[BZ#787799] Fuzz: Crash with large numerical value in stroke-width attribute
Submitted by Ossi Herrala
Link to original bug (#787799)
Description
Librsvg crashes with a mutated SVG.
Reproduced with librsvg 2.40.18 running on Debian 9.1.
Diff of original sample and mutated file:
--- corpus/script-handler-201-t.svg 2017-09-16 10:09:48.000000000 +0000 +++ crashes/f885d671b8a6540184d8f675432697aed53c08bb 2017-09-16 12:55:27.019045689 +0000 @@ -127,8 +127,8 @@
- + DRAFT - - \ No newline at end of file + + \ No newline at end of file
ASAN trace:
ASAN:DEADLYSIGNAL
==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x7fcde3772000 (pc 0x7fcddc83a83f bp 0x0000fffffffe sp 0x7ffc6b1cc970 T0)
    #0 0x7fcddc83a83e (/usr/lib/x86_64-linux-gnu/libpixman-1.so.0+0x6c83e)
    #1 0x7fcddc81f9fa (/usr/lib/x86_64-linux-gnu/libpixman-1.so.0+0x519fa)
    #2 0x7fcddc7d9838 (/usr/lib/x86_64-linux-gnu/libpixman-1.so.0+0xb838)
    #3 0x7fcde18841a5 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x311a5)
    #4 0x7fcde18bda6c (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6aa6c)
    #5 0x7fcde18be09d (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b09d)
    #6 0x7fcde18be289 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b289)
    #7 0x7fcde1878ace (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x25ace)
    #8 0x7fcde188a291 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x37291)
    #9 0x7fcde18c1715 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6e715)
    #10 0x7fcde1880e6e (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x2de6e)
    #11 0x7fcde187a438 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x27438)
    #12 0x7fcde18733d4 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x203d4)
    #13 0x7fcde3387cd9 (/app/lib/librsvg-2.so.2+0x7ecd9)
    #14 0x7fcde33810cb (/app/lib/librsvg-2.so.2+0x780cb)
    #15 0x7fcde33615d0 (/app/lib/librsvg-2.so.2+0x585d0)
    #16 0x7fcde3363375 (/app/lib/librsvg-2.so.2+0x5a375)
    #17 0x7fcde33645ec (/app/lib/librsvg-2.so.2+0x5b5ec)
    #18 0x7fcde3363157 (/app/lib/librsvg-2.so.2+0x5a157)
    #19 0x7fcde338c736 (/app/lib/librsvg-2.so.2+0x83736)
    #20 0x4edd94 (/app/bin/rsvg-convert+0x4edd94)
    #21 0x7fcde09902b0 (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #22 0x41bf09 (/app/bin/rsvg-convert+0x41bf09)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libpixman-1.so.0+0x6c83e)
==14359==ABORTING
GDB backtrace:
#0 sse2_fill (imp=<optimized out>, bits=<optimized out>, stride=<optimized out>, bpp=<optimized out>, x=<optimized out>, y=<optimized out>, width=476, height=-361,
filler=4278190080) at ../../pixman/pixman-sse2.c:3408
#1 0x00007ffff48e39fb in _pixman_implementation_fill (imp=0x100223280, bits=0x7ffff7f0a010, stride=480, bpp=32, x=2, y=2, width=476, height=-2, filler=<optimized out>)
at ../../pixman/pixman-implementation.c:277
#2 0x00007ffff489d839 in pixman_fill (bits=<optimized out>, stride=<optimized out>, bpp=<optimized out>, x=<optimized out>, y=<optimized out>, width=<optimized out>,
height=-2, filler=4278190080) at ../../pixman/pixman.c:759
#3 0x00007ffff6fc31a6 in fill_boxes (_dst=0x100227110, op=<optimized out>, color=0x7fffffffde68, boxes=<optimized out>) at ../../../../src/cairo-image-compositor.c:350
#4 0x00007ffff6ffca6d in composite_aligned_boxes (boxes=0x7fffffffd920, extents=0x7fffffffdd70, compositor=0x7ffff72a4040 <spans>)
at ../../../../src/cairo-spans-compositor.c:628
#5 clip_and_composite_boxes (compositor=compositor@entry=0x7ffff72a4040 <spans>, extents=extents@entry=0x7fffffffdd70, boxes=boxes@entry=0x7fffffffd920)
at ../../../../src/cairo-spans-compositor.c:882
#6 0x00007ffff6ffd09e in clip_and_composite_boxes (compositor=0x7ffff72a4040 <spans>, extents=0x7fffffffdd70, boxes=0x7fffffffd920)
at ../../../../src/cairo-spans-compositor.c:901
#7 0x00007ffff6ffd28a in _cairo_spans_compositor_stroke (_compositor=0x7ffff72a4040 <spans>, extents=0x7fffffffdd70, path=0x100236f68, style=0x7fffffffe170,
ctm=0x7fffffffe1a0, ctm_inverse=0x7fffffffe1d0, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at ../../../../src/cairo-spans-compositor.c:1038
#8 0x00007ffff6fb7acf in _cairo_compositor_stroke (compositor=0x7ffff72a4040 <spans>, surface=0x100227110, op=CAIRO_OPERATOR_OVER, source=0x7fffffffe210, path=0x100236f68,
style=0x7fffffffe170, ctm=0x7fffffffe1a0, ctm_inverse=0x7fffffffe1d0, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0)
at ../../../../src/cairo-compositor.c:157
#9 0x00007ffff6fc9292 in _cairo_image_surface_stroke (abstract_surface=<optimized out>, op=<optimized out>, source=<optimized out>, path=<optimized out>,
style=<optimized out>, ctm=<optimized out>, ctm_inverse=0x7fffffffe1d0, tolerance=<optimized out>, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0)
at ../../../../src/cairo-image-surface.c:964
#10 0x00007ffff7000716 in _cairo_surface_stroke (surface=0x100227110, op=CAIRO_OPERATOR_OVER, source=0x7fffffffe210, path=0x100236f68, stroke_style=0x7fffffffe170,
ctm=0x7fffffffe1a0, ctm_inverse=0x7fffffffe1d0, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at ../../../../src/cairo-surface.c:2296
#11 0x00007ffff6fbfe6f in _cairo_gstate_stroke (gstate=0x100237560, path=path@entry=0x100236f68) at ../../../../src/cairo-gstate.c:1194
#12 0x00007ffff6fb9439 in _cairo_default_context_stroke (abstract_cr=0x100236c00) at ../../../../src/cairo-default-context.c:1010
#13 0x00007ffff6fb23d5 in INT_cairo_stroke (cr=0x100236c00) at ../../../../src/cairo.c:2150
#14 0x00007ffff7bcc534 in rsvg_cairo_render_path (ctx=0x100226a80, path=<optimized out>) at rsvg-cairo-draw.c:549
#15 0x00007ffff7bc8a12 in rsvg_render_path (ctx=ctx@entry=0x100226a80, path=path@entry=0x10029f3e0) at rsvg-base.c:2113
#16 0x00007ffff7bbe8cb in _rsvg_node_rect_draw (self=0x1002511c0, ctx=0x100226a80, dominate=0) at rsvg-shapes.c:500
#17 0x00007ffff7bbfb70 in rsvg_node_draw (dominate=0, ctx=0x100226a80, self=<optimized out>) at rsvg-structure.c:54
#18 _rsvg_node_draw_children (self=0x100263720, ctx=0x100226a80, dominate=0) at rsvg-structure.c:70
#19 0x00007ffff7bc0032 in rsvg_node_draw (dominate=0, ctx=0x100226a80, self=<optimized out>) at rsvg-structure.c:54
#20 rsvg_node_svg_draw (self=0x10023d960, ctx=0x100226a80, dominate=<optimized out>) at rsvg-structure.c:309
#21 0x00007ffff7bc0948 in rsvg_node_draw (self=<optimized out>, ctx=ctx@entry=0x100226a80, dominate=dominate@entry=0) at rsvg-structure.c:54
#22 0x00007ffff7bcd0a3 in rsvg_handle_render_cairo_sub (handle=0x10022c0d0, cr=0x100236c00, id=<optimized out>) at rsvg-cairo-render.c:224
#23 0x00000001000022da in main (argc=<optimized out>, argv=<optimized out>) at rsvg-convert.c:429
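The two pixman frames at the top of the backtrace show cairo's fill_boxes() handing pixman_fill() a box with height=-2, and sse2_fill() faulting with height=-361. The C below is an added example, not pixman's, cairo's or librsvg's code. It models a row loop of the shape `while (height--)` (an assumption about the fill routine; -2 to -361 is exactly what 359 post-decrements of such a loop would leave) in a sandbox that stops at a cap instead of overrunning memory, beside a guarded fill that rejects an empty or inverted box before it writes anything. The 8x8 sandbox surface in demo_fill(), the 480x480 surface size assumed in main() (the page does not give it) and all function names are constructed for the example; stride=480, x=2, y=2, width=476, height=-2 and filler=4278190080 are taken from frame #1.

```c
/* Added example (not pixman's, cairo's or librsvg's code): a sandboxed model
 * of the fill call in frames #0-#2 of the backtrace, where pixman_fill() is
 * handed height=-2. Assumes the row loop has the shape `while (height--)`. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How many rows a `while (height--)` loop starts before `height` reaches 0.
 * A negative count never reaches 0 by decrementing, so the loop only stops
 * when a write faults; `cap` stands in for that fault so the model is safe. */
static int rows_touched_naive(int height, int cap)
{
    int rows = 0;
    while (height--) {          /* -2 is nonzero, so the loop body runs */
        if (rows == cap)        /* sandbox: stop where a real fill would fault */
            return rows;
        rows++;
    }
    return rows;
}

/* Guarded fill: reject an empty or inverted box and any box that does not fit
 * the surface before touching memory. Bounds are tested as `x > w - width`
 * rather than `x + width > w` so the comparison itself cannot overflow. */
static bool fill_rows_checked(uint32_t *bits, int stride_words,
                              int surface_w, int surface_h,
                              int x, int y, int width, int height,
                              uint32_t filler)
{
    if (width <= 0 || height <= 0 || x < 0 || y < 0)
        return false;
    if (x > surface_w - width || y > surface_h - height)
        return false;
    for (int row = 0; row < height; row++) {
        uint32_t *d = bits + (size_t)(y + row) * stride_words + x;
        for (int col = 0; col < width; col++)
            d[col] = filler;
    }
    return true;
}

/* Run the guarded fill on a constructed 8x8 surface at x=2, y=2, width=4 and
 * return how many pixels hold the filler, or -1 if the box was rejected. */
static long demo_fill(int height)
{
    enum { W = 8, H = 8 };
    uint32_t surf[W * H];
    const uint32_t filler = 0xff000000u;    /* 4278190080 from the trace */
    memset(surf, 0, sizeof surf);
    if (!fill_rows_checked(surf, W, W, H, 2, 2, 4, height, filler))
        return -1;
    long n = 0;
    for (size_t i = 0; i < W * H; i++)
        n += surf[i] == filler;
    return n;
}

int main(void)
{
    /* Frame #1 arguments: stride=480, x=2, y=2, width=476, height=-2.
     * The surface size is not on the page; 480x480 is assumed here. The
     * guarded fill rejects the box before dereferencing `bits`. */
    printf("checked fill with height=-2 accepted: %s\n",
           fill_rows_checked(NULL, 480, 480, 480, 2, 2, 476, -2, 0xff000000u)
               ? "yes" : "no");
    printf("unchecked loop rows started before a 1000-row cap: %d\n",
           rows_touched_naive(-2, 1000));
    printf("checked fill on the 8x8 sandbox, height=3: %ld pixels\n",
           demo_fill(3));
    return 0;
}
```

Build with `cc -Wall example.c`. Rejecting the box at the fill stage only stops the overrun; a negative height reaching fill_boxes() means the stroke extents were already inverted by the time cairo computed the aligned boxes, and this trace alone does not show where the oversized stroke-width turned into that inverted box.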
This issue was found by Ossi Herrala and Marko Laakso using the Radamsa fuzzer in the 521155S Computer Security (practical security) course lab taught by Christian Wieser of OUSPG.