You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
$ ./svgpp_agg_render oob-read.svg out.bmp
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x561e2dead739 bp 0x7fff45068560 sp 0x7fff45068550 T0)
==18299==The signal is caused by a READ memory access.
==18299==Hint: address points to the zero page.
#0 0x561e2dead738 in agg::row_accessor<unsigned char>::stride() const (/home/luna/tmp/debug/out/svgpp_agg_render+0x1410738)#1 0x561e2de9f6ff in agg::pixfmt_alpha_blend_rgba<agg::blender_rgba<agg::rgba8T<agg::linear>, agg::order_rgba>, agg::row_accessor<unsigned char> >::stride() const (/home/luna/tmp/debug/out/svgpp_agg_render+0x14026ff)#2 0x561e2de7f043 in main /home/ubuntu/svgpp/src/demo/render/svgpp_render.cpp:1709#3 0x7f38956adb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)#4 0x561e2de6c8ed in _start (/home/luna/tmp/debug/out/svgpp_agg_render+0x13cf8ed)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/luna/tmp/debug/out/svgpp_agg_render+0x1410738) in agg::row_accessor<unsigned char>::stride() const
==18299==ABORTING
./svgpp_agg_render oob-read-2.svg out.bmp
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18374==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c3b0c03bfd bp 0x7fffed9201b0 sp 0x7fffed9201a0 T0)
==18374==The signal is caused by a READ memory access.
==18374==Hint: address points to the zero page.
#0 0x55c3b0c03bfc in rapidxml_ns::xml_base<char>::local_name() const /home/ubuntu/svgpp/src/demo/render/../../../third_party/rapidxml_ns/rapidxml_ns.hpp:882#1 0x55c3b0bf2e5f in svgpp::policy::xml::element_iterator<rapidxml_ns::xml_node<char> const*>::get_local_name(rapidxml_ns::xml_node<char> const*) /home/ubuntu/svgpp/src/demo/render/../../../include/svgpp/policy/xml/rapidxml_ns.hpp:127
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
OS : ubuntu 19.04
commit ID : 1d2f15a
1. A heap-buffer-overflow in svgpp_agg_render
ASAN:
$ ./svgpp_agg_render heap-buffer-overflow.svg out.bmp ================================================================= ==17669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4b545ff508 at pc 0x564bf3b455a8 bp 0x7ffced74d690 sp 0x7ffced74d680 WRITE of size 4 at 0x7f4b545ff508 thread T0 #0 0x564bf3b455a7 in agg::pixfmt_alpha_blend_rgba<agg::blender_rgba<agg::rgba8T<agg::linear>, agg::order_rgba>, agg::row_accessor<unsigned char> >::copy_hline(int, int, unsigned int, agg::rgba8T<agg::linear> const&) (/home/luna/tmp/debug/out/svgpp_agg_render+0x14105a7) #1 0x564bf3b37667 in agg::renderer_base<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba<agg::rgba8T<agg::linear>, agg::order_rgba>, agg::row_accessor<unsigned char> > >::clear(agg::rgba8T<agg::linear> const&) (/home/luna/tmp/debug/out/svgpp_agg_render+0x1402667) #2 0x564bf3b2b2ed in ImageBuffer::setSize(int, int, agg::rgba8T<agg::linear> const&) (/home/luna/tmp/debug/out/svgpp_agg_render+0x13f62ed) #3 0x564bf3b2d6a0 in Canvas::set_viewport(double, double, double, double) (/home/luna/tmp/debug/out/svgpp_agg_render+0x13f86a0) #4 0x564bf3d41cc4 in void svgpp::policy::viewport_events::forward_to_method<Canvas>::set_viewport<double>(Canvas&, double, double, double, double) (/home/luna/tmp/debug/out/svgpp_agg_render+0x160ccc4) #5 0x564bf3ce4332 in _ZN5svgpp26viewport_transform_adapter12set_viewportIKNS_6detail23adapted_context_wrapperIKNS2_31bind_context_parameters_wrapperI6CanvasN5boost9parameter3aux8arg_listINS_15viewport_policyINS_6policy8viewport12as_transformEEENS9_INS_26attribute_traversal_policyI19attribute_traversalEENS9_INS_14markers_policyINSB_7markers16calculate_alwaysEEENS9_INS_12error_policyINSB_5error14default_policyI8StylableEEEENS9_INS_18path_events_policyINSB_11path_events17forward_to_methodI4PathEEEENS9_INS_23transform_events_policyINSB_16transform_events17forward_to_methodI13TransformableEEEENS9_INS_33document_traversal_control_policyI24DocumentTraversalControlEENS9_INS_11path_policyI11path_policyEENS9_INS_20processed_attributesI20processed_attributesEENS9_INS_18processed_elementsI18processed_elementsEENS9_INS_13color_factoryINS_7factory5color18percentage_adapterI20color_factory_base_tEEEENS9_INS_13length_policyINSB_6length17forward_to_methodIS5_KNS1H_6length8unitlessIddNS_3tag12length_units2mmEEEEEEENS9_INS_17context_factoriesI23child_context_factoriesEENS9_INS_19referencing_elementIvEENS8_14empty_arg_listEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEENS_17transform_adapterIS11_NSB_9transform6matrixES12_dvEENS1S_23transform_events_policyENS10_IS2O_EEEEdEEvRT_T0_S2V_S2V_S2V_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x15af332) #6 