agambier / libsvg2
C Library to parse and render SVG files.
POC:
https://pan.baidu.com/s/1_V7Y8oZt2qBO2QUvlyLZrA
Description:
Dead Block DoS: a malloc operation is done in this dead block, which will lead to the system's memory being wasted and finally may lead to the collapse of the system.
ptPathCmd = svgNewPathCommand( g_atPathCommandFormat[ uiCmdIdx ].tId );
uiCmdIdx is always set to 18
const char* svgGetNextPathField( const char *szData, char *szField )
{
    const char *szStart = NULL, *szEnd = NULL;

    if( szData==NULL || szField==NULL )
        return NULL;

    szField[ 0 ] = '\0';

    // FIXME: Make sure that this "M100,100L200,500" will be parsed...

    // Search for the start of the field
    szStart = szData;
    while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
        szStart ++;
    }
    if( *szStart=='\0' )
        return NULL;

    // Search for the end
    szEnd = szStart + 1;
    while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
        szEnd ++;
    }

    strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
    szField[ szEnd - szStart ] = 0;

    return szStart;
}
If none of the branches can affect the value of szStart, szStart will return the same value that was delivered as a parameter. Unfortunately, a malloc operation is done in this dead block, which will lead to the system's memory being wasted and finally may lead to the collapse of the system.
POC:
https://pan.baidu.com/s/1jVZghI-9fabwDuOAs6xAcg
ASAN:
https://pan.baidu.com/s/1WrFXobw05-t1EpJpceZ-gA
Description:
If szEnd can't hit the following check within a proper range, the copy size of strncpy may be too large, which will directly cause a stack overflow. If the lib is used by a browser, RCE is possible!
const char* svgGetNextPathField( const char *szData, char *szField )
{
    const char *szStart = NULL, *szEnd = NULL;

    if( szData==NULL || szField==NULL )
        return NULL;

    szField[ 0 ] = '\0';

    // FIXME: Make sure that this "M100,100L200,500" will be parsed...

    // Search for the start of the field
    szStart = szData;
    while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
        szStart ++;
    }
    if( *szStart=='\0' )
        return NULL;

    // Search for the end
    szEnd = szStart + 1;
    while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
        szEnd ++;
    }

    strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
    szField[ szEnd - szStart ] = 0;

    return szStart;
}
    while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
        szEnd ++;
    }
char *szValue, szField[ 16 ];
szFieldStart = svgGetNextPathField( szFieldStart, szField );
pwndbg> p ptPathCmd
$31 = (svgPathCommand *) 0x313131313131312d
pwndbg> p ptLastPathCmd
$33 = (svgPathCommand *) 0x333233322d333132
The saved $rbp and return address have been overwritten; when bypassing the POC crash error, $ip will be controlled.
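The two reports above (the caller never advancing because szStart is returned, and the unbounded strncpy into a 16-byte szField) share one root cause: the field reader neither bounds its copy nor moves past the field. The following is an added example, not libsvg2's code, of a variant that does both; the extra size parameter, the `Bounded` suffix and the svgCountPathFields driver are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Delimiters the original reader skips between path fields. */
static const char SVG_FIELD_DELIMS[] = "\t\r\n ,";
/* Bounded, advancing variant of svgGetNextPathField (added example, not the
 * library's code). uiFieldSize is the capacity of szField including the
 * terminator. Returns a pointer just past the field, or NULL when no field
 * remains or the field would not fit in szField. */
const char *svgGetNextPathFieldBounded( const char *szData, char *szField,
                                        size_t uiFieldSize )
{
    const char *szStart, *szEnd;
    size_t uiLen;
    if( szData==NULL || szField==NULL || uiFieldSize==0 )
        return NULL;
    szField[ 0 ] = '\0';
    szStart = szData;                    /* skip leading delimiters */
    while( *szStart!='\0' && strchr( SVG_FIELD_DELIMS, *szStart )!=NULL )
        szStart ++;
    if( *szStart=='\0' )
        return NULL;
    szEnd = szStart + 1;                 /* find the end of the field */
    while( *szEnd!='\0' && strchr( SVG_FIELD_DELIMS, *szEnd )==NULL )
        szEnd ++;
    uiLen = ( size_t )( szEnd - szStart );
    if( uiLen >= uiFieldSize )           /* would overflow szField: refuse */
        return NULL;
    memcpy( szField, szStart, uiLen );
    szField[ uiLen ] = '\0';
    return szEnd;                        /* not szStart: the caller advances */
}

/* Caller in the style of the report's loop, with the same 16-byte szField.
 * Counts the fields of a path string; returns -1 if a field was rejected. */
int svgCountPathFields( const char *szPath )
{
    char szField[ 16 ];
    const char *szNext, *szFieldStart = szPath;
    int iCount = 0;
    while( *szFieldStart!='\0' ) {
        szNext = svgGetNextPathFieldBounded( szFieldStart, szField, sizeof szField );
        if( szNext==NULL )               /* end of input, or an oversized field */
            return strspn( szFieldStart, SVG_FIELD_DELIMS )==strlen( szFieldStart )
                   ? iCount : -1;
        szFieldStart = szNext;
        iCount ++;
    }
    return iCount;
}
```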
ASAN: https://pan.baidu.com/s/1PkaKUDN5p08FEU0ANflUQg
POC: https://pan.baidu.com/s/1d6txGGMKINmIWWLSVjwORw
EXP: https://pan.baidu.com/s/1S4uNtdBtGmTK5p47BGI8Mg password:i5n2
Description:
An sscanf operation without a check of the string length, which may lead to a stack overflow. When this lib is used to parse SVG by a browser, RCE is possible.
void svgStringToLength( const char *szValue, svgLength *ptLength )
{
    char szUnit[ 8 ] = "";

    if( szValue==NULL || ptLength==NULL )
        return;

    memset( ptLength, 0, sizeof( *ptLength ) );
    sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );
    SVG_DEBUG_PRINTF( "Value %#.4f\n", ptLength->fValue );

    ptLength->tUnit = SVG_LENGTH_UNIT_NONE;
    if( szUnit[ 0 ]=='\0' )
        return;

    if( strcmp( szUnit, "em" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_EM;
    else if( strcmp( szUnit, "ex" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_EX;
    else if( strcmp( szUnit, "in" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_IN;
    else if( strcmp( szUnit, "cm" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_CM;
    else if( strcmp( szUnit, "mm" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_MM;
    else if( strcmp( szUnit, "pt" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PT;
    else if( strcmp( szUnit, "pc" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PC;
    else if( strcmp( szUnit, "%" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PERCENT;
    else if( strcmp( szUnit, "px" )==0 )
        ptLength->tUnit = SVG_LENGTH_UNIT_PX;
}
sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );
This function call doesn't check the string in szValue, which can lead to a stack overflow!
debug image: https://pan.baidu.com/s/10dvIlFtXydbwb0egxeXXGg
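The unbounded `%s` into the 8-byte szUnit is the whole problem in the report above. As an added example, not libsvg2's code, here is the same routine with the conversion width limited to the buffer and the sscanf return value checked; the svgLength struct, the unit enum and the `Safe` suffix are local stand-ins assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for libsvg2's svgLength types (assumed, not the library's). */
typedef enum { SVG_LENGTH_UNIT_NONE, SVG_LENGTH_UNIT_EM, SVG_LENGTH_UNIT_EX,
               SVG_LENGTH_UNIT_IN, SVG_LENGTH_UNIT_CM, SVG_LENGTH_UNIT_MM,
               SVG_LENGTH_UNIT_PT, SVG_LENGTH_UNIT_PC, SVG_LENGTH_UNIT_PERCENT,
               SVG_LENGTH_UNIT_PX } svgLengthUnit;
typedef struct { float fValue; svgLengthUnit tUnit; } svgLength;

/* Bounded rewrite of svgStringToLength (added example). Returns 1 on success,
 * 0 when no number could be read or the unit suffix is not recognised. */
int svgStringToLengthSafe( const char *szValue, svgLength *ptLength )
{
    static const struct { const char *szName; svgLengthUnit tUnit; } atUnits[] = {
        { "em", SVG_LENGTH_UNIT_EM }, { "ex", SVG_LENGTH_UNIT_EX },
        { "in", SVG_LENGTH_UNIT_IN }, { "cm", SVG_LENGTH_UNIT_CM },
        { "mm", SVG_LENGTH_UNIT_MM }, { "pt", SVG_LENGTH_UNIT_PT },
        { "pc", SVG_LENGTH_UNIT_PC }, { "%",  SVG_LENGTH_UNIT_PERCENT },
        { "px", SVG_LENGTH_UNIT_PX },
    };
    char szUnit[ 8 ] = "";
    size_t i;

    if( szValue==NULL || ptLength==NULL )
        return 0;
    memset( ptLength, 0, sizeof( *ptLength ) );

    /* "%7s" reads at most 7 characters into the 8-byte szUnit, so a long
     * suffix is truncated instead of overrunning the stack buffer. */
    if( sscanf( szValue, "%f%7s", &ptLength->fValue, szUnit ) < 1 )
        return 0;                       /* no numeric value at all */

    ptLength->tUnit = SVG_LENGTH_UNIT_NONE;
    if( szUnit[ 0 ]=='\0' )
        return 1;                       /* bare number, no unit */
    for( i = 0; i < sizeof( atUnits ) / sizeof( atUnits[ 0 ] ); i ++ ) {
        if( strcmp( szUnit, atUnits[ i ].szName )==0 ) {
            ptLength->tUnit = atUnits[ i ].tUnit;
            return 1;
        }
    }
    return 0;                           /* unknown (or truncated) unit */
}
```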