Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug2: a stack buffer overflow bug of parse WHICH may lead to RCE #3

Open
ghost opened this issue Sep 12, 2018 · 2 comments

Comments

@ghost
Copy link

commented Sep 12, 2018

POC:
https://pan.baidu.com/s/1jVZghI-9fabwDuOAs6xAcg
ASAN:
https://pan.baidu.com/s/1WrFXobw05-t1EpJpceZ-gA

Description:
If szEnd can't hit the judge follow in a right range, the coptsize of strncpy may be too large, which will directly cause stack overflow. If the lib is used by a browser, RCE is possible!

const char* svgGetNextPathField( const char *szData, char *szField )
{
 const char *szStart = NULL, *szEnd = NULL;

 if( szData==NULL || szField==NULL )
  return NULL;

 szField[ 0 ] = '\0';

 // FIXME: Make sure that this "M100,100L200,500" will be parsed...

 // Search for the start of the field
 szStart = szData;
 while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
  szStart ++;
 }

 if( *szStart=='\0' )
  return NULL;

 // Search for the end
 szEnd = szStart + 1;
 while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
  szEnd ++;
 }

 strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
 szField[ szEnd - szStart ] = 0;

 return szStart;
}
while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
  szEnd ++;
 }
char *szValue, szField[ 16 ];
szFieldStart = svgGetNextPathField( szFieldStart, szField );

pwndbg> p ptPathCmd
$31 = (svgPathCommand *) 0x313131313131312d

pwndbg> p ptLastPathCmd 
$33 = (svgPathCommand *) 0x333233322d333132

saved $rbp and ret addr has been overwriteed, when bypassing the poc crash erro, $ip will be controlled.

debug pic: https://pan.baidu.com/s/1AKFgwFBdQRZZjEdsXb3fWg

@ghost

This comment has been minimized.

Copy link
Author

commented Sep 12, 2018

affect sources/svg_string.c

@abergmann

This comment has been minimized.

Copy link

commented Sep 24, 2018

CVE-2018-17334 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.