0x564bf3c80b88 in _ZNK5svgpp26calculate_viewport_adapterINS_3tag7element3svgEvddE18on_exit_attributesIKNS_6detail23adapted_context_wrapperIKNS6_31bind_context_parameters_wrapperI6CanvasN5boost9parameter3aux8arg_listINS_15viewport_policyINS_6policy8viewport12as_transformEEENSD_INS_26attribute_traversal_policyI19attribute_traversalEENSD_INS_14markers_policyINSF_7markers16calculate_alwaysEEENSD_INS_12error_policyINSF_5error14default_policyI8StylableEEEENSD_INS_18path_events_policyINSF_11path_events17forward_to_methodI4PathEEEENSD_INS_23transform_events_policyINSF_16transform_events17forward_to_methodI13TransformableEEEENSD_INS_33document_traversal_control_policyI24DocumentTraversalControlEENSD_INS_11path_policyI11path_policyEENSD_INS_20processed_attributesI20processed_attributesEENSD_INS_18processed_elementsI18processed_elementsEENSD_INS_13color_factoryINS_7factory5color18percentage_adapterI20color_factory_base_tEEEENSD_INS_13length_policyINSF_6length17forward_to_methodIS9_KNS1L_6length8unitlessIddNS1_12length_units2mmEEEEEEENSD_INS_17context_factoriesI23child_context_factoriesEENSD_INS_19referencing_elementIvEENSC_14empty_arg_listEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEKNS7_IS2N_NS_17transform_adapterIS15_NSF_9transform6matrixES16_dvEENS1_23transform_events_policyENS14_IS2R_EEEENS1_22viewport_events_policyENS_26viewport_transform_adapterEEEEEbRT_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x154bb88) #7 0x564bf3c454fd in _ZN5svgpp6detail24viewport_transform_stateINS_26calculate_viewport_adapterINS_3tag7element3svgEvddEEE18on_exit_attributesIKNS0_31bind_context_parameters_wrapperI6CanvasN5boost9parameter3aux8arg_listINS_15viewport_policyINS_6policy8viewport12as_transformEEENSE_INS_26attribute_traversal_policyI19attribute_traversalEENSE_INS_14markers_policyINSG_7markers16calculate_alwaysEEENSE_INS_12error_policyINSG_5error14default_policyI8StylableEEEENSE_INS_18path_events_policyINSG_11path_events17forward_to_methodI4PathEEEENSE_INS_23transform_events_policyINSG_16transform_events17forward_to_methodI13TransformableEEEENSE_INS_33document_traversal_control_policyI24DocumentTraversalControlEENSE_INS_11path_policyI11path_policyEENSE_INS_20processed_attributesI20processed_attributesEENSE_INS_18processed_elementsI18processed_elementsEENSE_INS_13color_factoryINS_7factory5color18percentage_adapterI20color_factory_base_tEEEENSE_INS_13length_policyINSG_6length17forward_to_methodISA_KNS1M_6length8unitlessIddNS3_12length_units2mmEEEEEEENSE_INS_17context_factoriesI23child_context_factoriesEENSE_INS_19referencing_elementIvEENSD_14empty_arg_listEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEbRT_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x15104fd) #8 0x564bf3c0a96b in bool svgpp::detail::on_exit_attributes_functor<Canvas, svgpp::referencing_element<void>, svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::operator()<svgpp::detail::viewport_transform_state<svgpp::calculate_viewport_adapter<svgpp::tag::element::svg, void, double, double> > >(bool, svgpp::detail::viewport_transform_state<svgpp::calculate_viewport_adapter<svgpp::tag::element::svg, void, double, double> >&) const (/home/luna/tmp/debug/out/svgpp_agg_render+0x14d596b) #9 0x564bf3be3f79 in _ZN5boost6fusion6detail7it_foldINS0_15vector_iteratorINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS5_26calculate_viewport_adapterINS5_3tag7element3svgEvddEEEEEEELi0EEENS_13add_referenceIKbEENS6_26on_exit_attributes_functorI6CanvasJNS5_19referencing_elementIvEENS5_17context_factoriesI23child_context_factoriesEENS5_13length_policyINS5_6policy6length17forward_to_methodISK_KNS5_7factory6length8unitlessIddNS9_12length_units2mmEEEEEEENS5_13color_factoryINSU_5color18percentage_adapterI20color_factory_base_tEEEENS5_18processed_elementsI18processed_elementsEENS5_20processed_attributesI20processed_attributesEENS5_11path_policyI11path_policyEENS5_33document