
New vulnerability #101

Closed
001SM opened this issue Dec 6, 2021 · 6 comments

Comments


001SM commented Dec 6, 2021

id_000015,sig_11,src_001176,time_147681735,op_arith8,pos_10,val_+3.zip
In the renderDocument function, XMLDocument::getRoot handles the XMLDocument object improperly: at the second `if` it returns a null pointer early, which results in a null pointer dereference later in renderDocument.

AddressSanitizer:DEADLYSIGNAL

==1486083==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006d742e bp 0x7fffc6d83dd0 sp 0x7fffc6d83880 T0)
==1486083==The signal is caused by a READ memory access.
==1486083==Hint: address points to the zero page.
#0 0x6d742e in rapidxml_ns::xml_base::local_name() const /home/zero/Desktop/svgpp-master/src/demo/render/../../../third_party/rapidxml_ns/rapidxml_ns.hpp:882:20
#1 0x6d742e in svgpp::policy::xml::element_iterator<rapidxml_ns::xml_node const*>::get_local_name(rapidxml_ns::xml_node const*) /home/zero/Desktop/svgpp-master/src/demo/render/../../../include/svgpp/policy/xml/rapidxml_ns.hpp:127:43
#2 0x6d742e in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method >, svgpp::error_policy<svgpp::policy::error::default_policy >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_expected_element<rapidxml_ns::xml_node const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node const* const&, Canvas&, svgpp::tag::element::svg) /home/zero/Desktop/svgpp-master/src/demo/render/../../../include/svgpp/document_traversal.hpp:108:61
#3 0x6d742e in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method >, svgpp::error_policy<svgpp::policy::error::default_policy >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_document<rapidxml_ns::xml_node const*, Canvas>(rapidxml_ns::xml_node const* const&, Canvas&) /home/zero/Desktop/svgpp-master/src/demo/render/../../../include/svgpp/document_traversal.hpp:97:12
#4 0x6d742e in renderDocument(XMLDocument&, ImageBuffer&) /home/zero/Desktop/svgpp-master/src/demo/render/svgpp_render.cpp:1659:3
#5 0x6d8b32 in main /home/zero/Desktop/svgpp-master/src/demo/render/svgpp_render.cpp:1683:7
#6 0x7fb2c6bd3d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#7 0x606bc9 in _start (/home/zero/Desktop/svgpp-master/src/source/bin/svgpp_agg_render+0x606bc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zero/Desktop/svgpp-master/src/demo/render/../../../third_party/rapidxml_ns/rapidxml_ns.hpp:882:20 in rapidxml_ns::xml_base::local_name() const
==1486083==ABORTING

credit: Cvjark, 上帝的玩具

@Kretikus

Is this really a security bug?
CVE-2021-44960 is assigned to it.

I could not reproduce this with msvc2022

svgpp (Owner) commented Sep 29, 2022

I'm not sure, but it seems like an empty XML document is handled successfully by the parser (no exception is thrown), but xmlDocument.getRoot() returns nullptr.
Regarding security, the problem is not in the library but in the demo app, which isn't intended to be used as is.
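To make the diagnosis above concrete, here is an added example that is not code from the svgpp project: a constructed stand-in for the document and node types that reproduces the empty-document case (parse succeeds, root is nullptr), the unchecked dereference the demo's renderDocument pattern performs, and the guard that returns a status instead of crashing. The names XMLDocument, Node, localName, renderDocumentUnchecked, renderDocument and renderText are all constructed for this example.

```cpp
#include <cctype>
#include <memory>
#include <string>
#include <string_view>

// Constructed stand-in for the XML node; not the rapidxml_ns type.
struct Node {
    std::string name;   // element name, e.g. "svg"
};

// Models the behaviour described in the thread: parsing an empty or
// whitespace-only document does not throw, but getRoot() yields nullptr.
class XMLDocument {
public:
    explicit XMLDocument(std::string_view text) {
        const size_t open = text.find('<');
        if (open == std::string_view::npos) return;      // nothing to parse: no root
        const size_t start = open + 1;
        size_t end = start;
        while (end < text.size()) {
            const unsigned char c = static_cast<unsigned char>(text[end]);
            if (!(std::isalnum(c) || c == ':' || c == '_' || c == '-')) break;
            ++end;
        }
        if (end == start) return;                        // '<' not followed by an element name
        root_ = std::make_unique<Node>();
        root_->name = std::string(text.substr(start, end - start));
    }
    const Node* getRoot() const { return root_.get(); }   // nullptr for an empty document
private:
    std::unique_ptr<Node> root_;
};

// The read that faults in rapidxml_ns::xml_base::local_name() when node is null.
std::string_view localName(const Node* node) { return node->name; }

enum class RenderStatus { Ok, EmptyDocument };

// Before: hands getRoot() straight to the traversal. With an empty document
// this dereferences nullptr, which is the SEGV reported by AddressSanitizer.
std::string renderDocumentUnchecked(const XMLDocument& doc) {
    return std::string(localName(doc.getRoot()));
}

// After: reject a document without a root element before traversal starts.
RenderStatus renderDocument(const XMLDocument& doc, std::string& rootName) {
    const Node* root = doc.getRoot();
    if (root == nullptr) return RenderStatus::EmptyDocument;
    rootName = std::string(localName(root));
    return RenderStatus::Ok;
}

// Convenience wrapper: parse the text and render it with the guarded path.
RenderStatus renderText(std::string_view text) {
    std::string name;
    return renderDocument(XMLDocument(text), name);
}
```

Only the guarded path is safe to call on arbitrary input; renderDocumentUnchecked is kept to show the faulty pattern side by side.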


Kretikus commented Sep 30, 2022

Thank you for your reply, that makes more sense.

What is the process to get rid of a CVE entry?

svgpp (Owner) commented Sep 30, 2022

I will try to fix the issue

svgpp (Owner) commented Sep 30, 2022

Fixed in #109

@svgpp svgpp closed this as completed Sep 30, 2022

Kretikus commented Oct 1, 2022

Thanks
