Tencent Libpag v4.3 is vulnerable to a buffer overflow. A user can send a crafted image to trigger an overflow leading to remote code execution.
Patched here: Tencent/libpag#2230
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6301==ERROR: AddressSanitizer: SEGV on unknown address 0x000126d13bed (pc 0x000107179a80 bp 0x00016d3d6b30 sp 0x00016d3d6b20 T0)
==6301==The signal is caused by a READ memory access.
#0 0x107179a80 in tgfx::DataView::readData(unsigned long, unsigned char*, unsigned long) const+0x7c (libpag:arm64+0x139a80)
#1 0x107179b68 in tgfx::DataView::getUint16(unsigned long) const+0x18 (libpag:arm64+0x139b68)
#2 0x1070a0dfc in pag::DecodeStream::readUint16()+0x2c (libpag:arm64+0x60dfc)
#3 0x107066a18 in pag::ReadTagHeader(pag::DecodeStream*)+0x10 (libpag:arm64+0x26a18)
#4 0x107091860 in void pag::ReadTags<pag::VectorComposition*>(pag::DecodeStream*, pag::VectorComposition*, void (*)(pag::DecodeStream*, pag::TagCode, pag::VectorComposition*))+0x84 (libpag:arm64+0x51860)
#5 0x1070917a8 in pag::ReadVectorComposition(pag::DecodeStream*)+0x7c (libpag:arm64+0x517a8)
#6 0x107076c20 in pag::ReadTag_VectorCompositionBlock(pag::DecodeStream*, pag::CodecContext*)+0x14 (libpag:arm64+0x36c20)
#7 0x107076f24 in std::__1::function<void (pag::DecodeStream*, pag::CodecContext*)>::operator()(pag::DecodeStream*, pag::CodecContext*) const+0x28 (libpag:arm64+0x36f24)
#8 0x107076ee8 in pag::ReadTagsOfFile(pag::DecodeStream*, pag::TagCode, pag::CodecContext*)+0x3c (libpag:arm64+0x36ee8)
#9 0x107053f10 in pag::Codec::Decode(void const*, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+0x11c (libpag:arm64+0x13f10)
#10 0x1070442ac in pag::File::Load(void const*, unsigned long, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+0x16c (libpag:arm64+0x42ac)
#11 0x1070440f0 in pag::File::Load(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+0x34 (libpag:arm64+0x40f0)
#12 0x1070f7de8 in pag::PAGFile::Load(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+0x18 (libpag:arm64+0xb7de8)
#13 0x1070a8164 in +[PAGFileImpl Load:]+0xfc (libpag:arm64+0x68164)
#14 0x102a2b9fc in fuzz load.m:40
#15 0x102a2bae8 in main load.m:57
#16 0x182d190dc (<unknown module>)
==6301==Register values:
x[0] = 0x000000016d3d6f00 x[1] = 0x000000001f00ff42 x[2] = 0x000000016d3d6b48 x[3] = 0x0000000000000002
x[4] = 0x0000000106500fc0 x[5] = 0x0000000000000001 x[6] = 0x000000016cbdc000 x[7] = 0x0000000000000001
x[8] = 0x0000000000000002 x[9] = 0x0000000107d03cab x[10] = 0x000000000000003f x[11] = 0x000000000000000e
x[12] = 0x0000000000000061 x[13] = 0x0000000000184000 x[14] = 0x0000000000007e01 x[15] = 0x0000000000000006
x[16] = 0x00000001032e4a98 x[17] = 0x00000001033240b8 x[18] = 0x0000000000000000 x[19] = 0x0000000000000002
x[20] = 0x00000000e0ff00bd x[21] = 0x000000016d3d6ef8 x[22] = 0x1f00ff03000003c0 x[23] = 0x000000016d3d6d70
x[24] = 0x000000016d3d7240 x[25] = 0x0000000182d9862b x[26] = 0x0000000000000000 x[27] = 0x0000000000000000
x[28] = 0x0000000000000000 fp = 0x000000016d3d6b30 lr = 0x0000000107179b6c sp = 0x000000016d3d6b20
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libpag:arm64+0x139a80) in tgfx::DataView::readData(unsigned long, unsigned char*, unsigned long) const+0x7c
==6301==ABORTING
zsh: abort ./load nighty/crashes/access_violation_0xxxxxxxa80_0xxxxxxxbed_1
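The trace above faults in tgfx::DataView::readData, reached from getUint16 → DecodeStream::readUint16 → ReadTagHeader while walking the tags of the crafted file. The following is an added example, not libpag or tgfx code, showing the defensive shape that prevents this class of bug: every read through the view is range-checked against the buffer length before any memory is touched, and the decoder cursor only advances on a successful read. The SWF-style tag header layout (6-bit short length, 0x3f escape to a 32-bit length), the class names and the sample bytes are assumptions of the example, not facts about the PAG format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <vector>

// Hypothetical bounds-checked byte view. Every read first verifies that the
// requested range lies inside the buffer, so a bad offset or length becomes a
// failed read instead of an out-of-bounds memory access.
class CheckedDataView {
 public:
  CheckedDataView(const uint8_t* data, size_t length) : data_(data), length_(length) {}

  // True if [offset, offset + count) is inside the buffer. Written without
  // computing offset + count so the check itself cannot wrap around.
  bool inBounds(size_t offset, size_t count) const {
    return count <= length_ && offset <= length_ - count;
  }

  bool readData(size_t offset, uint8_t* out, size_t count) const {
    if (!inBounds(offset, count)) return false;
    std::memcpy(out, data_ + offset, count);
    return true;
  }

  std::optional<uint16_t> getUint16(size_t offset) const {  // little-endian
    uint8_t b[2];
    if (!readData(offset, b, sizeof b)) return std::nullopt;
    return static_cast<uint16_t>(b[0] | (b[1] << 8));
  }

  std::optional<uint32_t> getUint32(size_t offset) const {  // little-endian
    uint8_t b[4];
    if (!readData(offset, b, sizeof b)) return std::nullopt;
    return static_cast<uint32_t>(b[0]) | (static_cast<uint32_t>(b[1]) << 8) |
           (static_cast<uint32_t>(b[2]) << 16) | (static_cast<uint32_t>(b[3]) << 24);
  }

 private:
  const uint8_t* data_;
  size_t length_;
};

// Sequential reader on top of the view: the cursor advances only after a
// successful read, so truncated input stops decoding instead of running past the end.
class CheckedDecodeStream {
 public:
  explicit CheckedDecodeStream(const std::vector<uint8_t>& buf)
      : view_(buf.data(), buf.size()), end_(buf.size()) {}

  std::optional<uint16_t> readUint16() {
    auto v = view_.getUint16(pos_);
    if (v) pos_ += 2;
    return v;
  }
  std::optional<uint32_t> readUint32() {
    auto v = view_.getUint32(pos_);
    if (v) pos_ += 4;
    return v;
  }
  // Skip a payload whose size came from the file; refuse if it would leave the buffer.
  bool skip(size_t count) {
    if (!view_.inBounds(pos_, count)) return false;
    pos_ += count;
    return true;
  }
  size_t remaining() const { return end_ - pos_; }

 private:
  CheckedDataView view_;
  size_t end_;
  size_t pos_ = 0;
};

// Assumed SWF-style header (an assumption of this example): low 6 bits of a
// 16-bit word are the payload length, 0x3f meaning "32-bit length follows";
// the high 10 bits are the tag code.
struct TagHeader { uint16_t code; uint32_t length; };

std::optional<TagHeader> readTagHeader(CheckedDecodeStream& s) {
  auto raw = s.readUint16();
  if (!raw) return std::nullopt;
  TagHeader h{static_cast<uint16_t>(*raw >> 6), static_cast<uint32_t>(*raw & 0x3f)};
  if (h.length == 0x3f) {
    auto longLength = s.readUint32();
    if (!longLength) return std::nullopt;
    h.length = *longLength;
  }
  return h;
}

// Walk the tag list: how many complete tags were consumed, and whether the walk
// stopped because data ran out or a declared length pointed past the buffer.
struct WalkResult { int tags; bool truncated; };

WalkResult walkTags(const std::vector<uint8_t>& buf) {
  CheckedDecodeStream s(buf);
  WalkResult r{0, false};
  while (s.remaining() > 0) {
    auto h = readTagHeader(s);
    if (!h || !s.skip(h->length)) { r.truncated = true; break; }
    ++r.tags;
    if (h->code == 0) break;  // end-of-tags marker
  }
  return r;
}

int main() {
  // Constructed inputs: a tag (code 1, 2-byte payload) plus an end tag; the same
  // file cut one byte short; and a long-form header claiming 0xFFFFFFFF bytes.
  const std::vector<uint8_t> wellFormed{0x42, 0x00, 0xAA, 0xBB, 0x00, 0x00};
  const std::vector<uint8_t> cutShort{0x42, 0x00, 0xAA, 0xBB, 0x00};
  const std::vector<uint8_t> hugeLength{0x7F, 0x00, 0xFF, 0xFF, 0xFF, 0xFF};
  for (const auto* v : {&wellFormed, &cutShort, &hugeLength}) {
    WalkResult r = walkTags(*v);
    std::printf("tags=%d truncated=%s\n", r.tags, r.truncated ? "yes" : "no");
  }
  return 0;
}
```

The two failure inputs correspond to the two ways a decoder like the one in the trace reaches bad memory: a header split by the end of the buffer (readUint16 with one byte left) and a file-supplied length that moves the cursor far beyond the data. Both are rejected by the same `inBounds` check, with no arithmetic that can wrap.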