_traversal_control_policyI24DocumentTraversalControlEENS5_23transform_events_policyINSR_16transform_events17forward_to_methodI13TransformableEEEENS5_18path_events_policyINSR_11path_events17forward_to_methodI4PathEEEENS5_12error_policyINSR_5error14default_policyI8StylableEEEENS5_14markers_policyINSR_7markers16calculate_alwaysEEENS5_26attribute_traversal_policyI19attribute_traversalEENS5_15viewport_policyINSR_8viewport12as_transformEEEEEELi1EEENS_16lazy_enable_if_cIXneT2_Li0EENS1_17result_of_it_foldIXT2_ET_T0_T1_vEEE4typeEN4mpl_4int_IXT2_EEERKS2H_NS2I_4typeERS2J_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x14aef79) #10 0x564bf3bc3af6 in _ZN5boost6fusion6detail4foldINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS4_26calculate_viewport_adapterINS4_3tag7element3svgEvddEEEEEEEKbNS5_26on_exit_attributes_functorI6CanvasJNS4_19referencing_elementIvEENS4_17context_factoriesI23child_context_factoriesEENS4_13length_policyINS4_6policy6length17forward_to_methodISG_KNS4_7factory6length8unitlessIddNS8_12length_units2mmEEEEEEENS4_13color_factoryINSQ_5color18percentage_adapterI20color_factory_base_tEEEENS4_18processed_elementsI18processed_elementsEENS4_20processed_attributesI20processed_attributesEENS4_11path_policyI11path_policyEENS4_33document_traversal_control_policyI24DocumentTraversalControlEENS4_23transform_events_policyINSN_16transform_events17forward_to_methodI13TransformableEEEENS4_18path_events_policyINSN_11path_events17forward_to_methodI4PathEEEENS4_12error_policyINSN_5error14default_policyI8StylableEEEENS4_14markers_policyINSN_7markers16calculate_alwaysEEENS4_26attribute_traversal_policyI19attribute_traversalEENS4_15viewport_policyINSN_8viewport12as_transformEEEEEEEENS1_14result_of_foldIT_T0_T1_XsrNS0_6traits11is_sequenceIS2C_EE5valueEXsrNS2F_12is_segmentedIS2C_EE5valueEE4typeERS2C_RS2D_RS2E_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x148eaf6) #11 0x564bf3ba6f4f in _ZN5boost6fusion4foldINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS3_26calculate_viewport_adapterINS3_3tag7element3svgEvddEEEEEEEbNS4_26on_exit_attributes_functorI6CanvasJNS3_19referencing_elementIvEENS3_17context_factoriesI23child_context_factoriesEENS3_13length_policyINS3_6policy6length17forward_to_methodISE_KNS3_7factory6length8unitlessIddNS7_12length_units2mmEEEEEEENS3_13color_factoryINSO_5color18percentage_adapterI20color_factory_base_tEEEENS3_18processed_elementsI18processed_elementsEENS3_20processed_attributesI20processed_attributesEENS3_11path_policyI11path_policyEENS3_33document_traversal_control_policyI24DocumentTraversalControlEENS3_23transform_events_policyINSL_16transform_events17forward_to_methodI13TransformableEEEENS3_18path_events_policyINSL_11path_events17forward_to_methodI4PathEEEENS3_12error_policyINSL_5error14default_policyI8StylableEEEENS3_14markers_policyINSL_7markers16calculate_alwaysEEENS3_26attribute_traversal_policyI19attribute_traversalEENS3_15viewport_policyINSL_8viewport12as_transformEEEEEEEENS0_9result_of4foldIT_KT0_T1_E4typeERS2B_RS2D_S2E_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x1471f4f) #12 0x564bf3b95810 in _ZN5boost6fusion10accumulateINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS3_26calculate_viewport_adapterINS3_3tag7element3svgEvddEEEEEEEbNS4_26on_exit_attributes_functorI6CanvasJNS3_19referencing_elementIvEENS3_17context_factoriesI23child_context_factoriesEENS3_13length_policyINS3_6policy6length17forward_to_methodISE_KNS3_7factory6length8unitlessIddNS7_12length_units2mmEEEEEEENS3_13color_factoryINSO_5color18percentage_adapterI20color_factory_base_tEEEENS3_18processed_elementsI18processed_elementsEENS3_20processed_attributesI20processed_attributesEENS3_11path_policyI11path_policyEENS3_33document_traversal_control_policyI24DocumentTraversalControlEENS3_23transform_events_policyINSL_16transform_events17forward_to_methodI13TransformableEEEENS3_18path_events_policyINSL_11path_events17forward_to_methodI4PathEEEENS3_12error_policyINSL_5error14default_policyI8StylableEEEENS3_14markers_policyINSL_7markers16calculate_alwaysEEENS3_26attribute_traversal_policyI19attribute_traversalEENS3_15viewport_policyINSL_8viewport12as_transformEEEEEEEENS0_9result_of10accumulateIT_KT0_T1_E4typeERS2B_RS2D_S2E_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x1460810) #13 