
Undefined Behavior in nsvg__pathArcTo()

Open · invd opened this issue 5 years ago • 1 comment

During fuzzing, UndefinedBehaviorSanitizer reports an issue at https://github.com/memononen/nanosvg/blob/07a5e2a33c999c759490c2ca452e18ec24c0bfb3/src/nanosvg.h#L2166

nanosvg.h:2175:10: runtime error: nan is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior nanosvg.h:2175:10 in 

I do not expect a direct security impact.

Example input: ub_1.svg.zip.

State before the UB:

Thread 1 "nanosvg_fuzzer" hit Breakpoint 1, nsvg__pathArcTo (p=0xe83620, cpx=0x7fffffffbf54, cpy=0x7fffffffbf50, args=0x7fffffffbf60, 
    rel=0) at ./nanosvg.h:2175
2175		ndivs = (int)(fabsf(da) / (NSVG_PI*0.5f) + 1.0f);
(gdb) info local
rx = 8
ry = inf
rotx = 0
x1 = 0
y1 = 0
x2 = 0
y2 = 0.200000003
cx = -nan(0x400000)
cy = -nan(0x400000)
dx = 0
dy = -0.200000003
d = 0
x1p = 0
y1p = -0.100000001
cxp = 0
cyp = -nan(0x400000)
s = -0
sa = -nan(0x400000)
sb = -nan(0x400000)
ux = 0
uy = -nan(0x400000)
vx = -0
vy = -nan(0x400000)
a1 = -nan(0x400000)
da = -nan(0x400000)
x = 4.59163468e-41
y = -nan(0x7fbed0)
tanx = 6.44597294e-44
tany = 0
a = 4.59163468e-41
px = 0
py = 0
ptanx = 0
ptany = 0
t = {1, 0, -0, 1, -nan(0x400000), -nan(0x400000)}
sinrx = 0
cosrx = 1
fa = 1
fs = 1
i = 46
ndivs = 33542579
hda = 4.59163468e-41
kappa = -nan(0x7fbed0)

Note: my local source lines are not identical with nanosvg.h upstream.

invd, Sep 24 '20 20:09

@memononen: this undefined behavior issue is still present in the newest 9da543e8329fdd81b64eb48742d8ccb09377aed1 commit.

https://github.com/memononen/nanosvg/blob/9da543e8329fdd81b64eb48742d8ccb09377aed1/src/nanosvg.h#L2226

While retesting this issue, my fuzzer has found a separate Undefined Behavior issue in nsvg__parseColorRGB():

nanosvg.h:1273:14: runtime error: 2.83333e+11 is outside the range of representable values of type 'unsigned int'

https://github.com/memononen/nanosvg/blob/9da543e8329fdd81b64eb48742d8ccb09377aed1/src/nanosvg.h#L1273

Similar edge cases are possible for rgbi[2] = roundf(rgbf[2] * 2.55f); at nanosvg.h:1275 as well.

Let me know if you have an interest in fixing those and need more information.

invd, Mar 03 '23 12:03