Description:
If szEnd can't hit the check that follows within the right range, the copy size of strncpy may be too large, which will directly cause a stack overflow. If the lib is used by a browser, RCE is possible!
```c
const char* svgGetNextPathField( const char *szData, char *szField )
{
    const char *szStart = NULL, *szEnd = NULL;

    if( szData==NULL || szField==NULL )
        return NULL;

    szField[ 0 ] = '\0';

    // FIXME: Make sure that this "M100,100L200,500" will be parsed...

    // Search for the start of the field
    szStart = szData;
    while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
        szStart ++;
    }
    if( *szStart=='\0' )
        return NULL;

    // Search for the end
    szEnd = szStart + 1;
    while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
        szEnd ++;
    }

    // Copies szEnd - szStart bytes without knowing the size of szField
    strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
    szField[ szEnd - szStart ] = 0;

    return szStart;
}
```
POC:
https://pan.baidu.com/s/1jVZghI-9fabwDuOAs6xAcg
ASAN:
https://pan.baidu.com/s/1WrFXobw05-t1EpJpceZ-gA
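As an added example (not the library's code and not the reporter's), a bounded variant of the same field parser that receives the destination size and refuses any field that would not fit, which is the check the function above is missing; the names svgGetNextPathFieldSafe and svgCountPathFields, the separator helper and the sample inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed hardened variant of svgGetNextPathField (not the library's own
 * code): cbField is the destination size the original never receives. Returns
 * the field start, or NULL on bad args, end of input, or an over-long field. */
static int svgIsPathFieldSep(char c)
{
    return c == '\t' || c == '\r' || c == '\n' || c == ' ' || c == ',';
}

const char *svgGetNextPathFieldSafe(const char *szData, char *szField, size_t cbField)
{
    const char *szStart, *szEnd;
    size_t cbCopy;
    if (szData == NULL || szField == NULL || cbField == 0)
        return NULL;
    szField[0] = '\0';
    szStart = szData;                            /* skip leading separators */
    while (*szStart != '\0' && svgIsPathFieldSep(*szStart))
        szStart++;
    if (*szStart == '\0')
        return NULL;
    szEnd = szStart + 1;                         /* find the end of the field */
    while (*szEnd != '\0' && !svgIsPathFieldSep(*szEnd))
        szEnd++;
    /* The check the original lacks: field plus NUL must fit the destination.
     * Without it, strncpy writes szEnd - szStart bytes into a fixed buffer. */
    cbCopy = (size_t)(szEnd - szStart);
    if (cbCopy >= cbField)
        return NULL;
    memcpy(szField, szStart, cbCopy);
    szField[cbCopy] = '\0';
    return szStart;
}

/* Walk a whole path string with a caller-sized buffer. Returns the field
 * count, or -1 if a field was rejected (NULL while non-separator input remains). */
int svgCountPathFields(const char *szPath, char *szField, size_t cbField)
{
    int n = 0;
    const char *cur = szPath, *ret;
    while ((ret = svgGetNextPathFieldSafe(cur, szField, cbField)) != NULL) {
        n++;
        cur = ret + strlen(szField);             /* original returns the field start */
    }
    while (*cur != '\0' && svgIsPathFieldSep(*cur))
        cur++;
    return *cur == '\0' ? n : -1;
}
```

With an 8-byte field buffer, "M100,100L200,500" yields 3 fields, while a single 13-character field is rejected instead of overrunning the buffer.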
```
pwndbg> p ptPathCmd
$31 = (svgPathCommand *) 0x313131313131312d
pwndbg> p ptLastPathCmd
$33 = (svgPathCommand *) 0x333233322d333132
```
Saved $rbp and the return address have been overwritten; when bypassing the PoC crash error, $ip will be controlled.
debug pic: https://pan.baidu.com/s/1AKFgwFBdQRZZjEdsXb3fWg