CVE-2021-44960: New vulnerability · Issue #101 · svgpp/svgpp

In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function, called from the renderDocument function, handles the XMLDocument object improperly: it returns a null pointer early at the second if, which leads to a null pointer dereference later in renderDocument.


id_000015,sig_11,src_001176,time_147681735,op_arith8,pos_10,val_+3.zip
The XMLDocument::getRoot function in the renderDocument function handled the XMLDocument object improperly, returning a null pointer in advance at the second if, resulting in a null pointer reference behind the renderDocument function.

AddressSanitizer:DEADLYSIGNAL

==1486083==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006d742e bp 0x7fffc6d83dd0 sp 0x7fffc6d83880 T0)
==1486083==The signal is caused by a READ memory access.
==1486083==Hint: address points to the zero page.
#0 0x6d742e in rapidxml_ns::xml_base::local_name() const /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/third_party/rapidxml_ns/rapidxml_ns.hpp:882:20
#1 0x6d742e in svgpp::policy::xml::element_iterator<rapidxml_ns::xml_node const*>::get_local_name(rapidxml_ns::xml_node const*) /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/include/svgpp/policy/xml/rapidxml_ns.hpp:127:43
#2 0x6d742e in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method >, svgpp::error_policy<svgpp::policy::error::default_policy >, svgpp::markers_policysvgpp::policy::markers::calculate_always, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policysvgpp::policy::viewport::as_transform >::load_expected_element<rapidxml_ns::xml_node const*, Canvas, svgpp::tag::element::svg>(rapidxml_ns::xml_node const* const&, Canvas&, svgpp::tag::element::svg) /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/include/svgpp/document_traversal.hpp:108:61
#3 0x6d742e in bool svgpp::document_traversal<svgpp::context_factories<child_context_factories>, svgpp::length_policy<svgpp::policy::length::forward_to_method<Canvas, svgpp::factory::length::unitless<double, double, svgpp::tag::length_units::mm> const> >, svgpp::color_factory<svgpp::factory::color::percentage_adapter<color_factory_base_t> >, svgpp::processed_elements<processed_elements>, svgpp::processed_attributes<processed_attributes>, svgpp::path_policy<path_policy>, svgpp::document_traversal_control_policy, svgpp::transform_events_policy<svgpp::policy::transform_events::forward_to_method >, svgpp::path_events_policy<svgpp::policy::path_events::forward_to_method >, svgpp::error_policy<svgpp::policy::error::default_policy >, svgpp::markers_policysvgpp::policy::markers::calculate_always, svgpp::attribute_traversal_policy<attribute_traversal>, svgpp::viewport_policysvgpp::policy::viewport::as_transform >::load_document<rapidxml_ns::xml_node const*, Canvas>(rapidxml_ns::xml_node const* const&, Canvas&) /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/include/svgpp/document_traversal.hpp:97:12
#4 0x6d742e in renderDocument(XMLDocument&, ImageBuffer&) /home/zero/Desktop/svgpp-master/src/demo/render/svgpp_render.cpp:1659:3
#5 0x6d8b32 in main /home/zero/Desktop/svgpp-master/src/demo/render/svgpp_render.cpp:1683:7
#6 0x7fb2c6bd3d09 in __libc_start_main csu/…/csu/libc-start.c:308:16
#7 0x606bc9 in _start (/home/zero/Desktop/svgpp-master/src/source/bin/svgpp_agg_render+0x606bc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zero/Desktop/svgpp-master/src/demo/render/…/…/…/third_party/rapidxml_ns/rapidxml_ns.hpp:882:20 in rapidxml_ns::xml_base::local_name() const
==1486083==ABORTING

credit: Cvjark, 上帝的玩具
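
The failure pattern the report describes (a root accessor that can return null, and a caller that traverses the result without checking) is shown below next to a checked caller. This is an added example, not code from the issue or from svgpp: `Node`, `Document`, `get_root`, `count_children_unchecked`, `render_checked` and `RenderStatus` are hypothetical stand-ins, and the two early-return conditions are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the demo's XML wrapper; not svgpp or rapidxml_ns types.
struct Node {
    std::string local_name;
    std::vector<std::string> child_names;
};

class Document {
public:
    explicit Document(std::vector<Node> top) : top_(std::move(top)) {}
    // Assumed shape of the bug: a second early-return path yields nullptr.
    const Node* get_root() const {
        if (top_.empty()) return nullptr;                     // nothing parsed
        if (top_.front().local_name.empty()) return nullptr;  // no usable root element
        return &top_.front();
    }
private:
    std::vector<Node> top_;
};

enum class RenderStatus { Ok, NoRoot, UnexpectedRoot };

// Unchecked caller: a null root here is the READ of address 0 that ASan reports.
std::size_t count_children_unchecked(const Document& doc) {
    return doc.get_root()->child_names.size();
}

// Hardened caller: validate the root before traversal touches it.
RenderStatus render_checked(const Document& doc, std::size_t& drawn) {
    drawn = 0;
    const Node* root = doc.get_root();
    if (root == nullptr) return RenderStatus::NoRoot;
    if (root->local_name != "svg") return RenderStatus::UnexpectedRoot;
    drawn = root->child_names.size();
    return RenderStatus::Ok;
}

int main() {
    std::size_t drawn = 0;
    Document empty{std::vector<Node>{}};  // constructed input with no root
    bool rejected = render_checked(empty, drawn) == RenderStatus::NoRoot;
    std::cout << (rejected ? "rejected: no root\n" : "unexpected\n");
    return rejected ? 0 : 1;
}
```
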

Related news

Ubuntu Security Notice USN-6178-1

Ubuntu Security Notice 6178-1 - It was discovered that the demo application in the SVG++ library incorrectly managed memory, resulting in a memory access violation under certain circumstances. An attacker could possibly use this issue to leak memory information or run a denial of service attack. This issue only affected Ubuntu 18.04 LTS. It was also discovered that the demo application in the SVG++ library incorrectly handled null pointers under certain circumstances. An attacker could possibly use this issue to cause denial of service, leak memory information or manipulate program execution flow.
