[BZ#787796] Fuzz: Crash with circle with large numerical "r" attribute
Submitted by Ossi Herrala
Link to original bug (#787796)
Description
Created attachment 359938 Mutated SVG file
Librsvg crashes with a mutated SVG.
Reproduced with librsvg 2.40.18 running on Debian 9.1.
Diff of original sample and mutated file:
--- /work/corpus/coords-constr-203-t.svg 2017-09-16 10:09:48.000000000 +0000 +++ /work/crashes/086f936b211159f51ef27fe4fe1dcc3f8e77fe11 2017-09-16 21:23:01.047702390 +0000 @@ -52,7 +52,7 @@ Cannot be transformed by the user agent transform.
-
<circle cx="50" cy="215" r="15" fill="blue"/>
-
<circle cx="50" cy="215" r="18446744073709551601" fill="blue"/> <text x="70" y="225" fill="blue" font-size="12">Cannot be transformed by the user agent transform.</text>
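Review bot: the only substantive change in this hunk is the circle's r="15" becoming r="18446744073709551601" (2^64 - 15), and the GDB backtrace below shows that value reaching cairo's tor scan converter via _rsvg_node_circle_draw -> rsvg_render_path -> cairo_fill with nothing in between rejecting it; since the crash lands inside libcairo rather than librsvg, the range check belongs where librsvg parses the length, before the path is handed to cairo_fill, not in the renderer that faults.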
ASAN trace:
ASAN:DEADLYSIGNAL
==9629==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x7fe05ce92ad3 bp 0x62200001a6b8 sp 0x7ffc430ce910 T0)
    #0 0x7fe05ce92ad2 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x77ad2)
    #1 0x7fe05ce84c3d (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x69c3d)
    #2 0x7fe05ce856b2 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6a6b2)
    #3 0x7fe05ce865c2 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b5c2)
    #4 0x7fe05ce40baf (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x25baf)
    #5 0x7fe05ce522c6 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x372c6)
    #6 0x7fe05ce89816 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6e816)
    #7 0x7fe05ce4928b (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x2e28b)
    #8 0x7fe05ce423a8 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x273a8)
    #9 0x7fe05ce3b434 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x20434)
    #10 0x7fe05e94fbe4 (/app/lib/librsvg-2.so.2+0x7ebe4)
    #11 0x7fe05e9490cb (/app/lib/librsvg-2.so.2+0x780cb)
    #12 0x7fe05e929f50 (/app/lib/librsvg-2.so.2+0x58f50)
    #13 0x7fe05e92b375 (/app/lib/librsvg-2.so.2+0x5a375)
    #14 0x7fe05e92b375 (/app/lib/librsvg-2.so.2+0x5a375)
    #15 0x7fe05e92c5ec (/app/lib/librsvg-2.so.2+0x5b5ec)
    #16 0x7fe05e92b157 (/app/lib/librsvg-2.so.2+0x5a157)
    #17 0x7fe05e954736 (/app/lib/librsvg-2.so.2+0x83736)
    #18 0x4edd94 (/app/bin/rsvg-convert+0x4edd94)
    #19 0x7fe05bf582b0 (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #20 0x41bf09 (/app/bin/rsvg-convert+0x41bf09)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x77ad2)
==9629==ABORTING
GDB backtrace:
#0 full_row (mask=<optimized out>, coverages=<optimized out>, active=<optimized out>) at ../../../../src/cairo-tor-scan-converter.c:1335
#1 glitter_scan_converter_render (renderer=0x7fffffffc550, antialias=1, winding_mask=<optimized out>, converter=0x1002acde8) at ../../../../src/cairo-tor-scan-converter.c:1767
#2 _cairo_tor_scan_converter_generate (converter=0x1002acdd0, renderer=0x7fffffffc550) at ../../../../src/cairo-tor-scan-converter.c:1857
#3 0x00007ffff6ffbc3e in composite_polygon (extents=extents@entry=0x7fffffffde30, polygon=polygon@entry=0x7fffffffda10, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING,
antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT, compositor=<optimized out>, compositor=<optimized out>) at ../../../../src/cairo-spans-compositor.c:801
#4 0x00007ffff6ffc6b3 in clip_and_composite_polygon (compositor=compositor@entry=0x7ffff72a4040 <spans>, extents=extents@entry=0x7fffffffde30,
polygon=polygon@entry=0x7fffffffda10, fill_rule=CAIRO_FILL_RULE_WINDING, antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT) at ../../../../src/cairo-spans-compositor.c:967
#5 0x00007ffff6ffd5c3 in _cairo_spans_compositor_fill (_compositor=0x7ffff72a4040 <spans>, extents=0x7fffffffde30, path=<optimized out>, fill_rule=<optimized out>,
tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at ../../../../src/cairo-spans-compositor.c:1174
#6 0x00007ffff6fb7bb0 in _cairo_compositor_fill (compositor=0x7ffff72a4040 <spans>, surface=0x100227110, op=<optimized out>, source=<optimized out>, path=0x100236f68,
fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at ../../../../src/cairo-compositor.c:203
#7 0x00007ffff6fc92c7 in _cairo_image_surface_fill (abstract_surface=<optimized out>, op=<optimized out>, source=<optimized out>, path=<optimized out>,
fill_rule=<optimized out>, tolerance=<optimized out>, antialias=<optimized out>, clip=0x0) at ../../../../src/cairo-image-surface.c:985
#8 0x00007ffff7000817 in _cairo_surface_fill (surface=0x100227110, op=CAIRO_OPERATOR_OVER, source=0x7fffffffe200, path=0x100236f68, fill_rule=CAIRO_FILL_RULE_WINDING,
tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at ../../../../src/cairo-surface.c:2341
#9 0x00007ffff6fc028c in _cairo_gstate_fill (gstate=0x100237720, path=path@entry=0x100236f68) at ../../../../src/cairo-gstate.c:1317
#10 0x00007ffff6fb93a9 in _cairo_default_context_fill (abstract_cr=0x100236c00) at ../../../../src/cairo-default-context.c:1055
#11 0x00007ffff6fb2435 in cairo_fill (cr=0x100236c00) at ../../../../src/cairo.c:2205
#12 0x00007ffff7bcc575 in rsvg_cairo_render_path (ctx=0x100258b70, path=<optimized out>) at rsvg-cairo-draw.c:537
#13 0x00007ffff7bc8a12 in rsvg_render_path (ctx=ctx@entry=0x100258b70, path=path@entry=0x100263450) at rsvg-base.c:2113
#14 0x00007ffff7bbed99 in _rsvg_node_circle_draw (self=0x10024fe00, ctx=0x100258b70, dominate=0) at rsvg-shapes.c:594
#15 0x00007ffff7bbfb70 in rsvg_node_draw (dominate=0, ctx=0x100258b70, self=<optimized out>) at rsvg-structure.c:54
#16 _rsvg_node_draw_children (self=0x10024ecc0, ctx=0x100258b70, dominate=0) at rsvg-structure.c:70
#17 0x00007ffff7bbfb70 in rsvg_node_draw (dominate=0, ctx=0x100258b70, self=<optimized out>) at rsvg-structure.c:54
#18 _rsvg_node_draw_children (self=0x100240010, ctx=0x100258b70, dominate=0) at rsvg-structure.c:70
#19 0x00007ffff7bc0032 in rsvg_node_draw (dominate=0, ctx=0x100258b70, self=<optimized out>) at rsvg-structure.c:54
#20 rsvg_node_svg_draw (self=0x10023d960, ctx=0x100258b70, dominate=<optimized out>) at rsvg-structure.c:309
#21 0x00007ffff7bc0948 in rsvg_node_draw (self=<optimized out>, ctx=ctx@entry=0x100258b70, dominate=dominate@entry=0) at rsvg-structure.c:54
#22 0x00007ffff7bcd0a3 in rsvg_handle_render_cairo_sub (handle=0x10022c0d0, cr=0x100236c00, id=<optimized out>) at rsvg-cairo-render.c:224
#23 0x00000001000022da in main (argc=<optimized out>, argv=<optimized out>) at rsvg-convert.c:429
This issue was found by Ossi Herrala and Marko Laakso by using the Radamsa fuzzer on the 521155S Computer Security (practical security) course lab taught by Christian Wieser of OUSPG.
Attachment 359938, "Mutated SVG file":
086f936b211159f51ef27fe4fe1dcc3f8e77fe11
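The whole input class behind this report is a numeric attribute pushed to an integer boundary (here r="15" mutated to 2^64 - 15) that librsvg parses and hands to cairo unchecked. As an added example, not code from the report, from librsvg or from Radamsa, the Python below applies that mutation to a constructed SVG modelled on the corpus file, and flags attribute values that a 24.8 fixed-point rasterizer cannot represent, so the flagged mutants can be fed to rsvg-convert under ASAN. The 2^23 limit is an assumption taken from cairo's 32-bit 24.8 fixed-point coordinate format and is not something the report states; the sample SVG, the boundary-value list and the attribute set are constructed for the example.

```python
import math
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)

# Constructed sample modelled on the corpus file in the report (not the real file).
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" width="300" height="300">
  <circle cx="50" cy="215" r="15" fill="blue"/>
  <text x="70" y="225" fill="blue" font-size="12">Cannot be transformed by the user agent transform.</text>
</svg>"""

# Integer-boundary values of the kind a mutation fuzzer such as Radamsa emits;
# the first one is the value from the report (2**64 - 15).
BOUNDARY_VALUES = [
    "18446744073709551601", "4294967295", "2147483648", "-2147483649", "1e308",
]

# Plain length/coordinate attributes on basic shapes and text (constructed subset).
NUMERIC_ATTRS = {"cx", "cy", "r", "rx", "ry", "x", "y", "width", "height"}

# Assumption: cairo keeps path coordinates in 32-bit 24.8 fixed point, so any
# magnitude beyond 2**23 user units cannot be represented.
FIXED_LIMIT = 2.0 ** 23

# A plain number optionally suffixed with "px"; other units and percentages are skipped.
NUMBER_RE = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)\s*(?:px)?\s*$")


def mutate(svg_text, attr, value):
    """Return svg_text with `attr` on the first element that carries it set to `value`."""
    root = ET.fromstring(svg_text)
    for el in root.iter():
        if attr in el.attrib:
            el.set(attr, value)
            break
    else:
        raise KeyError(f"no element carries attribute {attr!r}")
    return ET.tostring(root, encoding="unicode")


def out_of_range_attrs(svg_text, limit=FIXED_LIMIT):
    """List (tag, attr, raw_value) for numeric attributes that are not finite
    or whose magnitude exceeds `limit`."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]      # strip the namespace from "{ns}circle"
        for attr, raw in el.attrib.items():
            if attr not in NUMERIC_ATTRS:
                continue
            m = NUMBER_RE.match(raw)
            if m is None:
                continue                      # units other than px are out of scope here
            val = float(m.group(1))           # the regex guarantees this parses
            if not math.isfinite(val) or abs(val) > limit:
                findings.append((tag, attr, raw))
    return findings


def crash_candidates(svg_text, attr, values=BOUNDARY_VALUES):
    """Apply each boundary value to `attr` and keep the mutants the range check
    flags; these are the inputs worth running through the renderer under ASAN."""
    kept = []
    for value in values:
        mutant = mutate(svg_text, attr, value)
        if out_of_range_attrs(mutant):
            kept.append((value, mutant))
    return kept


if __name__ == "__main__":
    # Write each flagged mutant to stdout; redirect into files and run them through
    # an ASAN build of rsvg-convert the same way the report did.
    for value, mutant in crash_candidates(SAMPLE_SVG, "r"):
        print(f"# r={value}")
        print(mutant)
```

The range check is a triage aid, not a fix: it tells you which mutants are worth a renderer run, and it doubles as the kind of pre-flight validation a consumer of untrusted SVG can apply before calling into librsvg.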