ASAN: https://pan.baidu.com/s/1PkaKUDN5p08FEU0ANflUQg
POC: https://pan.baidu.com/s/1d6txGGMKINmIWWLSVjwORw
EXP: https://pan.baidu.com/s/1S4uNtdBtGmTK5p47BGI8Mg password:i5n2
Description: An sscanf operation without a check of the string length, which may lead to a stack overflow. When this lib is used by a browser to parse SVG, RCE is possible.
```c
void svgStringToLength( const char *szValue, svgLength *ptLength )
{
	char szUnit[ 8 ] = "";

	if( szValue==NULL || ptLength==NULL )
		return;

	memset( ptLength, 0, sizeof( *ptLength ) );
	sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );
	SVG_DEBUG_PRINTF( "Value %#.4f\n", ptLength->fValue );
	ptLength->tUnit = SVG_LENGTH_UNIT_NONE;
	if( szUnit[ 0 ]=='\0' )
		return;

	if( strcmp( szUnit, "em" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_EM;
	else if( strcmp( szUnit, "ex" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_EX;
	else if( strcmp( szUnit, "in" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_IN;
	else if( strcmp( szUnit, "cm" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_CM;
	else if( strcmp( szUnit, "mm" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_MM;
	else if( strcmp( szUnit, "pt" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_PT;
	else if( strcmp( szUnit, "pc" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_PC;
	else if( strcmp( szUnit, "%" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_PERCENT;
	else if( strcmp( szUnit, "px" )==0 )
		ptLength->tUnit = SVG_LENGTH_UNIT_PX;
}
```
```c
sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );
```
This function call doesn't check the length of the string in szValue, which can lead to a stack overflow!
debug image: https://pan.baidu.com/s/10dvIlFtXydbwb0egxeXXGg
affect: sources/svg_types.c
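Two bounded rewrites of the unit parsing, added here as an illustration and not taken from the project; the enum and struct definitions are assumed stand-ins for the library's real headers. The first applies the one-token fix (a field width on `%s`, so `szUnit[8]` can never be overrun), the second parses with `strtof` and never copies the unit into a fixed buffer at all, rejecting anything that is not a number optionally followed by a known unit.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the library's enum and struct (assumed shape, not the project's header). */
typedef enum {
    SVG_LENGTH_UNIT_NONE, SVG_LENGTH_UNIT_EM, SVG_LENGTH_UNIT_EX, SVG_LENGTH_UNIT_IN,
    SVG_LENGTH_UNIT_CM, SVG_LENGTH_UNIT_MM, SVG_LENGTH_UNIT_PT, SVG_LENGTH_UNIT_PC,
    SVG_LENGTH_UNIT_PERCENT, SVG_LENGTH_UNIT_PX
} svgLengthUnit;
typedef struct { float fValue; svgLengthUnit tUnit; } svgLength;
static const struct { const char *name; svgLengthUnit unit; } kUnits[] = {
    {"em", SVG_LENGTH_UNIT_EM}, {"ex", SVG_LENGTH_UNIT_EX}, {"in", SVG_LENGTH_UNIT_IN},
    {"cm", SVG_LENGTH_UNIT_CM}, {"mm", SVG_LENGTH_UNIT_MM}, {"pt", SVG_LENGTH_UNIT_PT},
    {"pc", SVG_LENGTH_UNIT_PC}, {"%", SVG_LENGTH_UNIT_PERCENT}, {"px", SVG_LENGTH_UNIT_PX},
};
/* Table lookup replaces the strcmp chain; unknown names map to NONE. */
static svgLengthUnit lookupUnit(const char *s) {
    size_t i;
    for (i = 0; i < sizeof kUnits / sizeof kUnits[0]; i++)
        if (strcmp(s, kUnits[i].name) == 0) return kUnits[i].unit;
    return SVG_LENGTH_UNIT_NONE;
}
/* Minimal fix: the field width caps "%s" at 7 chars + NUL, so szUnit[8] cannot overflow.
 * Over-long or unknown units silently stay NONE, matching the original's behaviour. */
int svgStringToLengthBounded(const char *szValue, svgLength *ptLength) {
    char szUnit[8] = "";
    if (szValue == NULL || ptLength == NULL) return -1;
    memset(ptLength, 0, sizeof(*ptLength));
    if (sscanf(szValue, "%f%7s", &ptLength->fValue, szUnit) < 1) return -1;
    ptLength->tUnit = lookupUnit(szUnit);
    return 0;
}
/* Stricter variant: parse with strtof, never copy the unit into a fixed buffer, and
 * reject anything that is not a number optionally followed by a known unit. */
int svgStringToLengthStrict(const char *szValue, svgLength *ptLength) {
    char *end;
    if (szValue == NULL || ptLength == NULL) return -1;
    memset(ptLength, 0, sizeof(*ptLength));
    errno = 0;
    ptLength->fValue = strtof(szValue, &end);
    if (end == szValue || errno == ERANGE) return -1;   /* no number, or out of range */
    while (isspace((unsigned char)*end)) end++;          /* "%s" would skip this too */
    if (*end == '\0') return 0;                          /* unitless length, tUnit stays NONE */
    ptLength->tUnit = lookupUnit(end);
    return ptLength->tUnit == SVG_LENGTH_UNIT_NONE ? -1 : 0;
}
```

The strict variant is the one to prefer when the caller can report a parse error; the bounded variant is a drop-in replacement that keeps the original function's silent-NONE behaviour.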