-
Notifications
You must be signed in to change notification settings - Fork 360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
endless loop (DOS) when parsing crafted input via nsvgParseFromFile() #178
Comments
If you want to find some more to not disclose there's a fuzzer in one of the many branches. Should be totally obvious, but I'll point out that nobody security conscious should be using this library to load svgs from unknown sources. |
Hello @tesch1, I'm not sure that I fully understood what you were trying to say. As far as I can see, memononen/nanosvg has no other branches, active or otherwise. Looking deeper into the topic of actual nanosvg forks, I can find your comment at 25241c5#commitcomment-35986042 and your nanosvg fork, which does have fuzzing-related changes. Could you please clarify what you're suggesting for the disclosure of the DOS mentioned above? In particular, do you think that you've already found and publicly fixed the relevant issue in your fork, which would resolve this topic? Correctly disclosing issues in unmaintained projects with unreachable developers is difficult, and it doesn't help that there is no visible followup project with either the blessing of the previous maintainer or many visible users (measured by Github stars, for example). Given the number of stars and forks for this original version, it is not unreasonable to assume that this code is still used somewhere to parse untrusted input. Through this Github issue, I was trying to balance the relevant pros and cons of this situation. |
The Tk project (Tcl/Tk (https://core.tcl-lang.org/tk), TkInter, TkRuby, TkPerl) are happily using svgnano and it is very helpful and very quick. Some bugs are only fixed in Tk and not necessarily reported back to the main project. We would be glad to get more information on what is actually triggering the issue. Thank you, |
Interesting, so the tksvg extension and the main tcl code also carry a copy of nanosvg.h after TIP #507 in 2018, or at least some branches do. |
Here is the 21 bytes are sufficient to trigger the problem:
|
Quick fix proposal in Tk here |
Here is the patch authored by fvogel:
|
Ticket #178: endless loop (DOS) when parsing crafted input via nsvgPa…
The merged patch appears to resolve the loop issue 👍 @memononen: additional fuzzing brings up more issues. Please indicate how you want those to be reported. |
Tierve Mikko, Thank you, |
- make sure nsvg__addPath() hands only valid number of pointts (1+N*3) - require moveTo path command before handling other commands - require (sign+)digit for a valid path command coordinate - allow to add bezier segment only after there’s at leat one point (now also consistent with nsvg__lineTo)
Thanks Harald. I happened to have few hours to spare, so I fixed the to latest findings from @invd |
I think this issue can be closed. |
Mid-June, I discovered and privately reported an endless loop issue that happens in the following usage scenario with a small crafted input file:
The expected security impact is a denial of service.
So far, I have not received a reply from @memononen. Given that nanosvg
is not actively maintained
(see README.md), this is somewhat expected, but I want to report the issue anyway because there might still be active users of this library that are affected by this.@memononen : can you give some quick feedback on whether you want the details to be disclosed publicly here in the bugtracker or prefer them to stay nonpublic until the 15.9.2020 (90 days after initial disclosure)?
The text was updated successfully, but these errors were encountered: