[BZ#744391] Fuzz: out-of-bounds write in sse2_fill called from cairo-image-compositor
Submitted by Atte Kettunen
Assigned to Federico Mena Quintero
Link to original bug (#744391)
Description
Tested on:
OS: Ubuntu 14.04
librsvg from github @ commit 40033648
reproducing file:
stderr and ASAN-trace:
=================================================================
==3718==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000f790 at pc 0x7f8905308972 bp 0x7fff12984530 sp 0x7fff12984528
WRITE of size 4 at 0x61c00000f790 thread T0
    #0 0x7f8905308971 in sse2_fill ??:0:0
    #1 0x7f89047a4807 in _pixman_implementation_fill ??:0:0
    #2 0x7f890313a24e in pixman_fill ??:0:0
    #3 0x7f890a99bfeb in fill_boxes ??:0:0
    #4 0x7f890ad24c0e in composite_aligned_boxes ??:0:0
    #5 0x7f890ad143c3 in clip_and_composite_boxes ??:0:0
    #6 0x7f890ad1177f in _cairo_spans_compositor_stroke ??:0:0
    #7 0x7f890a8f0716 in _cairo_compositor_stroke ??:0:0
    #8 0x7f890aa14c48 in _cairo_image_surface_stroke ??:0:0
    #9 0x7f890ad6b567 in _cairo_surface_stroke ??:0:0
    #10 0x7f890a9672bf in _cairo_gstate_stroke ??:0:0
    #11 0x7f890a91e34f in _cairo_default_context_stroke ??:0:0
    #12 0x7f890a895e7a in INT_cairo_stroke ??:0:0
    #13 0x7f890c5d92b3 in rsvg_cairo_render_path ??:0:0
    #14 0x7f890c5bffe4 in rsvg_render_path ??:0:0
    #15 0x7f890c553362 in _rsvg_node_rect_draw ??:0:0
    #16 0x7f890c55f5a6 in rsvg_node_draw ??:0:0
    #17 0x7f890c560147 in _rsvg_node_draw_children ??:0:0
    #18 0x7f890c55f5a6 in rsvg_node_draw ??:0:0
    #19 0x7f890c564c1c in rsvg_node_svg_draw ??:0:0
    #20 0x7f890c55f5a6 in rsvg_node_draw ??:0:0
    #21 0x7f890c5f19fb in rsvg_handle_render_cairo_sub ??:0:0
    #22 0x7f890c5f1d4e in rsvg_handle_render_cairo ??:0:0
    #23 0x4d525c in main ??:0:0
    #24 0x7f890930dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
    #25 0x418bd6 in _start ??:0:0

0x61c00000f790 is located 8 bytes to the right of 1800-byte region [0x61c00000f080,0x61c00000f788)
allocated by thread T0 here:
    #0 0x4ad153 in calloc asan_rtl:0
    #1 0x7f890409f487 in create_bits ??:0:0
    #2 0x7f890409dfd5 in _pixman_bits_image_init ??:0:0
    #3 0x7f89040a05fa in create_bits_image_internal ??:0:0
    #4 0x7f890409faaf in pixman_image_create_bits ??:0:0
    #5 0x7f890aa0a8d4 in _cairo_image_surface_create_with_pixman_format ??:0:0
    #6 0x7f890aa0b7be in INT_cairo_image_surface_create ??:0:0
    #7 0x4d47c6 in main ??:0:0
    #8 0x7f890930dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
Shadow bytes around the buggy address: . . .