Description:
If szEnd doesn't hit the following check within the right range, the copy size of strncpy may be too large, which will directly cause a stack overflow. If the lib is used by a browser, RCE is possible!
#include <stddef.h>
#include <string.h>

/* Vulnerable version as reported: szField is a fixed-size caller buffer,
 * but the copy length is taken from the input alone. */
const char* svgGetNextPathField( const char *szData, char *szField )
{
    const char *szStart = NULL, *szEnd = NULL;

    if( szData==NULL || szField==NULL )
        return NULL;

    szField[ 0 ] = '\0';

    // FIXME: Make sure that this "M100,100L200,500" will be parsed...

    // Search for the start of the field
    szStart = szData;
    while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
        szStart ++;
    }
    if( *szStart=='\0' )
        return NULL;

    // Search for the end
    szEnd = szStart + 1;
    while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
        szEnd ++;
    }

    // szEnd - szStart is unbounded: a long field overruns szField on the stack
    strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
    szField[ szEnd - szStart ] = 0;

    return szStart;
}
POC:
https://pan.baidu.com/s/1jVZghI-9fabwDuOAs6xAcg
ASAN:
https://pan.baidu.com/s/1WrFXobw05-t1EpJpceZ-gA
pwndbg> p ptPathCmd
$31 = (svgPathCommand *) 0x313131313131312d
pwndbg> p ptLastPathCmd
$33 = (svgPathCommand *) 0x333233322d333132
The saved $rbp and return address have been overwritten; when bypassing the PoC crash error, $ip will be controlled.
debug pic: https://pan.baidu.com/s/1AKFgwFBdQRZZjEdsXb3fWg
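A bounded variant of the function, showing what the fix needs to look like: the caller passes the destination buffer size and a field that does not fit is rejected instead of copied. This is an added example, not the library's own code; the name svgGetNextPathFieldSafe and the cbField parameter are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not the project's code): same scanning logic as the
 * original, but the copy is capped by the caller-supplied buffer size.
 * Returns NULL when there is no field or the field does not fit. */
const char *svgGetNextPathFieldSafe(const char *szData, char *szField,
                                    size_t cbField)
{
    const char *szStart, *szEnd;
    size_t len;

    if (szData == NULL || szField == NULL || cbField == 0)
        return NULL;
    szField[0] = '\0';

    /* Skip leading separators, exactly as the original does. */
    szStart = szData;
    while (*szStart != '\0' && (*szStart == '\t' || *szStart == '\r' ||
           *szStart == '\n' || *szStart == ' ' || *szStart == ','))
        szStart++;
    if (*szStart == '\0')
        return NULL;

    /* Find the end of the field (first separator or end of string). */
    szEnd = szStart + 1;
    while (*szEnd != '\0' && *szEnd != '\t' && *szEnd != '\r' &&
           *szEnd != '\n' && *szEnd != ' ' && *szEnd != ',')
        szEnd++;

    /* The check the original lacks: leave room for the terminator. */
    len = (size_t)(szEnd - szStart);
    if (len >= cbField)
        return NULL;
    memcpy(szField, szStart, len);
    szField[len] = '\0';
    return szStart;
}
```

With a 16-byte destination, a 32-character field is refused and the buffer is left empty, whereas the original would have written past the end of the caller's stack buffer.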