Hello,
I have recently been testing my new fuzz tester, which is named SuperAFL. I found a crash when testing the example in this project.
Description
When executing the function, the application crashes due to dereferencing a high value address. Dereferencing a high value address can lead to program crashes, memory corruption, and security vulnerabilities.
Steps to Reproduce
Compile the application.
Run the application using the following command: ./svg2png poc
poc.zip
Expected Behavior
The expected behavior is to avoid dereferencing high value addresses when executing functions, ensuring that pointers point to valid memory locations to prevent program crashes and other undefined behavior.
Actual Behavior
The application crashes, showing a dereference of a high value address error. Here's the output from AddressSanitizer:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1902738==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000005605b5 bp 0x0000000119e8 sp 0x7ffe9c25d570 T0)
==1902738==The signal is caused by a READ memory access.
==1902738==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x5605b5 in gray_find_cell /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:282:14
#1 0x5605b5 in gray_record_cell /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:313:21
#2 0x5605b5 in gray_set_cell /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:356:9
#3 0x5605b5 in gray_render_line /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:619:5
#4 0x55fb65 in PVG_FT_Outline_Decompose /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:1364:13
#5 0x55fb65 in gray_convert_glyph_inner /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:1474:15
#6 0x55f1ba in gray_convert_glyph /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:1581:17
#7 0x55f1ba in gray_raster_render /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:1682:12
#8 0x55e70a in PVG_FT_Raster_Render /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:1694:19
#9 0x513135 in plutovg_rasterize /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-rasterize.c:375:5
#10 0x4fa671 in plutovg_canvas_fill_preserve /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-canvas.c:541:5
#11 0x4fa671 in plutovg_canvas_fill /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-canvas.c:513:5
#12 0x4fa671 in plutovg_canvas_fill_path /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-canvas.c:584:5
#13 0x4eac83 in draw_shape /experiment/plutosvg/source/plutosvg.c:1968:9
#14 0x4d752a in render_path /experiment/plutosvg/source/plutosvg.c:2338:5
#15 0x4d752a in render_element /experiment/plutosvg/source/plutosvg.c:2537:9
#16 0x4e60c1 in render_children /experiment/plutosvg/source/plutosvg.c:2549:9
#17 0x4e60c1 in render_symbol /experiment/plutosvg/source/plutosvg.c:2084:5
#18 0x4d2ec8 in render_svg /experiment/plutosvg/source/plutosvg.c:2091:9
#19 0x4d2ec8 in render_element /experiment/plutosvg/source/plutosvg.c:2512:9
#20 0x4d1be2 in plutosvg_document_render /experiment/plutosvg/source/plutosvg.c:2575:5
#21 0x4e2f57 in plutosvg_document_render_to_surface /experiment/plutosvg/source/plutosvg.c:2601:9
#22 0x4c95a5 in main /experiment/plutosvg/examples/svg2png.c:41:15
#23 0x7fa0e58dc0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#24 0x41d50d in _start (/experiment/plutosvg/san/examples/svg2png+0x41d50d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:282:14 in gray_find_cell
==1902738==ABORTING
by,
Hengyu Yang
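For triage, the AddressSanitizer report above can be reduced to a signature that does not depend on the reporter's build directory or process id. This is an added example, not part of the original report or the project's code; the function names `parse_report`, `inlined_depth` and `bucket_key` are hypothetical. Frames #0 to #3 share one pc, which means they were inlined into a single function in this build.

```python
import hashlib
import re

# Excerpt of the AddressSanitizer report quoted in the issue above.
REPORT = """\
==1902738==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000005605b5 bp 0x0000000119e8 sp 0x7ffe9c25d570 T0)
==1902738==The signal is caused by a READ memory access.
#0 0x5605b5 in gray_find_cell /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:282:14
#1 0x5605b5 in gray_record_cell /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:313:21
#2 0x5605b5 in gray_set_cell /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:356:9
#3 0x5605b5 in gray_render_line /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:619:5
#4 0x55fb65 in PVG_FT_Outline_Decompose /experiment/plutosvg/san/_deps/plutovg-src/source/plutovg-ft-raster.c:1364:13
#23 0x7fa0e58dc0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (\S+) (.*)$", re.M)
SRC_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")

def parse_report(text):
    """Return error kind, access type and the parsed stack frames."""
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    frames = []
    for num, pc, func, loc in FRAME_RE.findall(text):
        src = SRC_RE.match(loc)  # None for frames without file:line info
        frames.append({
            "index": int(num), "pc": int(pc, 16), "func": func,
            # Keep only the basename: build directories differ per machine.
            "file": src.group(1).rsplit("/", 1)[-1] if src else None,
            "line": int(src.group(2)) if src else None,
        })
    return {"error": err.group(1) if err else None,
            "access": acc.group(1) if acc else None, "frames": frames}

def inlined_depth(frames):
    """Count leading frames sharing frame #0's pc (inlined into one function)."""
    return next((i for i, f in enumerate(frames) if f["pc"] != frames[0]["pc"]),
                len(frames))

def bucket_key(report, top=3):
    """Stable dedup key: error kind, access type and top source-level frames."""
    src = [f for f in report["frames"] if f["file"]][:top]
    sig = "|".join([str(report["error"]), str(report["access"])] +
                   [f"{f['func']}@{f['file']}" for f in src])
    return hashlib.sha256(sig.encode()).hexdigest()[:16]
```

Line numbers are left out of the key on purpose, so the same fault still lands in one bucket when the source shifts between commits.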
Thanks for the detailed report and steps! I tried running the poc file on my machine following your instructions, but it works perfectly for me—no crashes or errors.
Am I missing something? Could you let me know what environment you're using (OS, compiler version, etc.) or if there are any specific build flags or steps you followed? That might help me figure out what’s going on.