meant to be used on safe input files.
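
The two root causes named above (unbounded recursive curve subdivision, and a height derived by dividing by a zero width) are a standard pair of rasterizer hardening checks. The C++ below is an added example, not raster's own code or the maintainer's fix: Point, Pixmap, the flatness criterion and the 1e6 coordinate limit are assumptions chosen for illustration. It shows why a control point at 1e37 never converges (each de Casteljau split divides the control-polygon error by about 4, and at that magnitude adjacent doubles are ~1e21 apart, so a sub-pixel tolerance is unreachable), the depth cap and work budget that turn the infinite recursion into a rejected input, a parse-time coordinate check, and the zero-size guard for the pixmap.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the project's Point type; not raster's own code.
struct Point { double x, y; };

struct FlattenResult {
    std::vector<Point> points;  // polyline vertices, starting at p0
    int max_depth = 0;          // deepest recursion level reached
    bool truncated = false;     // a guard fired: the curve was NOT fully flattened
};

namespace {

double norm(Point a) { return std::hypot(a.x, a.y); }
Point mid(Point a, Point b) { return {(a.x + b.x) * 0.5, (a.y + b.y) * 0.5}; }

// Flatness estimate from the control polygon's second differences (assumed
// criterion). Each split divides it by roughly 4, so a control point 1e37
// away needs ~60 levels, and at that magnitude the spacing between adjacent
// doubles (~1e21) means the estimate can never fall below a sub-pixel
// tolerance: without a cap the recursion ends only when the stack does.
double flatness(Point p0, Point p1, Point p2, Point p3) {
    Point d1{p0.x - 2 * p1.x + p2.x, p0.y - 2 * p1.y + p2.y};
    Point d2{p1.x - 2 * p2.x + p3.x, p1.y - 2 * p2.y + p3.y};
    return std::fmax(norm(d1), norm(d2));
}

void subdivide(Point p0, Point p1, Point p2, Point p3, double tol,
               int depth, int max_depth, std::size_t budget, FlattenResult& r) {
    if (r.truncated) return;
    if (depth > r.max_depth) r.max_depth = depth;
    // Written as !(err > tol) so a NaN (from inf coordinates) counts as flat
    // and stops the recursion instead of driving it deeper.
    if (!(flatness(p0, p1, p2, p3) > tol)) { r.points.push_back(p3); return; }
    // The two guards the naive recursion lacks: a depth cap (bounds stack use)
    // and a total-output budget (bounds time, since each level doubles the work).
    if (depth >= max_depth || r.points.size() >= budget) { r.truncated = true; return; }
    // de Casteljau split at t = 0.5
    Point p01 = mid(p0, p1), p12 = mid(p1, p2), p23 = mid(p2, p3);
    Point p012 = mid(p01, p12), p123 = mid(p12, p23), p0123 = mid(p012, p123);
    subdivide(p0, p01, p012, p0123, tol, depth + 1, max_depth, budget, r);
    subdivide(p0123, p123, p23, p3, tol, depth + 1, max_depth, budget, r);
}

}  // namespace

// Flatten a cubic Bezier p0..p3 into line segments; check `truncated` on the result.
FlattenResult flatten_cubic(Point p0, Point p1, Point p2, Point p3, double tol = 0.25,
                            int max_depth = 32, std::size_t budget = 1u << 16) {
    FlattenResult r;
    r.points.push_back(p0);
    subdivide(p0, p1, p2, p3, tol, 0, max_depth, budget, r);
    return r;
}

// Parser-side check: reject coordinates that are not finite or are far larger
// than any canvas (1e6 user units is an assumed limit, not a project constant).
bool coord_sane(double v) { return std::isfinite(v) && std::fabs(v) <= 1e6; }

// Stand-in for a pixmap whose height is derived from the buffer size, the
// shape of the second crash (a zero width turns the division into an FPE).
struct Pixmap {
    std::size_t width;
    std::vector<std::uint8_t> data;  // assumed RGBA, 4 bytes per pixel
    std::size_t get_height() const {
        return width == 0 ? 0 : data.size() / (width * 4);  // guarded division
    }
};

// Validate an SVG width/height before allocating: zero sizes and products that
// would overflow size_t are both rejected up front.
bool pixmap_size_ok(std::size_t w, std::size_t h) {
    if (w == 0 || h == 0) return false;
    return h <= SIZE_MAX / 4 / w;
}
```

With these guards the first file above is rejected (flatten_cubic reports `truncated` after hitting the depth cap on its leftmost branch instead of recursing until the stack is exhausted), and the second is rejected by pixmap_size_ok before any division happens. The parse-time coord_sane check is the cheaper first line of defence; the depth cap and budget are defence in depth for inputs that pass it. Building with `-fsanitize=address,undefined` rather than address alone also makes UBSan report the integer division by zero at the faulting line instead of leaving only the FPE signal.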

yangfar commented 2 years ago

Thanks for your time!