
Undefined Behavior in nsvg__pathArcTo() #183

Open
invd opened this issue Sep 24, 2020 · 1 comment
invd commented Sep 24, 2020

During fuzzing, UndefinedBehaviorSanitizer reports an issue at

ndivs = (int)(fabsf(da) / (NSVG_PI*0.5f) + 1.0f);

nanosvg.h:2175:10: runtime error: nan is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior nanosvg.h:2175:10 in 

I do not expect a direct security impact.

Example input: ub_1.svg.zip.

State before the UB:

Thread 1 "nanosvg_fuzzer" hit Breakpoint 1, nsvg__pathArcTo (p=0xe83620, cpx=0x7fffffffbf54, cpy=0x7fffffffbf50, args=0x7fffffffbf60, 
    rel=0) at ./nanosvg.h:2175
2175		ndivs = (int)(fabsf(da) / (NSVG_PI*0.5f) + 1.0f);
(gdb) info local
rx = 8
ry = inf
rotx = 0
x1 = 0
y1 = 0
x2 = 0
y2 = 0.200000003
cx = -nan(0x400000)
cy = -nan(0x400000)
dx = 0
dy = -0.200000003
d = 0
x1p = 0
y1p = -0.100000001
cxp = 0
cyp = -nan(0x400000)
s = -0
sa = -nan(0x400000)
sb = -nan(0x400000)
ux = 0
uy = -nan(0x400000)
vx = -0
vy = -nan(0x400000)
a1 = -nan(0x400000)
da = -nan(0x400000)
x = 4.59163468e-41
y = -nan(0x7fbed0)
tanx = 6.44597294e-44
tany = 0
a = 4.59163468e-41
px = 0
py = 0
ptanx = 0
ptany = 0
t = {1, 0, -0, 1, -nan(0x400000), -nan(0x400000)}
sinrx = 0
cosrx = 1
fa = 1
fs = 1
i = 46
ndivs = 33542579
hda = 4.59163468e-41
kappa = -nan(0x7fbed0)

Note: my local source lines are not identical with nanosvg.h upstream.

invd commented Mar 3, 2023

@memononen: this undefined behavior issue is still present in the newest commit, 9da543e.

ndivs = (int)(fabsf(da) / (NSVG_PI*0.5f) + 1.0f);

While retesting this issue, my fuzzer has found a separate Undefined Behavior issue in nsvg__parseColorRGB():

nanosvg.h:1273:14: runtime error: 2.83333e+11 is outside the range of representable values of type 'unsigned int'

rgbi[0] = roundf(rgbf[0] * 2.55f);

Similar edge cases are possible for rgbi[2] = roundf(rgbf[2] * 2.55f); at nanosvg.h:1275 as well.

Let me know if you have an interest in fixing those and need more information.