0x564bf3b81846 in svgpp::detail::viewport_attribute_dispatcher<svgpp::tag::element::svg, Canvas, svgpp::referencing_element<void>, svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::on_exit_attributes() (/home/luna/tmp/debug/out/svgpp_agg_render+0x144c846) #14 0x564bf3b704bc in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_attributes<void, rapidxml_ns::xml_node<char> const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node<char> const* const&, Canvas&, svgpp::tag::element::svg) (/home/luna/tmp/debug/out/svgpp_agg_render+0x143b4bc) #15 0x564bf3b5f548 in _ZN5svgpp18document_traversalIJNS_17context_factoriesI23child_context_factoriesEENS_13length_policyINS_6policy6length17forward_to_methodI6CanvasKNS_7factory6length8unitlessIddNS_3tag12length_units2mmEEEEEEENS_13color_factoryINS9_5color18percentage_adapterI20color_factory_base_tEEEENS_18processed_elementsI18processed_elementsEENS_20processed_attributesI20processed_attributesEENS_11path_policyI11path_policyEENS_33document_traversal_control_policyI24DocumentTraversalControlEENS_23transform_events_policyINS5_16transform_events17forward_to_methodI13TransformableEEEENS_18path_events_policyINS5_11path_events17forward_to_methodI4PathEEEENS_12error_policyINS5_5error14default_policyI8StylableEEEENS_14markers_policyINS5_7markers16calculate_alwaysEEENS_26attribute_traversal_policyI19attribute_traversalEENS_15viewport_policyINS5_8viewport12as_transformEEEEE12load_elementIN5boost3mpl6s_itemINSC_7element14linearGradientENS1Y_INS1Z_14radialGradientENS1Y_INS1Z_4defsENS1Y_INS1Z_1gENS1Y_INS1Z_3svgENS1Y_INS1Z_6symbolENS1Y_INS1Z_4use_ENS1Y_INS1Z_6circleENS1Y_INS1Z_7ellipseENS1Y_INS1Z_4lineENS1Y_INS1Z_4pathENS1Y_INS1Z_7polygonENS1Y_INS1Z_8polylineENS1Y_INS1Z_4rectENS1Y_INS1Z_4descENS1Y_INS1Z_8metadataENS1Y_INS1Z_5titleENS1Y_INS1Z_7animateENS1Y_INS1Z_12animateColorENS1Y_INS1Z_13animateMotionENS1Y_INS1Z_16animateTransformENS1Y_INS1Z_3setENS1Y_INS1Z_4viewENS1Y_INS1Z_4textENS1Y_INS1Z_7switch_ENS1Y_INS1Z_5styleENS1Y_INS1Z_6scriptENS1Y_INS1Z_7patternENS1Y_INS1Z_4maskENS1Y_INS1Z_6markerENS1Y_INS1Z_5imageENS1Y_INS1Z_13foreignObjectENS1Y_INS1Z_9font_faceENS1Y_INS1Z_4fontENS1Y_INS1Z_6filterENS1Y_INS1Z_6cursorENS1Y_INS1Z_13color_profileENS1Y_INS1Z_8clipPathENS1Y_INS1Z_11altGlyphDefENS1Y_INS1Z_1aENS1X_4set0IN4mpl_2naEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEvPKN11rapidxml_ns8xml_nodeIcEES8_S24_EEbRKT1_RT2_T3_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x142a548) #16 0x564bf3b4e50a in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_expected_element<rapidxml_ns::xml_node<char> const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node<char> const* const&, Canvas&, svgpp::tag::element::svg) (/home/luna/tmp/debug/out/svgpp_agg_render+0x141950a) #17 0x564bf3b3e3ee in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_document<rapidxml_ns::xml_node<char> const*, Canvas>(rapidxml_ns::xml_node<char> const* const&, Canvas&) (/home/luna/tmp/debug/out/svgpp_agg_render+0x14093ee) #18 0x564bf3b16d13 in renderDocument(XMLDocument&, ImageBuffer&) /home/ubuntu/svgpp/src/demo/render/svgpp_render.cpp:1659 #19 0x564bf3b16fe0 in main /home/ubuntu/svgpp/src/demo/render/svgpp_render.cpp:1683 #20 0x7f4b57a56b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a) #21 0x564bf3b048ed in _start (/home/luna/tmp/debug/out/svgpp_agg_render+0x13cf8ed) 0x7f4b545ff508 is located 0 bytes to the right of 899788040-byte region [0x7f4b1ebe4800,0x7f4b545ff508) allocated by thread T0 here: #0 0x7f4b5807317f in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10e17f) #1 0x564bf3b7536a in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114 #2 0x564bf3b65980 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:444 #3 0x564bf3b56d0b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343 #4 0x564bf3b44e14 in std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) (/home/luna/tmp/debug/out/svgpp_agg_render+0x140fe14) #5 0x564bf3b372ee in std::vector<unsigned char, std::allocator<unsigned char> >::resize(unsigned long) (/home/luna/tmp/debug/out/svgpp_agg_render+0x14022ee) #6 0x564bf3b2b239 in ImageBuffer::setSize(int, int, agg::rgba8T<agg::linear> const&) (/home/luna/tmp/debug/out/svgpp_agg_render+0x13f6239) #7 