Segmentation Fault in example/svg2png.cpp when rendering SVG with Address Sanitizer

[shuangxiangkan]

Description:

Encountered a segmentation fault when running svg2png.c with AddressSanitizer enabled. The issue seems to originate from gray_find_cell in the plutovg-ft-raster.c file. Below are the details of the crash and steps to reproduce it.

Environment

• OS: Ubuntu 22.04
• Compiler: Clang 16.0.6
• AFL++ Version: afl-fuzz++4.22a
• lunasvg Version: v3.0.1

Reproduction

git clone https://github.com/sammycage/lunasvg.git
cd lunasvg
cmake -B build \
  -DCMAKE_C_FLAGS="-fsanitize=address" \
  -DCMAKE_CXX_FLAGS="-fsanitize=address" \
  .
cmake --build build


./build/examples/svg2png ./Path-to-Poc/poc

ASAN Log

=================================================================
==622204==ERROR: AddressSanitizer: SEGV on unknown address 0x4f02fca0038804 (pc 0x55dfda15ac06 bp 0xffffffffffff0000 sp 0x7fffebf25820 T0)
==622204==The signal is caused by a READ memory access.
    #0 0x55dfda15ac06 in gray_find_cell /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:282:14
    #1 0x55dfda15ac06 in gray_record_cell /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:313:21
    #2 0x55dfda15ac06 in gray_set_cell /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:356:9
    #3 0x55dfda159319 in gray_render_line /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:646:9
    #4 0x55dfda157d0d in PVG_FT_Outline_Decompose /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:1364:13
    #5 0x55dfda157d0d in gray_convert_glyph_inner /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:1474:15
    #6 0x55dfda155039 in gray_convert_glyph /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:1581:17
    #7 0x55dfda155039 in gray_raster_render /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:1682:12
    #8 0x55dfda153448 in PVG_FT_Raster_Render /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:1694:19
    #9 0x55dfda0d02a0 in plutovg_rasterize /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-rasterize.c:375:5
    #10 0x55dfda092046 in plutovg_canvas_stroke_preserve /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-canvas.c:554:5
    #11 0x55dfda092046 in plutovg_canvas_stroke /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-canvas.c:521:5
    #12 0x55dfda092046 in plutovg_canvas_stroke_path /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-canvas.c:600:5
    #13 0x55dfda0340e6 in lunasvg::SVGGeometryElement::render(lunasvg::SVGRenderState&) const /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/source/svggeometryelement.cpp:153:23
    #14 0x55dfda01e2a2 in lunasvg::SVGElement::renderChildren(lunasvg::SVGRenderState&) const /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/source/svgelement.cpp:453:22
    #15 0x55dfda01e2a2 in lunasvg::SVGSVGElement::render(lunasvg::SVGRenderState&) const /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/source/svgelement.cpp:612:5
    #16 0x55dfda001999 in lunasvg::Document::render(lunasvg::Bitmap&, lunasvg::Matrix const&) const /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/source/lunasvg.cpp:475:20
    #17 0x55dfda002414 in lunasvg::Document::renderToBitmap(int, int, unsigned int) const /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/source/lunasvg.cpp:497:5
    #18 0x55dfd9ff5cdc in main /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/examples/svg2png.cpp:55:29
    #19 0x7fe901846249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7fe901846304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #21 0x55dfd9f32940 in _start (/srv/scratch/PAG/ksx/Fuzz/Library/lunasvg-latest/build/examples/svg2png+0x35940) (BuildId: 968925cc856459c7d1beac43fd13228a8e343066)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /srv/scratch/PAG/ksx/Fuzz/Library/lunasvg/build/_deps/plutovg-src/source/plutovg-ft-raster.c:282:14 in gray_find_cell
==622204==ABORTING

PoC

poc_SEGV_1.zip