CVE-2021-44960: New vulnerability · Issue #101 · svgpp/svgpp

id_000015,sig_11,src_001176,time_147681735,op_arith8,pos_10,val_+3.zip
在renderDocument函数中的XMLDocument::getRoot函数对XMLDocument对象处理不当，在第二个if处提前返回一个空指针，造成renderDocument函数后面有空指针引用。
The XMLDocument::getRoot function in the renderDocument function handled the XMLDocument object improperly, returning a null pointer in advance at the second if, resulting in a null pointer reference behind the renderDocument function.

AddressSanitizer:DEADLYSIGNAL

==1486083==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006d742e bp 0x7fffc6d83dd0 sp 0x7fffc6d83880 T0)
==1486083==The signal is caused by a READ memory access.
==1486083==Hint: address points to the zero page.
#0 0x6d742e in rapidxml_ns::xml_base::local_name() const /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/third_party/rapidxml_ns/rapidxml_ns.hpp:882:20
#1 0x6d742e in svgpp::policy::xml::element_iterator<rapidxml_ns::xml_node const*>::get_local_name(rapidxml_ns::xml_node const*) /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/include/svgpp/policy/xml/rapidxml_ns.hpp:127:43
#2 0x6d742e in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp:🏭:length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp:🏭:color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method >, svgpp::error_policy<svgpp::policy::error::default_policy >, svgpp::markers_policysvgpp::policy::markers::calculate_always, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policysvgpp::policy::viewport::as_transform >::load_expected_element<rapidxml_ns::xml_node const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node const* const&, Canvas&, svgpp::tag::element::svg) /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/include/svgpp/document_traversal.hpp:108:61
#3 0x6d742e in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp:🏭:length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp:🏭:color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method >, svgpp::error_policy<svgpp::policy::error::default_policy >, svgpp::markers_policysvgpp::policy::markers::calculate_always, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policysvgpp::policy::viewport::as_transform >::load_document<rapidxml_ns::xml_node const*, Canvas>(rapidxml_ns::xml_node const* const&, Canvas&) /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/include/svgpp/document_traversal.hpp:97:12
#4 0x6d742e in renderDocument(XMLDocument&, ImageBuffer&) /home/zero/Desktop/svgpp-master/src/demo/render/svgpp_render.cpp:1659:3
#5 0x6d8b32 in main /home/zero/Desktop/svgpp-master/src/demo/render/svgpp_render.cpp:1683:7
#6 0x7fb2c6bd3d09 in __libc_start_main csu/…/csu/libc-start.c:308:16
#7 0x606bc9 in _start (/home/zero/Desktop/svgpp-master/src/source/bin/svgpp_agg_render+0x606bc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/third_party/rapidxml_ns/rapidxml_ns.hpp:882:20 in rapidxml_ns::xml_base::local_name() const
==1486083==ABORTING

credit:Cvjark,上帝的玩具