0x564bf3b2d6a0 in Canvas::set_viewport(double, double, double, double) (/home/luna/tmp/debug/out/svgpp_agg_render+0x13f86a0) #8 0x564bf3d41cc4 in void svgpp::policy::viewport_events::forward_to_method<Canvas>::set_viewport<double>(Canvas&, double, double, double, double) (/home/luna/tmp/debug/out/svgpp_agg_render+0x160ccc4) #9 0x564bf3ce4332 in _ZN5svgpp26viewport_transform_adapter12set_viewportIKNS_6detail23adapted_context_wrapperIKNS2_31bind_context_parameters_wrapperI6CanvasN5boost9parameter3aux8arg_listINS_15viewport_policyINS_6policy8viewport12as_transformEEENS9_INS_26attribute_traversal_policyI19attribute_traversalEENS9_INS_14markers_policyINSB_7markers16calculate_alwaysEEENS9_INS_12error_policyINSB_5error14default_policyI8StylableEEEENS9_INS_18path_events_policyINSB_11path_events17forward_to_methodI4PathEEEENS9_INS_23transform_events_policyINSB_16transform_events17forward_to_methodI13TransformableEEEENS9_INS_33document_traversal_control_policyI24DocumentTraversalControlEENS9_INS_11path_policyI11path_policyEENS9_INS_20processed_attributesI20processed_attributesEENS9_INS_18processed_elementsI18processed_elementsEENS9_INS_13color_factoryINS_7factory5color18percentage_adapterI20color_factory_base_tEEEENS9_INS_13length_policyINSB_6length17forward_to_methodIS5_KNS1H_6length8unitlessIddNS_3tag12length_units2mmEEEEEEENS9_INS_17context_factoriesI23child_context_factoriesEENS9_INS_19referencing_elementIvEENS8_14empty_arg_listEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEENS_17transform_adapterIS11_NSB_9transform6matrixES12_dvEENS1S_23transform_events_policyENS10_IS2O_EEEEdEEvRT_T0_S2V_S2V_S2V_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x15af332) #10 0x564bf3c80b88 in _ZNK5svgpp26calculate_viewport_adapterINS_3tag7element3svgEvddE18on_exit_attributesIKNS_6detail23adapted_context_wrapperIKNS6_31bind_context_parameters_wrapperI6CanvasN5boost9parameter3aux8arg_listINS_15viewport_policyINS_6policy8viewport12as_transformEEENSD_INS_26attribute_traversal_policyI19attribute_traversalEENSD_INS_14markers_policyINSF_7markers16calculate_alwaysEEENSD_INS_12error_policyINSF_5error14default_policyI8StylableEEEENSD_INS_18path_events_policyINSF_11path_events17forward_to_methodI4PathEEEENSD_INS_23transform_events_policyINSF_16transform_events17forward_to_methodI13TransformableEEEENSD_INS_33document_traversal_control_policyI24DocumentTraversalControlEENSD_INS_11path_policyI11path_policyEENSD_INS_20processed_attributesI20processed_attributesEENSD_INS_18processed_elementsI18processed_elementsEENSD_INS_13color_factoryINS_7factory5color18percentage_adapterI20color_factory_base_tEEEENSD_INS_13length_policyINSF_6length17forward_to_methodIS9_KNS1L_6length8unitlessIddNS1_12length_units2mmEEEEEEENSD_INS_17context_factoriesI23child_context_factoriesEENSD_INS_19referencing_elementIvEENSC_14empty_arg_listEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEKNS7_IS2N_NS_17transform_adapterIS15_NSF_9transform6matrixES16_dvEENS1_23transform_events_policyENS14_IS2R_EEEENS1_22viewport_events_policyENS_26viewport_transform_adapterEEEEEbRT_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x154bb88) #11 0x564bf3c454fd in _ZN5svgpp6detail24viewport_transform_stateINS_26calculate_viewport_adapterINS_3tag7element3svgEvddEEE18on_exit_attributesIKNS0_31bind_context_parameters_wrapperI6CanvasN5boost9parameter3aux8arg_listINS_15viewport_policyINS_6policy8viewport12as_transformEEENSE_INS_26attribute_traversal_policyI19attribute_traversalEENSE_INS_14markers_policyINSG_7markers16calculate_alwaysEEENSE_INS_12error_policyINSG_5error14default_policyI8StylableEEEENSE_INS_18path_events_policyINSG_11path_events17forward_to_methodI4PathEEEENSE_INS_23transform_events_policyINSG_16transform_events17forward_to_methodI13TransformableEEEENSE_INS_33document_traversal_control_policyI24DocumentTraversalControlEENSE_INS_11path_policyI11path_policyEENSE_INS_20processed_attributesI20processed_attributesEENSE_INS_18processed_elementsI18processed_elementsEENSE_INS_13color_factoryINS_7factory5color18percentage_adapterI20color_factory_base_tEEEENSE_INS_13length_policyINSG_6length17forward_to_methodISA_KNS1M_6length8unitlessIddNS3_12length_units2mmEEEEEEENSE_INS_17context_factoriesI23child_context_factoriesEENSE_INS_19referencing_elementIvEENSD_14empty_arg_listEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEbRT_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x15104fd) #12 