Undefined behavior at plutovg using lunasvg's svg2png example

m-carrasco commented 1 year ago

Hi,

Thanks a lot for sharing this project. I just wanted to report a case of undefined behavior. Unfortunately, I am not sure yet what's the best way to fix this problem.

How to reproduce it?

apt-get install -y clang-12
git clone lunasvg
mkdir build && cd build
CXX=clang++-12 CC=clang-12 cmake -DLUNASVG_BUILD_EXAMPLES=ON -DCMAKE_CXX_FLAGS="-g -O0 -fsanitize=undefined,address -fno-sanitize-recover=all" -DCMAKE_C_FLAGS="-g -O0 -fsanitize=undefined,address -fno-sanitize-recover=all" ../lunasvg
make -j $(nproc)
export UBSAN_OPTIONS=print_stacktrace=1
./example/svg2png a-baseline-shift-005.svg

Error

/lunasvg/3rdparty/plutovg/plutovg-rle.c:38:9: runtime error: store to misaligned address 0x60b000000156 for type 'int', which requires 4 byte alignment
0x60b000000156: note: pointer points here
 01 be be be be be  be be be be be be 01 be  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
             ^ 
    #0 0x7b542a in ft_outline_move_to /lunasvg/3rdparty/plutovg/plutovg-rle.c:38:38
    #1 0x7ab0c4 in ft_outline_convert /lunasvg/3rdparty/plutovg/plutovg-rle.c:103:13
    #2 0x7a7f4f in plutovg_rle_rasterize /lunasvg/3rdparty/plutovg/plutovg-rle.c:246:9
    #3 0x765a75 in plutovg_fill_preserve /lunasvg/3rdparty/plutovg/plutovg.c:461:5
    #4 0x765654 in plutovg_fill /lunasvg/3rdparty/plutovg/plutovg.c:423:5
    #5 0x6d2bd7 in lunasvg::Canvas::fill(lunasvg::Path const&, lunasvg::Transform const&, lunasvg::WindRule, lunasvg::BlendMode, double) /lunasvg/source/canvas.cpp:100:5
    #6 0x69a1f2 in lunasvg::FillData::fill(lunasvg::RenderState&, lunasvg::Path const&) const /lunasvg/source/layoutcontext.cpp:331:19
    #7 0x69cb38 in lunasvg::LayoutShape::render(lunasvg::RenderState&) const /lunasvg/source/layoutcontext.cpp:408:18
    #8 0x68e903 in lunasvg::LayoutContainer::renderChildren(lunasvg::RenderState&) const /lunasvg/source/layoutcontext.cpp:88:16
    #9 0x6920ce in lunasvg::LayoutSymbol::render(lunasvg::RenderState&) const /lunasvg/source/layoutcontext.cpp:159:5
    #10 0x5b84a6 in lunasvg::Document::render(lunasvg::Bitmap, lunasvg::Matrix const&) const /lunasvg/source/lunasvg.cpp:343:11
    #11 0x5b9bc5 in lunasvg::Document::renderToBitmap(unsigned int, unsigned int, unsigned int) const /lunasvg/source/lunasvg.cpp:368:5
    #12 0x5ab8ce in main /lunasvg/example/svg2png.cpp:54:29
    #13 0x7fcbd75f3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #14 0x4e5cad in _start (/lunasvg-build/example/svg2png+0x4e5cad)

Possibly source of the error

Possibly the issue comes from this line https://github.com/sammycage/lunasvg/blob/master/3rdparty/plutovg/plutovg-rle.c#L24. I suspect that this base address is already misaligned.

I think a possible way to avoid this UB is to replace int-style accesses to this buffer with byte-style ones (memcpy, memset, etc). I tried this a bit, but I had an invalid memory access. Perhaps my approach is just hiding a bug in the code.

To be fair, I am not sure if this is a bug in plutosv per se or if it is caused by an incorrect use by lunasvg.

If it helps, I found this post that explains this sort of UB better.

Best regards, Manuel

sammycage commented 1 year ago

Fixed in commit 3881f345c3bacfcc85e05666ded397e9603686ed

Thank you for reporting this bug <3 <3 <3

m-carrasco commented 1 year ago

@sammycage thank you ;)

sammycage / lunasvg

Undefined behavior at plutovg using lunasvg's svg2png example #119