sammycage / plutosvg

Tiny SVG rendering library in C
MIT License

Memory allocation failed because no check was done on allocated memory #9

Closed kittener closed 1 month ago

kittener commented 2 months ago

Hello, I have been testing my new fuzz tester recently. I found a crash when testing the example in this project.

Description

When running the application with AddressSanitizer, it crashes during a call to plutovg_surface_create due to a request to allocate an abnormally large amount of memory (0xffffffff83863c14 bytes). This behavior suggests there might be an integer overflow or an invalid memory size calculation.

Steps to Reproduce

  1. Compile the application.
  2. Run the command example poc.png

(attachment: poc.png)

Expected Behavior

The application should handle memory allocation requests gracefully without attempting to allocate unusually large memory blocks.

Actual Behavior

The application requests an impractically large memory allocation and crashes when AddressSanitizer is enabled.

Additional Context

    ==5874==WARNING: AddressSanitizer failed to allocate 0xffffffff83863c14 bytes
    ==5874==AddressSanitizer's allocator is terminating the process instead of returning 0
    ==5874==If you don't like this behavior set allocator_may_return_null=1
    ==5874==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
        #0 0x7fb364b39a02  (/lib/x86_64-linux-gnu/libasan.so.4+0xeaa02)
        #1 0x7fb364b58385 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/lib/x86_64-linux-gnu/libasan.so.4+0x109385)
        #2 0x7fb364b3f142  (/lib/x86_64-linux-gnu/libasan.so.4+0xf0142)
        #3 0x7fb364a77c56  (/lib/x86_64-linux-gnu/libasan.so.4+0x28c56)
        #4 0x7fb364b2e91a in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.4+0xdf91a)
        #5 0x562ffe434ba1 in plutovg_surface_create (/home/kittener/Documents/plutosvg/build/example/example_asan+0x34ba1)
        #6 0x562ffe4266aa in plutosvg_load_from_memory (/home/kittener/Documents/plutosvg/build/example/example_asan+0x266aa)
        #7 0x562ffe426a21 in plutosvg_load_from_file (/home/kittener/Documents/plutosvg/build/example/example_asan+0x26a21)
        #8 0x562ffe41005a in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1005a)
        #9 0x7fb364732082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #10 0x562ffe40ff19 in _start (/home/kittener/Documents/plutosvg/build/example/example_asan+0xff19)

by kaiyu Xie
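The request size in the report (0xffffffff83863c14) has the shape of a negative 32-bit value sign-extended into a 64-bit size_t, which is what happens when a width * height * bytes-per-pixel product overflows int and is then handed to malloc. The following is an added illustration, not plutovg's or plutosvg's own code and not the fix that was applied upstream: a hypothetical `demo_surface_create` that computes an RGBA32 buffer size with overflow checks, placed beside an unchecked computation that reproduces the failure mode. All names prefixed `demo_` are invented for this example; the dimensions used in the test are constructed, not taken from poc.png.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical surface type standing in for a plutovg-style RGBA32 surface. */
typedef struct {
    int width;
    int height;
    int stride;
    unsigned char *data;
} demo_surface_t;

/* Unchecked size computation: reproduces the reported failure mode.
 * Signed overflow is undefined in C, so the wraparound is made explicit
 * through uint32_t to keep the demonstration deterministic. On a 64-bit
 * target, a negative int32 converted to size_t becomes a value in the
 * 0xffffffff........ range, exactly the kind of request ASan refused. */
size_t demo_size_unchecked(int width, int height)
{
    int32_t stride = (int32_t)((uint32_t)width * 4u);
    int32_t bytes  = (int32_t)((uint32_t)stride * (uint32_t)height);
    return (size_t)bytes; /* sign-extends when size_t is 64 bits wide */
}

/* Checked size computation: rejects non-positive dimensions and any
 * product that would not fit in int, before the allocator is involved.
 * Returns 0 to signal an invalid size. */
size_t demo_size_checked(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    if (width > INT_MAX / 4)          /* stride = width * 4 must fit in int */
        return 0;
    int stride = width * 4;
    if (height > INT_MAX / stride)    /* stride * height must fit in int */
        return 0;
    return (size_t)stride * (size_t)height;
}

/* Allocates a surface only when the size passed validation, and checks
 * both allocations instead of assuming they succeeded. */
demo_surface_t *demo_surface_create(int width, int height)
{
    size_t size = demo_size_checked(width, height);
    if (size == 0)
        return NULL;
    demo_surface_t *s = malloc(sizeof(*s));
    if (s == NULL)
        return NULL;
    s->data = calloc(1, size);
    if (s->data == NULL) {
        free(s);
        return NULL;
    }
    s->width = width;
    s->height = height;
    s->stride = width * 4;
    return s;
}

void demo_surface_destroy(demo_surface_t *s)
{
    if (s == NULL)
        return;
    free(s->data);
    free(s);
}
```

The check is split into two divisions rather than one multiplication so that neither intermediate result can overflow; a single `width * height * 4 > INT_MAX` comparison would itself overflow before the comparison runs. Callers still have to handle a NULL return, which is the other half of the issue title: validating the size is pointless if the result of malloc is then used unconditionally.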

sammycage commented 2 months ago

Hi,

Thank you for reporting this issue and for the detailed description.

This issue has been fixed in the latest version of plutovg. I will update the submodule to the new version as soon as I have the time to do so.

Best regards

kittener commented 2 months ago

Thank you for your reply.

sammycage commented 1 month ago

@kittener Resolved in the latest commit. Thank you for bringing this issue to our attention.