0x564bf3c0a96b in bool svgpp::detail::on_exit_attributes_functor<Canvas, svgpp::referencing_element<void>, svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::operator()<svgpp::detail::viewport_transform_state<svgpp::calculate_viewport_adapter<svgpp::tag::element::svg, void, double, double> > >(bool, svgpp::detail::viewport_transform_state<svgpp::calculate_viewport_adapter<svgpp::tag::element::svg, void, double, double> >&) const (/home/luna/tmp/debug/out/svgpp_agg_render+0x14d596b) #13 0x564bf3be3f79 in _ZN5boost6fusion6detail7it_foldINS0_15vector_iteratorINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS5_26calculate_viewport_adapterINS5_3tag7element3svgEvddEEEEEEELi0EEENS_13add_referenceIKbEENS6_26on_exit_attributes_functorI6CanvasJNS5_19referencing_elementIvEENS5_17context_factoriesI23child_context_factoriesEENS5_13length_policyINS5_6policy6length17forward_to_methodISK_KNS5_7factory6length8unitlessIddNS9_12length_units2mmEEEEEEENS5_13color_factoryINSU_5color18percentage_adapterI20color_factory_base_tEEEENS5_18processed_elementsI18processed_elementsEENS5_20processed_attributesI20processed_attributesEENS5_11path_policyI11path_policyEENS5_33document_traversal_control_policyI24DocumentTraversalControlEENS5_23transform_events_policyINSR_16transform_events17forward_to_methodI13TransformableEEEENS5_18path_events_policyINSR_11path_events17forward_to_methodI4PathEEEENS5_12error_policyINSR_5error14default_policyI8StylableEEEENS5_14markers_policyINSR_7markers16calculate_alwaysEEENS5_26attribute_traversal_policyI19attribute_traversalEENS5_15viewport_policyINSR_8viewport12as_transformEEEEEELi1EEENS_16lazy_enable_if_cIXneT2_Li0EENS1_17result_of_it_foldIXT2_ET_T0_T1_vEEE4typeEN4mpl_4int_IXT2_EEERKS2H_NS2I_4typeERS2J_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x14aef79) #14 0x564bf3bc3af6 in _ZN5boost6fusion6detail4foldINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS4_26calculate_viewport_adapterINS4_3tag7element3svgEvddEEEEEEEKbNS5_26on_exit_attributes_functorI6CanvasJNS4_19referencing_elementIvEENS4_17context_factoriesI23child_context_factoriesEENS4_13length_policyINS4_6policy6length17forward_to_methodISG_KNS4_7factory6length8unitlessIddNS8_12length_units2mmEEEEEEENS4_13color_factoryINSQ_5color18percentage_adapterI20color_factory_base_tEEEENS4_18processed_elementsI18processed_elementsEENS4_20processed_attributesI20processed_attributesEENS4_11path_policyI11path_policyEENS4_33document_traversal_control_policyI24DocumentTraversalControlEENS4_23transform_events_policyINSN_16transform_events17forward_to_methodI13TransformableEEEENS4_18path_events_policyINSN_11path_events17forward_to_methodI4PathEEEENS4_12error_policyINSN_5error14default_policyI8StylableEEEENS4_14markers_policyINSN_7markers16calculate_alwaysEEENS4_26attribute_traversal_policyI19attribute_traversalEENS4_15viewport_policyINSN_8viewport12as_transformEEEEEEEENS1_14result_of_foldIT_T0_T1_XsrNS0_6traits11is_sequenceIS2C_EE5valueEXsrNS2F_12is_segmentedIS2C_EE5valueEE4typeERS2C_RS2D_RS2E_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x148eaf6) #15 0x564bf3ba6f4f in _ZN5boost6fusion4foldINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS3_26calculate_viewport_adapterINS3_3tag7element3svgEvddEEEEEEEbNS4_26on_exit_attributes_functorI6CanvasJNS3_19referencing_elementIvEENS3_17context_factoriesI23child_context_factoriesEENS3_13length_policyINS3_6policy6length17forward_to_methodISE_KNS3_7factory6length8unitlessIddNS7_12length_units2mmEEEEEEENS3_13color_factoryINSO_5color18percentage_adapterI20color_factory_base_tEEEENS3_18processed_elementsI18processed_elementsEENS3_20processed_attributesI20processed_attributesEENS3_11path_policyI11path_policyEENS3_33document_traversal_control_policyI24DocumentTraversalControlEENS3_23transform_events_policyINSL_16transform_events17forward_to_methodI13TransformableEEEENS3_18path_events_policyINSL_11path_events17forward_to_methodI4PathEEEENS3_12error_policyINSL_5error14default_policyI8StylableEEEENS3_14markers_policyINSL_7markers16calculate_alwaysEEENS3_26attribute_traversal_policyI19attribute_traversalEENS3_15viewport_policyINSL_8viewport12as_transformEEEEEEEENS0_9result_of4foldIT_KT0_T1_E4typeERS2B_RS2D_S2E_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x1471f4f) #16 