lieff / lvg
Lion Vector Graphics
License: Creative Commons Zero v1.0 Universal
Hi team,
Some crashes were found while fuzz testing the lvg_test binary which can be triggered via malformed LVG and SWF files. Although these malformed files only crash the program, they could potentially be crafted further into security issues where these kinds of files would be able to compromise the process's memory through memory corruption, so hardening the code to prevent these kinds of bugs would be great to mitigate such issues.
See details below for repro and debug information.
Repro
crash.lvg.txt
$ lvg_test crash.lvg
Segmentation fault (core dumped)
$ gdb -q lvg_test
Reading symbols from lvg_test...
(No debugging symbols found in lvg_test)
(gdb) r crash.lvg
Starting program: lvg_test crash.lvg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x000055555558710c in ?? ()
(gdb) bt
#0 0x000055555558710c in ()
#1 0x00000006555bdb88 in ()
#2 0x00007fffefb5a000 in ()
#3 0x0000000000000000 in ()
(gdb) i r
rax 0x0 0
rbx 0x800005b5b7a1 140737584150433
rcx 0x7fffefb5a000 140737215045632
rdx 0x6 6
rsi 0x55555558e285 93824992469637
rdi 0x7fffefb859f4 140737215224308
rbp 0x7fffefb859c6 0x7fffefb859c6
rsp 0x7fffffffe140 0x7fffffffe140
r8 0x7fffffffe298 140737488347800
r9 0x1 1
r10 0x5555555badf0 93824992652784
r11 0x6 6
r12 0x0 0
r13 0x6 6
r14 0x0 0
r15 0x55555558e285 93824992469637
rip 0x55555558710c 0x55555558710c
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x55555558710c: cmpl $0x4034b50,(%rbx)
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 74993a72678549a3afd2dedf9f67d2c5.74993a72678549a3afd2dedf9f67d2c5
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: AccessViolation (21/22)
Repro
crash.swf.txt
$ lvg_test crash.swf
free(): invalid next size (fast)
Aborted (core dumped)
$ gdb -q lvg_test
Reading symbols from lvg_test...
(No debugging symbols found in lvg_test)
(gdb) r crash.swf
Starting program: lvg_test crash.swf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
free(): invalid next size (fast)
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7dd5859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e403ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f6a285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7e4847c in malloc_printerr (str=str@entry=0x7ffff7f6c600 "free(): invalid next size (fast)") at malloc.c:5347
#4 0x00007ffff7e49d2c in _int_free (av=0x7ffff7f9bb80 <main_arena>, p=0x5555555bb4b0, have_lock=0) at malloc.c:4249
#5 0x0000555555586c3b in ()
#6 0x00007fffffffe298 in ()
#7 0x0000000000000176 in ()
#8 0x0000000000000000 in ()
(gdb) i r
rax 0x0 0
rbx 0x7fffefb8be40 140737215249984
rcx 0x7ffff7df618b 140737351999883
rdx 0x0 0
rsi 0x7fffffffddc0 140737488346560
rdi 0x2 2
rbp 0x7fffffffe110 0x7fffffffe110
rsp 0x7fffffffddc0 0x7fffffffddc0
r8 0x0 0
r9 0x7fffffffddc0 140737488346560
r10 0x8 8
r11 0x246 582
r12 0x7fffffffe030 140737488347184
r13 0x10 16
r14 0x7ffff7ffb000 140737354117120
r15 0x1 1
rip 0x7ffff7df618b 0x7ffff7df618b <__GI_raise+203>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x7ffff7df618b <__GI_raise+203>: mov 0x108(%rsp),%rax
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 75e3432b00f849a15e4751fc016bf27b.2d530e50f9061d0333ac98fc1ba1d5f2
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: HeapError (10/22), AbortSignal (20/22)
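The two traces above show the two classic parser failure modes: the first faults on `cmpl $0x4034b50,(%rbx)` with %rbx holding a non-mapped pointer, i.e. a read outside the input buffer while checking a signature (0x04034b50 is the ZIP local file header signature "PK\3\4"), and the second dies in `free()` with "invalid next size", which is glibc noticing that the heap chunk after an allocation has been overwritten, the usual symptom of a write past the end of a buffer sized from a length field the file controls. The following is an added example of the hardening the report asks for; it is not lvg's code, and the record layout (magic, little-endian length, payload), the `CHUNK_MAX_PAYLOAD` limit and all function names are assumptions made for illustration. Every read goes through a cursor that compares against the bytes actually remaining before touching memory, and a declared length is checked against both the input and the destination before any copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the bounded reader (hypothetical names). */
enum { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_MAGIC, PARSE_BAD_LENGTH };

/* 0x04034b50 is the ZIP local-file-header signature "PK\3\4", the value the
   first backtrace compares through a bogus pointer. */
#define CHUNK_MAGIC        0x04034b50u
/* Assumed upper bound on a payload; the real format's limit is not on the page. */
#define CHUNK_MAX_PAYLOAD  (16u * 1024u * 1024u)

/* Cursor over an in-memory file: every read checks remaining bytes first. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } reader_t;

static int rd_u32le(reader_t *r, uint32_t *out)
{
    if (r->len - r->pos < 4)            /* check before forming data+pos+4 */
        return 0;
    const uint8_t *p = r->data + r->pos;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    r->pos += 4;
    return 1;
}

/* Parse one [magic:u32][len:u32][payload:len bytes] record. On PARSE_OK,
   *payload points into buf and *payload_len is guaranteed <= bytes present. */
int parse_chunk(const uint8_t *buf, size_t buf_len,
                const uint8_t **payload, uint32_t *payload_len)
{
    reader_t r = { buf, buf_len, 0 };
    uint32_t magic, len;
    if (!rd_u32le(&r, &magic))   return PARSE_TRUNCATED;
    if (magic != CHUNK_MAGIC)    return PARSE_BAD_MAGIC;
    if (!rd_u32le(&r, &len))     return PARSE_TRUNCATED;
    if (len > CHUNK_MAX_PAYLOAD) return PARSE_BAD_LENGTH;   /* absurd size from the file */
    if (len > r.len - r.pos)     return PARSE_TRUNCATED;    /* declared > actually present */
    *payload = r.data + r.pos;
    *payload_len = len;
    return PARSE_OK;
}

/* Copy the payload into a caller-owned buffer. "free(): invalid next size" in
   the second trace is what a write past an allocation looks like later on;
   comparing len against dst_cap before memcpy is the check that prevents it. */
int copy_chunk_payload(const uint8_t *buf, size_t buf_len,
                       uint8_t *dst, size_t dst_cap, size_t *copied)
{
    const uint8_t *payload; uint32_t len;
    int st = parse_chunk(buf, buf_len, &payload, &len);
    if (st != PARSE_OK) return st;
    if (len > dst_cap) return PARSE_BAD_LENGTH;
    memcpy(dst, payload, len);
    *copied = len;
    return PARSE_OK;
}

/* Constructed sample inputs (not real LVG or SWF files, not the fuzzer's crash files). */
static const uint8_t SAMPLE_OK[]       = { 0x50,0x4b,0x03,0x04, 3,0,0,0, 'a','b','c' };
static const uint8_t SAMPLE_SHORT[]    = { 0x50,0x4b,0x03,0x04, 3,0 };                 /* header cut off */
static const uint8_t SAMPLE_NOMAGIC[]  = { 0,0,0,0, 3,0,0,0, 'a','b','c' };
static const uint8_t SAMPLE_OVERLONG[] = { 0x50,0x4b,0x03,0x04, 100,0,0,0, 'a','b','c' }; /* len > bytes present */
static const uint8_t SAMPLE_HUGE[]     = { 0x50,0x4b,0x03,0x04, 0xf0,0xff,0xff,0xff, 'a','b','c' };

/* Wrappers returning only the status, for the demo below and for tests. */
int chunk_status(const uint8_t *buf, size_t buf_len)
{
    const uint8_t *p; uint32_t n;
    return parse_chunk(buf, buf_len, &p, &n);
}

int copy_status(const uint8_t *buf, size_t buf_len, size_t dst_cap)
{
    uint8_t dst[64];
    size_t copied = 0;
    if (dst_cap > sizeof dst) dst_cap = sizeof dst;   /* demo buffer is fixed-size */
    return copy_chunk_payload(buf, buf_len, dst, dst_cap, &copied);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad magic", "bad length" };
    printf("ok       -> %s\n", names[chunk_status(SAMPLE_OK, sizeof SAMPLE_OK)]);
    printf("short    -> %s\n", names[chunk_status(SAMPLE_SHORT, sizeof SAMPLE_SHORT)]);
    printf("nomagic  -> %s\n", names[chunk_status(SAMPLE_NOMAGIC, sizeof SAMPLE_NOMAGIC)]);
    printf("overlong -> %s\n", names[chunk_status(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG)]);
    printf("huge     -> %s\n", names[chunk_status(SAMPLE_HUGE, sizeof SAMPLE_HUGE)]);
    printf("copy into 2 bytes -> %s\n", names[copy_status(SAMPLE_OK, sizeof SAMPLE_OK, 2)]);
    return 0;
}
```

The point of the cursor is that the remaining-bytes arithmetic (`len - pos`) never overflows because `pos` only advances after a successful check, so a length field of 0xfffffff0 or a file shorter than its own header is rejected with a status code instead of an out-of-bounds read or write. Building lvg_test with AddressSanitizer (`-fsanitize=address`) while fuzzing also turns the silent out-of-bounds accesses behind both traces into immediate, precisely located reports.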
tcc:
tcc needs heavy modifications for web, needs modifications to sandbox file io, has ABI issues.
picoc:
picoc does not support floats (only doubles) or function pointers, and is slow.
Possible alternatives:
Ideally we need a script->bytecode translator (reuse AVM1?), so the player needs to support only bytecode: easy sandbox, normal speed, and compiler fixes do not affect already installed players.
Useful links:
https://github.com/r-lyeh-archived/scriptorium
https://github.com/dbohdan/embedded-scripting-languages
This is a neat endeavor! But what do the future plans look like?
Btw, in the section Interesting graphics libraries in the readme I couldn't find the most advanced (yet very lightweight) library as of now: Blend2D (quality superior to even Antigrain; performance close to theoretical limit; ARM support is still alpha/beta though).
I wonder whether a site similar to https://vidkidz.github.io/ would help users to test LVG and report issues with it.
Many thanks for your excellent work.
Want to be able to build the interface in SVG and bind events intervally...