libsvg2's Issues

bug1: a DoS Dead Block BUG

POC:
https://pan.baidu.com/s/1_V7Y8oZt2qBO2QUvlyLZrA

Description:
Dead Block DoS: a malloc operation is done inside this dead block, which will lead to the system's memory being wasted and finally may lead to the collapse of the system.

ptPathCmd = svgNewPathCommand( g_atPathCommandFormat[ uiCmdIdx ].tId );
uiCmdIdx is always set to 18

const char* svgGetNextPathField( const char *szData, char *szField )
{
 const char *szStart = NULL, *szEnd = NULL;

 if( szData==NULL || szField==NULL )
  return NULL;

 szField[ 0 ] = '\0';

 // FIXME: Make sure that this "M100,100L200,500" will be parsed...

 // Search for the start of the field
 szStart = szData;
 while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
  szStart ++;
 }

 if( *szStart=='\0' )
  return NULL;

 // Search for the end
 szEnd = szStart + 1;
 while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
  szEnd ++;
 }

 strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
 szField[ szEnd - szStart ] = 0;

 return szStart;
}

If none of the branches that can affect the value of szStart are taken, szStart will be returned with the same value that was delivered as a parameter. Unfortunately, a malloc operation is done inside this dead block, which will lead to the system's memory being wasted and finally may lead to the collapse of the system.

bug2: a stack buffer overflow bug in the parser which may lead to RCE

POC:
https://pan.baidu.com/s/1jVZghI-9fabwDuOAs6xAcg
ASAN:
https://pan.baidu.com/s/1WrFXobw05-t1EpJpceZ-gA

Description:
If szEnd can't hit the check below within the right range, the copy size of strncpy may be too large, which will directly cause a stack overflow. If the lib is used by a browser, RCE is possible!

const char* svgGetNextPathField( const char *szData, char *szField )
{
 const char *szStart = NULL, *szEnd = NULL;

 if( szData==NULL || szField==NULL )
  return NULL;

 szField[ 0 ] = '\0';

 // FIXME: Make sure that this "M100,100L200,500" will be parsed...

 // Search for the start of the field
 szStart = szData;
 while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
  szStart ++;
 }

 if( *szStart=='\0' )
  return NULL;

 // Search for the end
 szEnd = szStart + 1;
 while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
  szEnd ++;
 }

 strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
 szField[ szEnd - szStart ] = 0;

 return szStart;
}
while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
  szEnd ++;
 }
char *szValue, szField[ 16 ];
szFieldStart = svgGetNextPathField( szFieldStart, szField );

pwndbg> p ptPathCmd
$31 = (svgPathCommand *) 0x313131313131312d

pwndbg> p ptLastPathCmd 
$33 = (svgPathCommand *) 0x333233322d333132

The saved $rbp and return address have been overwritten; when bypassing the POC crash error, $ip will be controlled.

debug pic: https://pan.baidu.com/s/1AKFgwFBdQRZZjEdsXb3fWg

bug 3: another stack buffer overflow bug which may lead to RCE

ASAN: https://pan.baidu.com/s/1PkaKUDN5p08FEU0ANflUQg
POC: https://pan.baidu.com/s/1d6txGGMKINmIWWLSVjwORw
EXP: https://pan.baidu.com/s/1S4uNtdBtGmTK5p47BGI8Mg password:i5n2

Description:
An sscanf operation without a check of the string length, which may lead to a stack overflow. When this lib is used by a browser to parse SVG, RCE is possible.

void svgStringToLength( const char *szValue, svgLength *ptLength )
{
 char szUnit[ 8 ] = "";

 if( szValue==NULL || ptLength==NULL )
  return;

 memset( ptLength, 0, sizeof( *ptLength ) );
 sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );

 SVG_DEBUG_PRINTF( "Value %#.4f\n", ptLength->fValue );

 ptLength->tUnit = SVG_LENGTH_UNIT_NONE;
 if( szUnit[ 0 ]=='\0' )
  return;

 if( strcmp( szUnit, "em" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_EM;
 else if( strcmp( szUnit, "ex" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_EX;
 else if( strcmp( szUnit, "in" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_IN;
 else if( strcmp( szUnit, "cm" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_CM;
 else if( strcmp( szUnit, "mm" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_MM;
 else if( strcmp( szUnit, "pt" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PT;
 else if( strcmp( szUnit, "pc" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PC;
 else if( strcmp( szUnit, "%" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PERCENT;
 else if( strcmp( szUnit, "px" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PX;
}

sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );

This function call doesn't check the string in szValue, which can lead to a stack overflow!

debug image: https://pan.baidu.com/s/10dvIlFtXydbwb0egxeXXGg
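The three reports above share two root causes: svgGetNextPathField copies a field of unbounded length into the caller's 16-byte stack buffer and returns szStart, so the caller never advances, and svgStringToLength's "%f%s" has no width limit on the 8-byte szUnit. The following is an added example of hardened versions of both routines, written for this page and not libsvg2's own code or patch; the names safe_next_path_field, safe_parse_length, count_path_fields and the size parameter cbField are assumed.

```c
#include <stdio.h>
#include <string.h>
/* Hardened rewrite of svgGetNextPathField (added example, not libsvg2's code):
 * the destination size is passed in, so a field longer than the caller's char
 * szField[16] is truncated instead of overflowing the stack (bug 2), and it returns
 * the position after the field (szEnd), so a caller that feeds the return value
 * back in always advances instead of re-reading the same field forever (bug 1). */
static int is_sep(char c) { return c=='\t' || c=='\r' || c=='\n' || c==' ' || c==','; }

const char *safe_next_path_field(const char *szData, char *szField, size_t cbField)
{
    const char *szStart, *szEnd;
    size_t len;
    if (szData == NULL || szField == NULL || cbField == 0)
        return NULL;
    szField[0] = '\0';
    szStart = szData;                      /* skip leading separators */
    while (*szStart != '\0' && is_sep(*szStart))
        szStart++;
    if (*szStart == '\0')
        return NULL;
    szEnd = szStart + 1;                   /* scan to the end of the field */
    while (*szEnd != '\0' && !is_sep(*szEnd))
        szEnd++;
    len = (size_t)(szEnd - szStart);
    if (len >= cbField)                    /* too long: truncate, keep room for NUL */
        len = cbField - 1;
    memcpy(szField, szStart, len);
    szField[len] = '\0';
    return szEnd;
}

/* Hardened counterpart of the sscanf in svgStringToLength (bug 3): the width on %s
 * bounds the copy into the 8-byte unit buffer (7 chars + NUL). Returns sscanf's
 * item count: 1 = value only, 2 = value and unit. */
int safe_parse_length(const char *szValue, float *pfValue, char szUnit[8])
{
    szUnit[0] = '\0';
    if (szValue == NULL || pfValue == NULL)
        return 0;
    return sscanf(szValue, "%f%7s", pfValue, szUnit);
}

int count_path_fields(const char *szPath)  /* walks a whole path; terminates on any input */
{
    char szField[16]; int n = 0;
    while ((szPath = safe_next_path_field(szPath, szField, sizeof szField)) != NULL) n++;
    return n;
}
```

The separator set and the FIXME behaviour are kept as posted, so "M100,100L200,500" still yields the fields "M100", "100L200" and "500"; only the copy bound and the return position change.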