0x564bf3b95810 in _ZN5boost6fusion10accumulateINS0_6vectorIJN5svgpp6detail24viewport_transform_stateINS3_26calculate_viewport_adapterINS3_3tag7element3svgEvddEEEEEEEbNS4_26on_exit_attributes_functorI6CanvasJNS3_19referencing_elementIvEENS3_17context_factoriesI23child_context_factoriesEENS3_13length_policyINS3_6policy6length17forward_to_methodISE_KNS3_7factory6length8unitlessIddNS7_12length_units2mmEEEEEEENS3_13color_factoryINSO_5color18percentage_adapterI20color_factory_base_tEEEENS3_18processed_elementsI18processed_elementsEENS3_20processed_attributesI20processed_attributesEENS3_11path_policyI11path_policyEENS3_33document_traversal_control_policyI24DocumentTraversalControlEENS3_23transform_events_policyINSL_16transform_events17forward_to_methodI13TransformableEEEENS3_18path_events_policyINSL_11path_events17forward_to_methodI4PathEEEENS3_12error_policyINSL_5error14default_policyI8StylableEEEENS3_14markers_policyINSL_7markers16calculate_alwaysEEENS3_26attribute_traversal_policyI19attribute_traversalEENS3_15viewport_policyINSL_8viewport12as_transformEEEEEEEENS0_9result_of10accumulateIT_KT0_T1_E4typeERS2B_RS2D_S2E_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x1460810) #17 0x564bf3b81846 in svgpp::detail::viewport_attribute_dispatcher<svgpp::tag::element::svg, Canvas, svgpp::referencing_element<void>, svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::on_exit_attributes() (/home/luna/tmp/debug/out/svgpp_agg_render+0x144c846) #18 0x564bf3b704bc in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_attributes<void, rapidxml_ns::xml_node<char> const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node<char> const* const&, Canvas&, svgpp::tag::element::svg) (/home/luna/tmp/debug/out/svgpp_agg_render+0x143b4bc) #19 0x564bf3b5f548 in _ZN5svgpp18document_traversalIJNS_17context_factoriesI23child_context_factoriesEENS_13length_policyINS_6policy6length17forward_to_methodI6CanvasKNS_7factory6length8unitlessIddNS_3tag12length_units2mmEEEEEEENS_13color_factoryINS9_5color18percentage_adapterI20color_factory_base_tEEEENS_18processed_elementsI18processed_elementsEENS_20processed_attributesI20processed_attributesEENS_11path_policyI11path_policyEENS_33document_traversal_control_policyI24DocumentTraversalControlEENS_23transform_events_policyINS5_16transform_events17forward_to_methodI13TransformableEEEENS_18path_events_policyINS5_11path_events17forward_to_methodI4PathEEEENS_12error_policyINS5_5error14default_policyI8StylableEEEENS_14markers_policyINS5_7markers16calculate_alwaysEEENS_26attribute_traversal_policyI19attribute_traversalEENS_15viewport_policyINS5_8viewport12as_transformEEEEE12load_elementIN5boost3mpl6s_itemINSC_7element14linearGradientENS1Y_INS1Z_14radialGradientENS1Y_INS1Z_4defsENS1Y_INS1Z_1gENS1Y_INS1Z_3svgENS1Y_INS1Z_6symbolENS1Y_INS1Z_4use_ENS1Y_INS1Z_6circleENS1Y_INS1Z_7ellipseENS1Y_INS1Z_4lineENS1Y_INS1Z_4pathENS1Y_INS1Z_7polygonENS1Y_INS1Z_8polylineENS1Y_INS1Z_4rectENS1Y_INS1Z_4descENS1Y_INS1Z_8metadataENS1Y_INS1Z_5titleENS1Y_INS1Z_7animateENS1Y_INS1Z_12animateColorENS1Y_INS1Z_13animateMotionENS1Y_INS1Z_16animateTransformENS1Y_INS1Z_3setENS1Y_INS1Z_4viewENS1Y_INS1Z_4textENS1Y_INS1Z_7switch_ENS1Y_INS1Z_5styleENS1Y_INS1Z_6scriptENS1Y_INS1Z_7patternENS1Y_INS1Z_4maskENS1Y_INS1Z_6markerENS1Y_INS1Z_5imageENS1Y_INS1Z_13foreignObjectENS1Y_INS1Z_9font_faceENS1Y_INS1Z_4fontENS1Y_INS1Z_6filterENS1Y_INS1Z_6cursorENS1Y_INS1Z_13color_profileENS1Y_INS1Z_8clipPathENS1Y_INS1Z_11altGlyphDefENS1Y_INS1Z_1aENS1X_4set0IN4mpl_2naEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEvPKN11rapidxml_ns8xml_nodeIcEES8_S24_EEbRKT1_RT2_T3_ (/home/luna/tmp/debug/out/svgpp_agg_render+0x142a548) #20 0x564bf3b4e50a in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_expected_element<rapidxml_ns::xml_node<char> const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node<char> const* const&, Canvas&, svgpp::tag::element::svg) (/home/luna/tmp/debug/out/svgpp_agg_render+0x141950a) #21 0x564bf3b3e3ee