plutosvg
Heap Buffer Overflow in plutovg_surface_write_to_png Function
Description
The application crashes with a heap buffer overflow while executing the plutovg_surface_write_to_png function. The AddressSanitizer report below shows a 4-byte read at 0 bytes past the end of a 1192173316-byte heap region that was allocated in plutovg_surface_create, i.e. the function read past the end of an allocated memory block.
Steps to Reproduce
- Compile the application.
- Run the application using the following command:
example poc.png
- Observe that the application crashes indicating a buffer overflow error.
Expected Behavior
The application should manage memory bounds correctly and not access memory beyond allocated blocks.
Actual Behavior
The application crashes, showing a heap buffer overflow error. Here's the output from AddressSanitizer:
=================================================================
==5909==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f612e1ff704 at pc 0x55f9228352c5 bp 0x7ffc89c47e50 sp 0x7ffc89c47e40
READ of size 4 at 0x7f612e1ff704 thread T0
#0 0x55f9228352c4 in plutovg_surface_write_to_png (/home/kittener/Documents/plutosvg/build/example/example_asan+0x352c4)
#1 0x55f92281008b in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1008b)
#2 0x7f6130e00082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#3 0x55f92280ff19 in _start (/home/kittener/Documents/plutosvg/build/example/example_asan+0xff19)
0x7f612e1ff704 is located 0 bytes to the right of 1192173316-byte region [0x7f60e710d800,0x7f612e1ff704)
allocated by thread T0 here:
#0 0x7f61311fc950 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.4+0xdf950)
#1 0x55f922834ba1 in plutovg_surface_create (/home/kittener/Documents/plutosvg/build/example/example_asan+0x34ba1)
#2 0x55f9228266aa in plutosvg_load_from_memory (/home/kittener/Documents/plutosvg/build/example/example_asan+0x266aa)
#3 0x55f922826a21 in plutosvg_load_from_file (/home/kittener/Documents/plutosvg/build/example/example_asan+0x26a21)
#4 0x55f92281005a in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1005a)
#5 0x7f6130e00082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kittener/Documents/plutosvg/build/example/example_asan+0x352c4) in plutovg_surface_write_to_png
Shadow bytes around the buggy address:
0x0feca5c37e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feca5c37ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feca5c37eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feca5c37ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feca5c37ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feca5c37ee0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feca5c37ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feca5c37f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feca5c37f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feca5c37f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feca5c37f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5909==ABORTING
by kaiyu Xie
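Reading a report like the one above by hand is error-prone once the numbers get large, so here is an added example (not plutosvg or plutovg code) of a small Python triage parser for AddressSanitizer reports in this shape. It extracts the access type and size, the faulting and allocating application frames (skipping the sanitizer's interceptor frames), and the allocation bounds; it then checks that the quoted region size really equals the [lo,hi) range and computes how far past the allocation the access reaches. The sample input is the head of the report quoted in this issue with the shadow-byte dump omitted; the function and variable names are this example's own assumptions.

```python
import re

# Constructed sample input: the head of the AddressSanitizer report quoted in
# this issue (addresses, sizes and frame names copied from it, shadow-byte
# dump omitted). The parser itself is an added example, not plutosvg code.
SAMPLE_REPORT = """\
==5909==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f612e1ff704 at pc 0x55f9228352c5 bp 0x7ffc89c47e50 sp 0x7ffc89c47e40
READ of size 4 at 0x7f612e1ff704 thread T0
    #0 0x55f9228352c4 in plutovg_surface_write_to_png (/home/kittener/Documents/plutosvg/build/example/example_asan+0x352c4)
    #1 0x55f92281008b in main (/home/kittener/Documents/plutosvg/build/example/example_asan+0x1008b)
    #2 0x7f6130e00082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
0x7f612e1ff704 is located 0 bytes to the right of 1192173316-byte region [0x7f60e710d800,0x7f612e1ff704)
allocated by thread T0 here:
    #0 0x7f61311fc950 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.4+0xdf950)
    #1 0x55f922834ba1 in plutovg_surface_create (/home/kittener/Documents/plutosvg/build/example/example_asan+0x34ba1)
    #2 0x55f9228266aa in plutosvg_load_from_memory (/home/kittener/Documents/plutosvg/build/example/example_asan+0x266aa)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kittener/Documents/plutosvg/build/example/example_asan+0x352c4) in plutovg_surface_write_to_png
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<fn>\S+)")
REGION_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) "
    r"of (?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)"
)


def parse_asan_report(text):
    """Pull the triage-relevant facts out of a heap-buffer-overflow report."""
    info = {"fault_stack": [], "alloc_stack": [], "free_stack": []}
    section = None  # which stack trace the following "#n" frames belong to
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            info["kind"] = m.group("kind")
            info["fault_addr"] = int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            info["op"] = m.group("op")
            info["access_size"] = int(m.group("size"))
            section = "fault_stack"
            continue
        m = REGION_RE.match(line)
        if m:
            info["region_size"] = int(m.group("size"))
            info["region_lo"] = int(m.group("lo"), 16)
            info["region_hi"] = int(m.group("hi"), 16)
            info["distance"] = int(m.group("dist"))
            info["side"] = m.group("side")
            continue
        if line.startswith("allocated by"):
            section = "alloc_stack"
            continue
        if line.startswith("freed by"):
            section = "free_stack"
            continue
        m = FRAME_RE.match(line)
        if m and section:
            info[section].append(m.group("fn"))
    return info


def first_application_frame(frames):
    """Skip sanitizer interceptor frames so the blame lands on application code."""
    for fn in frames:
        if not fn.startswith("__interceptor_") and not fn.startswith("__asan"):
            return fn
    return None


def triage(info):
    """Derive what a reviewer wants: where the access sits relative to the
    allocation, how far beyond it the access reaches, and whether the report
    is internally consistent (quoted size must equal the [lo,hi) span)."""
    size = info["region_size"]
    span = info["region_hi"] - info["region_lo"]
    offset = info["fault_addr"] - info["region_lo"]
    if info["side"] == "right":
        bytes_beyond = info["distance"] + info["access_size"]
    else:
        bytes_beyond = info["distance"]
    return {
        "consistent": span == size,
        "offset_from_start": offset,        # equals region_size for an access at the end
        "bytes_beyond_region": bytes_beyond,
        "faulting_function": first_application_frame(info["fault_stack"]),
        "allocating_function": first_application_frame(info["alloc_stack"]),
        "region_mib": size / 2**20,
    }


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report the parser confirms a 4-byte read exactly at the end of a region of about 1.1 GiB, allocated in plutovg_surface_create and read in plutovg_surface_write_to_png. The allocation size is worth keeping in the bug report alongside the stack traces, since it tells the maintainer how large a surface the PoC produces before the encoder runs off its end.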