[Text Mode] NULL pointer dereference in SVGNative::SVGDocument::Render

Question

[Text Mode] NULL pointer dereference in SVGNative::SVGDocument::Render

xinali opened this issue 5 years ago · 2 comments

Compile Options

ubuntu 16.04 x64
clang++-6.0 
ASAN

Debug

pwndbg> r poc_file_4                                                                                                         
Starting program: /home/tmp/svg-native-viewer/svgnative/Build/linux/example/testText/test poc_file_4

Program received signal SIGSEGV, Segmentation fault.
SVGNative::SVGDocument::Render (this=0x0) at /home/tmp/svg-native-viewer/svgnative/src/SVGDocument.cpp:59
59          mDocument->Render(colorMap, mDocument->mViewBox[2], mDocument->mViewBox[3]);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────
 RAX  0x7fffffffc0f8 ◂— 0x0
 RBX  0x6d4c70 —▸ 0x4aee48 —▸ 0x407f10 ◂— lea    rsp, [rsp - 0x98]
 RCX  0x951bb0bf
 RDX  0x951b8a7c
 RDI  0x0
 RSI  0x5ad33ebe
 R8   0x6d5780 —▸ 0x6d400f ◂— 0x726f66736e617274 ('transfor')
 R9   0x1
 R10  0x126f
 R11  0x7ffff7ae1490 (__cxa_free_exception) ◂— mov    rax, qword ptr [rip + 0x2f1899]
 R12  0x7fffffffcd80 ◂— 0x9509119d
 R13  0x7fffffffc160 ◂— 0xe40
 R14  0x7fffffffc3c8 —▸ 0x6d4c70 —▸ 0x4aee48 —▸ 0x407f10 ◂— lea    rsp, [rsp - 0x98]
 R15  0x7fffffffc150 —▸ 0x6d3d00 ◂— '<svg xmlns'
 RBP  0x7fffffffc400 ◂— 'test-green'
 RSP  0x7fffffffc0f0 —▸ 0x6d4c80 —▸ 0x4b00c8 —▸ 0x41bf30 (SVGNative::StringSVGRenderer::~StringSVGRenderer()) ◂— lea    rsp, [rsp - 0x98]
 RIP  0x4092f2 (SVGNative::SVGDocument::Render()+98) ◂— mov    rdi, qword ptr [rdi]
─────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────
 ► 0x4092f2 <SVGNative::SVGDocument::Render()+98>     mov    rdi, qword ptr [rdi]
   0x4092f5 <SVGNative::SVGDocument::Render()+101>    movss  xmm0, dword ptr [rdi + 0x10090]
   0x4092fd <SVGNative::SVGDocument::Render()+109>    movss  xmm1, dword ptr [rdi + 0x10094]
   0x409305 <SVGNative::SVGDocument::Render()+117>    mov    rsi, rsp
   0x409308 <SVGNative::SVGDocument::Render()+120>    call   0x45b5f0
 
   0x40930d <SVGNative::SVGDocument::Render()+125>    mov    rsi, qword ptr [rsp + 0x10]
   0x409312 <SVGNative::SVGDocument::Render()+130>    mov    rdi, rsp
   0x409315 <SVGNative::SVGDocument::Render()+133>    call   0x4069b0
 
   0x40931a <SVGNative::SVGDocument::Render()+138>    add    rsp, 0x30
   0x40931e <SVGNative::SVGDocument::Render()+142>    pop    rbx
   0x40931f <SVGNative::SVGDocument::Render()+143>    ret    
──────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────
In file: /home/tmp/svg-native-viewer/svgnative/src/SVGDocument.cpp
   54 SVGDocument::~SVGDocument() {}
   55 
   56 void SVGDocument::Render()
   57 {
   58     ColorMap colorMap;
 ► 59     mDocument->Render(colorMap, mDocument->mViewBox[2], mDocument->mViewBox[3]);
   60 }
   61 
   62 void SVGDocument::Render(float width, float height)
   63 {
   64     ColorMap colorMap;
──────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffc0f0 —▸ 0x6d4c80 —▸ 0x4b00c8 —▸ 0x41bf30 (SVGNative::StringSVGRenderer::~StringSVGRenderer()) ◂— lea    rsp, [rsp - 0x98]
01:0008│ rax  0x7fffffffc0f8 ◂— 0x0
... ↓
03:0018│      0x7fffffffc108 —▸ 0x7fffffffc0f8 ◂— 0x0
... ↓
05:0028│      0x7fffffffc118 ◂— 0x0
06:0030│      0x7fffffffc120 —▸ 0x6d4c70 —▸ 0x4aee48 —▸ 0x407f10 ◂— lea    rsp, [rsp - 0x98]
07:0038│      0x7fffffffc128 —▸ 0x403bad (main+5213) ◂— nop    dword ptr [rax]
────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────
 ► f 0           4092f2 SVGNative::SVGDocument::Render()+98
   f 1           403bad main+5213
   f 2     7ffff718c830 __libc_start_main+240
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x0)
pwndbg> p mDocument 
Cannot access memory at address 0x0

Answer 1 · 2019-12-13T13:38:52.000Z

4b39ab2 is my draft patch to fix this issue.

But, at the same time, I think my draft patch is ugly (it's a stoneage workaround for C89). If we can fix this issue by avoiding the construction of such broken SVGDocument object, it would be more smart.

@xinali , please could you send me POC file?

Answer 2 · 2019-12-20T13:26:24.000Z

I made PR#73 for this issue.