sammycage / plutosvg

Tiny SVG rendering library in C
MIT License

Heap Use-After-Free in composition_solid_source_over Function #11

Closed kittener closed 2 months ago

kittener commented 3 months ago

Description

The application crashes due to a heap use-after-free error when executing the composition_solid_source_over function. This indicates that the application attempted to read memory that had already been freed, which can lead to undefined behavior and potential security vulnerabilities.

Steps to Reproduce

  1. Compile the application.
  2. Run the application using the following command: example poc.png
     (attachment: poc2.png)
  3. Observe that the application crashes, indicating a use-after-free error.

Expected Behavior

The application should manage memory correctly without trying to access memory after it has been freed.

Actual Behavior

The application crashes, showing a heap use-after-free error. Here's the output from AddressSanitizer:

=================================================================
==5906==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe29e7d788c at pc 0x55b48bc4608b bp 0x7ffe23822e20 sp 0x7ffe23822e10
READ of size 4 at 0x7fe29e7d788c thread T0
    #0 0x55b48bc4608a in composition_solid_source_over (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4608a)
    #1 0x55b48bc46f0c in blend_solid (/home/kittener/Documents/plutosvg/build/example/example_asan+0x46f0c)
    #2 0x55b48bc4a0e1 in plutovg_blend_color (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4a0e1)
    #3 0x55b48bc49eba in plutovg_blend (/home/kittener/Documents/plutosvg/build/example/example_asan+0x49eba)
    #4 0x55b48bc39672 in plutovg_fill_preserve (/home/kittener/Documents/plutosvg/build/example/example_asan+0x39672)
    #5 0x55b48bc22282 in render_context_draw (/home/kittener/Documents/plutosvg/build/example/example_asan+0x22282)
    #6 0x55b48bc24198 in render_path (/home/kittener/Documents/plutosvg/build/example/example_asan+0x24198)
    #7 0x55b48bc25938 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x25938)
    #8 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #9 0x55b48bc2379b in render_g (/home/kittener/Documents/plutosvg/build/example/example_asan+0x2379b)
    #10 0x55b48bc258e1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258e1)
    #11 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #12 0x55b48bc2379b in render_g (/home/kittener/Documents/plutosvg/build/example/example_asan+0x2379b)
    #13 0x55b48bc258e1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258e1)
    #14 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #15 0x55b48bc22ae6 in render_symbol (/home/kittener/Documents/plutosvg/build/example/example_asan+0x22ae6)
    #16 0x55b48bc23055 in render_svg (/home/kittener/Documents/plutosvg/build/example/example_asan+0x23055)
    #17 0x55b48bc258b1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258b1)
    #18 0x55b48bc268aa in plutosvg_load_from_memory (/home/kittener/Documents/plutosvg/build/example/example_asan+0x268aa)
    #19 0x55b48bc26a21 in plutosvg_load_from_file (/home/kittener/Documents/plutosvg/build/example/example_asan+0x26a21)
    #20 0x55b48bc1005a in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1005a)
    #21 0x7fe2f4097082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #22 0x55b48bc0ff19 in _start (/home/kittener/Documents/plutosvg/build/example/example_asan+0xff19)

0x7fe29e7d788c is located 24297612 bytes inside of 33554432-byte region [0x7fe29d0ab800,0x7fe29f0ab800)
freed by thread T0 here:
    #0 0x7fe2f4493d40 in realloc (/lib/x86_64-linux-gnu/libasan.so.4+0xdfd40)
    #1 0x55b48bc4d20f in generation_callback (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4d20f)
    #2 0x55b48bc77250 in gray_hline (/home/kittener/Documents/plutosvg/build/example/example_asan+0x77250)
    #3 0x55b48bc77584 in gray_sweep (/home/kittener/Documents/plutosvg/build/example/example_asan+0x77584)
    #4 0x55b48bc79e3a in gray_convert_glyph (/home/kittener/Documents/plutosvg/build/example/example_asan+0x79e3a)
    #5 0x55b48bc7ab20 in gray_raster_render (/home/kittener/Documents/plutosvg/build/example/example_asan+0x7ab20)
    #6 0x55b48bc4e1f7 in plutovg_rle_rasterize (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4e1f7)
    #7 0x55b48bc395d6 in plutovg_fill_preserve (/home/kittener/Documents/plutosvg/build/example/example_asan+0x395d6)
    #8 0x55b48bc22282 in render_context_draw (/home/kittener/Documents/plutosvg/build/example/example_asan+0x22282)
    #9 0x55b48bc24198 in render_path (/home/kittener/Documents/plutosvg/build/example/example_asan+0x24198)
    #10 0x55b48bc25938 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x25938)
    #11 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #12 0x55b48bc2379b in render_g (/home/kittener/Documents/plutosvg/build/example/example_asan+0x2379b)
    #13 0x55b48bc258e1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258e1)
    #14 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #15 0x55b48bc2379b in render_g (/home/kittener/Documents/plutosvg/build/example/example_asan+0x2379b)
    #16 0x55b48bc258e1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258e1)
    #17 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #18 0x55b48bc22ae6 in render_symbol (/home/kittener/Documents/plutosvg/build/example/example_asan+0x22ae6)
    #19 0x55b48bc23055 in render_svg (/home/kittener/Documents/plutosvg/build/example/example_asan+0x23055)
    #20 0x55b48bc258b1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258b1)
    #21 0x55b48bc268aa in plutosvg_load_from_memory (/home/kittener/Documents/plutosvg/build/example/example_asan+0x268aa)
    #22 0x55b48bc26a21 in plutosvg_load_from_file (/home/kittener/Documents/plutosvg/build/example/example_asan+0x26a21)
    #23 0x55b48bc1005a in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1005a)
    #24 0x7fe2f4097082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

previously allocated by thread T0 here:
    #0 0x7fe2f4493d40 in realloc (/lib/x86_64-linux-gnu/libasan.so.4+0xdfd40)
    #1 0x55b48bc4d20f in generation_callback (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4d20f)
    #2 0x55b48bc77250 in gray_hline (/home/kittener/Documents/plutosvg/build/example/example_asan+0x77250)
    #3 0x55b48bc77584 in gray_sweep (/home/kittener/Documents/plutosvg/build/example/example_asan+0x77584)
    #4 0x55b48bc79e3a in gray_convert_glyph (/home/kittener/Documents/plutosvg/build/example/example_asan+0x79e3a)
    #5 0x55b48bc7ab20 in gray_raster_render (/home/kittener/Documents/plutosvg/build/example/example_asan+0x7ab20)
    #6 0x55b48bc4e1f7 in plutovg_rle_rasterize (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4e1f7)
    #7 0x55b48bc395d6 in plutovg_fill_preserve (/home/kittener/Documents/plutosvg/build/example/example_asan+0x395d6)
    #8 0x55b48bc22282 in render_context_draw (/home/kittener/Documents/plutosvg/build/example/example_asan+0x22282)
    #9 0x55b48bc24198 in render_path (/home/kittener/Documents/plutosvg/build/example/example_asan+0x24198)
    #10 0x55b48bc25938 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x25938)
    #11 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #12 0x55b48bc2379b in render_g (/home/kittener/Documents/plutosvg/build/example/example_asan+0x2379b)
    #13 0x55b48bc258e1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258e1)
    #14 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #15 0x55b48bc2379b in render_g (/home/kittener/Documents/plutosvg/build/example/example_asan+0x2379b)
    #16 0x55b48bc258e1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258e1)
    #17 0x55b48bc259d1 in render_children (/home/kittener/Documents/plutosvg/build/example/example_asan+0x259d1)
    #18 0x55b48bc22ae6 in render_symbol (/home/kittener/Documents/plutosvg/build/example/example_asan+0x22ae6)
    #19 0x55b48bc23055 in render_svg (/home/kittener/Documents/plutosvg/build/example/example_asan+0x23055)
    #20 0x55b48bc258b1 in render_element (/home/kittener/Documents/plutosvg/build/example/example_asan+0x258b1)
    #21 0x55b48bc268aa in plutosvg_load_from_memory (/home/kittener/Documents/plutosvg/build/example/example_asan+0x268aa)
    #22 0x55b48bc26a21 in plutosvg_load_from_file (/home/kittener/Documents/plutosvg/build/example/example_asan+0x26a21)
    #23 0x55b48bc1005a in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1005a)
    #24 0x7fe2f4097082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/kittener/Documents/plutosvg/build/example/example_asan+0x4608a) in composition_solid_source_over
==5906==ABORTING

by Kaiyu Xie
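The pattern the report describes (a span buffer that realloc moves inside the rasterizer callback, then a composite step reading through the old base pointer), as an added example that is not plutosvg/plutovg code: it shows the safe ordering, where the composite step only receives the buffer after rasterization has finished and always indexes through the live base pointer. The names push_span, rasterize_rect, composite_solid_source_over and render_rect_pixel are assumptions.

```c
#include <stdlib.h>
#include <stdint.h>
/* Added example, not plutosvg/plutovg code; all names are hypothetical. */
typedef struct { int x, y, len; uint8_t coverage; } span_t;
typedef struct { span_t *spans; size_t count, capacity; } span_buffer_t;
/* Grows the span array. realloc may move it, so any pointer taken from
 * buf->spans before this call is stale afterwards: that is the hazard the
 * ASan report shows (freed in generation_callback, read in composition). */
static int push_span(span_buffer_t *buf, span_t s) {
    if (buf->count == buf->capacity) {
        size_t cap = buf->capacity ? buf->capacity * 2 : 4;
        span_t *grown = realloc(buf->spans, cap * sizeof *grown);
        if (!grown) return 0;
        buf->spans = grown; buf->capacity = cap; /* only valid base from now on */
    }
    buf->spans[buf->count++] = s;
    return 1;
}
/* One span per scanline of a filled rectangle; starting at capacity 0
 * forces several realloc growths while spans are being emitted. */
static int rasterize_rect(span_buffer_t *buf, int x, int y, int w, int h, uint8_t cov) {
    for (int row = 0; row < h; row++) {
        span_t s = { x, y + row, w, cov };
        if (!push_span(buf, s)) return 0;
    }
    return 1;
}
/* Solid source-over onto an 8-bit surface. It is handed the buffer only after
 * rasterization finished and reads every span through the live base pointer. */
static void composite_solid_source_over(uint8_t *dst, int stride,
                                        const span_buffer_t *buf, uint8_t color) {
    for (size_t i = 0; i < buf->count; i++) {
        const span_t *s = &buf->spans[i];
        uint8_t *row = dst + (size_t)s->y * stride + s->x;
        for (int k = 0; k < s->len; k++)
            row[k] = (uint8_t)((color * s->coverage + row[k] * (255 - s->coverage)) / 255);
    }
}
/* Rasterize, then composite, then free; returns the pixel at (px, py). */
static int render_rect_pixel(int px, int py) {
    enum { W = 16, H = 16 };
    uint8_t surface[W * H] = { 0 };
    span_buffer_t buf = { NULL, 0, 0 };
    if (!rasterize_rect(&buf, 2, 3, 8, 9, 255)) { free(buf.spans); return -1; }
    composite_solid_source_over(surface, W, &buf, 200);
    free(buf.spans);
    return surface[py * W + px];
}
```

Built with -fsanitize=address this flow stays clean; snapshotting buf.spans before rasterize_rect and compositing through that snapshot is what reproduces the report's heap-use-after-free.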

sammycage commented 3 months ago

Can you please send me the test files?

kittener commented 3 months ago

poc2.zip

Can you download it via the link above?

sammycage commented 2 months ago

@kittener Resolved in the latest commit. Thank you for bringing this issue to our attention.

kittener commented 1 week ago

Can you help me apply for a CVE number, or can I apply myself?