
bug 3: another stack buffer overflow bug which may lead to RCE #4

Open
ghost opened this issue Sep 12, 2018 · 1 comment

Comments

@ghost

ghost commented Sep 12, 2018

ASAN: https://pan.baidu.com/s/1PkaKUDN5p08FEU0ANflUQg
POC: https://pan.baidu.com/s/1d6txGGMKINmIWWLSVjwORw
EXP: https://pan.baidu.com/s/1S4uNtdBtGmTK5p47BGI8Mg password:i5n2

Description:
An sscanf operation without a check of the string length, which may lead to a stack overflow. When this lib is used to parse SVG by a browser, RCE is possible.

/* As posted: svgLength and the SVG_LENGTH_UNIT_* enum come from the
   library's own headers (sources/svg_types.c). */
void svgStringToLength( const char *szValue, svgLength *ptLength )
{
    char szUnit[ 8 ] = "";   /* 8-byte stack buffer for the unit suffix */

    if( szValue==NULL || ptLength==NULL )
        return;

    memset( ptLength, 0, sizeof( *ptLength ) );
    /* "%s" has no width limit: any suffix longer than 7 characters
       overruns szUnit on the stack. */
    sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );

    SVG_DEBUG_PRINTF( "Value %#.4f\n", ptLength->fValue );

    ptLength->tUnit = SVG_LENGTH_UNIT_NONE;
    if( szUnit[ 0 ]=='\0' )
        return;

    if( strcmp( szUnit, "em" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_EM;
    else if( strcmp( szUnit, "ex" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_EX;
    else if( strcmp( szUnit, "in" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_IN;
    else if( strcmp( szUnit, "cm" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_CM;
    else if( strcmp( szUnit, "mm" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_MM;
    else if( strcmp( szUnit, "pt" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PT;
    else if( strcmp( szUnit, "pc" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PC;
    else if( strcmp( szUnit, "%" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PERCENT;
    else if( strcmp( szUnit, "px" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PX;
}

sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );

This function call doesn't check the string in szValue, which can lead to a stack overflow!

debug image: https://pan.baidu.com/s/10dvIlFtXydbwb0egxeXXGg

@ghost
Author

ghost commented Sep 12, 2018

Affects: sources/svg_types.c
