CWE-131 (Incorrect Calculation of Buffer Size) in plutosvg_load_from_memory #7
Comments
I'll make sure to dive into this matter as soon as my schedule permits. Thank you for bringing it to my attention!
A simple way to fix the bug is adding a size check like this:

By the way, the allocations in function

```c
filt = (unsigned char *) STBIW_MALLOC((x*n+1) * y); if (!filt) return 0;
line_buffer = (signed char *) STBIW_MALLOC(x * n); if (!line_buffer) { STBIW_FREE(filt); return 0; }
```

can be fixed in the same way.

Steps to reproduce

code:

```c
#include <plutosvg.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    if(argc < 2)
    {
        printf("usage: %s <file.svg>\n", argv[0]);
        return -1;
    }
    /* load the SVG with the library's default sizing (width/height 0) at 96 dpi */
    plutovg_surface_t* surface = plutosvg_load_from_file(argv[1], NULL, 0, 0, 96.0);
    if(surface == NULL)
    {
        printf("Load failed\n");
        return -1;
    }
    /* rasterize to a PNG so the rendering path actually touches the surface buffer */
    plutovg_surface_write_to_png(surface, "test.png");
    plutovg_surface_destroy(surface);
    return 0;
}
```

ASAN report

The PoC does not cause a segmentation fault, but it can trigger a heap overflow.
Summary

An integer overflow in the allocated size of calloc causes a segmentation fault. It might lead to heap overflow and arbitrary code execution.

Steps to reproduce

code:

run

ASAN report

Analysis

plutosvg_load_from_memory does not check the size of width and height and calls plutovg_surface_create(width, height). In plutovg_surface_create:

An integer overflow might happen when calculating width * height * 4. It might be better to check the sizes of width and height before the allocation.

PoC

poc.zip
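Both allocation sites discussed in this thread, the `width * height * 4` surface buffer in plutovg_surface_create and the `(x*n+1) * y` filter buffer from stb_image_write, compute a byte count in int arithmetic from attacker-influenced dimensions and hand the wrapped result to the allocator. The example below is added here and is not code from plutosvg, plutovg or stb_image_write: it shows the value the unchecked product wraps to for one concrete viewport, and a hardened sizing routine for each site built on a shared overflow-checked multiply plus a policy cap on total pixels. It generalizes beyond the two exact expressions in the issue to any size computed as a product of untrusted dimensions. Every function name, the `MAX_SURFACE_PIXELS` cap and the sample dimensions are assumptions of this example, and the remark that a surface struct keeps its stride in an int is likewise an assumption rather than something the thread states.

```c
/* Added example, not code from plutosvg, plutovg or stb_image_write.
 * Every function name and the MAX_SURFACE_PIXELS cap below are hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on pixels per surface (2^28 pixels = 1 GiB of RGBA32); an assumed
 * value, pick whatever the application can actually afford to allocate. */
#define MAX_SURFACE_PIXELS ((size_t)1 << 28)

/* The value the unchecked `width * height * 4` yields once it wraps. Done in
 * uint32_t so the wrap is well defined here; in the original's int arithmetic
 * the overflow is undefined behaviour that in practice wraps the same way. */
static uint32_t wrapped_rgba_size(int width, int height)
{
    return (uint32_t)width * (uint32_t)height * 4u;
}

/* a * b in size_t, or 0 if either operand is 0 or the product would overflow.
 * 0 doubles as the error value because no buffer sized here may be empty. */
static size_t mul_size_checked(size_t a, size_t b)
{
    if (a == 0 || b == 0 || a > SIZE_MAX / b)
        return 0;
    return a * b;
}

/* Hardened byte count for a width x height RGBA32 surface: rejects non-positive
 * dimensions, an overflowing pixel count and anything above the policy cap.
 * With pixels <= 2^28 the byte count is <= 2^30, so it also fits the int
 * stride/size fields a surface struct typically keeps (assumption). */
static size_t rgba_surface_bytes(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t pixels = mul_size_checked((size_t)width, (size_t)height);
    if (pixels == 0 || pixels > MAX_SURFACE_PIXELS)
        return 0;
    return pixels * 4;
}

/* Hardened form of the PNG filter buffer `(x*n+1) * y`: x pixels per row,
 * n channels, y rows, one extra filter-type byte per row. Returns 0 on rejection. */
static size_t png_filter_bytes(int x, int n, int y)
{
    if (x <= 0 || n <= 0 || y <= 0)
        return 0;
    size_t row = mul_size_checked((size_t)x, (size_t)n);
    if (row == 0 || row == SIZE_MAX)
        return 0;
    return mul_size_checked(row + 1, (size_t)y);
}

/* Only calloc once the size has been validated; NULL means "rejected or OOM". */
static unsigned char *alloc_rgba_surface(int width, int height)
{
    size_t bytes = rgba_surface_bytes(width, height);
    if (bytes == 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* A 32769 x 32768 viewport (constructed sample): the unchecked product wraps
     * to 128 KiB, so the original code would calloc only that much while the
     * rendering code treats the surface as ~4 GiB of pixels. */
    printf("unchecked 32769x32768: %u bytes\n", wrapped_rgba_size(32769, 32768));
    printf("checked   32769x32768: %zu bytes (0 = rejected)\n",
           rgba_surface_bytes(32769, 32768));

    unsigned char *ok = alloc_rgba_surface(640, 480);
    printf("640x480 surface: %s\n", ok ? "allocated" : "rejected");
    free(ok);

    unsigned char *bad = alloc_rgba_surface(32769, 32768);
    printf("32769x32768 surface: %s\n", bad ? "allocated" : "rejected");
    free(bad);

    printf("png filter buffer, 4096x4096 RGBA: %zu bytes\n",
           png_filter_bytes(4096, 4, 4096));
    printf("png filter buffer, INT_MAX^3: %zu bytes (0 = rejected)\n",
           png_filter_bytes(INT_MAX, INT_MAX, INT_MAX));
    return 0;
}
```

Doing the arithmetic in size_t removes the wrap on 64-bit builds, but on its own it would still let a 32769 x 32768 document request a 4 GiB surface; the pixel cap is what turns "no overflow" into "no absurd allocation", and it is the part a maintainer has to choose a value for. The same two-step shape (checked multiply, then a sanity bound) applies unchanged to the stb_image_write `x * n` line-buffer allocation the second comment mentions.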