in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy<DocumentTraversalControl>, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method<Transformable> >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method<Path> >, svgpp::error_policy<svgpp::policy::error::default_policy<Stylable> >, svgpp::markers_policy<svgpp::policy::markers::calculate_always>, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policy<svgpp::policy::viewport::as_transform> >::load_document<rapidxml_ns::xml_node<char> const*, Canvas>(rapidxml_ns::xml_node<char> const* const&, Canvas&) (/home/luna/tmp/debug/out/svgpp_agg_render+0x14093ee) #22 0x564bf3b16d13 in renderDocument(XMLDocument&, ImageBuffer&) /home/ubuntu/svgpp/src/demo/render/svgpp_render.cpp:1659 #23 0x564bf3b16fe0 in main /home/ubuntu/svgpp/src/demo/render/svgpp_render.cpp:1683 #24 0x7f4b57a56b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a) SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/luna/tmp/debug/out/svgpp_agg_render+0x14105a7) in agg::pixfmt_alpha_blend_rgba<agg::blender_rgba<agg::rgba8T<agg::linear>, agg::order_rgba>, agg::row_accessor<unsigned char> >::copy_hline(int, int, unsigned int, agg::rgba8T<agg::linear> const&) Shadow bytes around the buggy address: 0x0fe9ea8b7e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9ea8b7e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9ea8b7e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9ea8b7e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9ea8b7e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe9ea8b7ea0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9ea8b7eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9ea8b7ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9ea8b7ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9ea8b7ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9ea8b7ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==17669==ABORTINGPOC :
https://github.com/Taolaw/POC/blob/master/svgpp/heap-buffer-overflow.svg
2. oob-read in svgpp_agg_render
ASAN :
$ ./svgpp_agg_render oob-read.svg out.bmp AddressSanitizer:DEADLYSIGNAL ================================================================= ==18299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x561e2dead739 bp 0x7fff45068560 sp 0x7fff45068550 T0) ==18299==The signal is caused by a READ memory access. ==18299==Hint: address points to the zero page. #0 0x561e2dead738 in agg::row_accessor<unsigned char>::stride() const (/home/luna/tmp/debug/out/svgpp_agg_render+0x1410738) #1 0x561e2de9f6ff in agg::pixfmt_alpha_blend_rgba<agg::blender_rgba<agg::rgba8T<agg::linear>, agg::order_rgba>, agg::row_accessor<unsigned char> >::stride() const (/home/luna/tmp/debug/out/svgpp_agg_render+0x14026ff) #2 0x561e2de7f043 in main /home/ubuntu/svgpp/src/demo/render/svgpp_render.cpp:1709 #3 0x7f38956adb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a) #4 0x561e2de6c8ed in _start (/home/luna/tmp/debug/out/svgpp_agg_render+0x13cf8ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/home/luna/tmp/debug/out/svgpp_agg_render+0x1410738) in agg::row_accessor<unsigned char>::stride() const ==18299==ABORTINGPOC :
https://github.com/Taolaw/POC/blob/master/svgpp/oob-read.svg
3. oob-read-2 in svgpp_agg_render
ASAN :
./svgpp_agg_render oob-read-2.svg out.bmp AddressSanitizer:DEADLYSIGNAL ================================================================= ==18374==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c3b0c03bfd bp 0x7fffed9201b0 sp 0x7fffed9201a0 T0) ==18374==The signal is caused by a READ memory access. ==18374==Hint: address points to the zero page. #0 0x55c3b0c03bfc in rapidxml_ns::xml_base<char>::local_name() const /home/ubuntu/svgpp/src/demo/render/../../../third_party/rapidxml_ns/rapidxml_ns.hpp:882 #1 0x55c3b0bf2e5f in svgpp::policy::xml::element_iterator<rapidxml_ns::xml_node<char> const*>::get_local_name(rapidxml_ns::xml_node<char> const*) /home/ubuntu/svgpp/src/demo/render/../../../include/svgpp/policy/xml/rapidxml_ns.hpp:127 AddressSanitizer:DEADLYSIGNAL AddressSanitizer: nested bug in the same thread, aborting.POC :
https://github.com/Taolaw/POC/blob/master/svgpp/oob-read-2.svg
The text was updated successfully, but these errors were encountered: