CVE-2023-37769: FPE in stress-test (#76) · Issues · Pixman / pixman · GitLab
stress-test at master commit e4c878 was discovered to contain an FPE vulnerability via the component combine_inner in /pixman-combine-float.c.
Hi, developers of pixman: while testing the pixman binary instrumented with ASAN, I found an FPE vulnerability in stress-test on the master branch. I fed it the picture provided in the demos.
Here is the ASAN mode output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18520==ERROR: AddressSanitizer: FPE on unknown address 0x0000006b07cc (pc 0x0000006b07cc bp 0x7ffe8744a4d0 sp 0x7ffe8744a470 T0)
#0 0x6b07cc in combine_inner /pixman/pixman/pixman-combine-float.c
#1 0x6b07cc in combine_conjoint_atop_u_float /pixman/pixman/pixman-combine-float.c:313:1
#2 0x5ce158 in general_composite_rect /pixman/pixman/pixman-general.c:230:2
#3 0x4e2749 in pixman_image_composite32 /pixman/pixman/pixman.c:700:2
#4 0x4c8352 in run_test /pixman/test/stress-test.c:966:13
#5 0x4c669d in main /pixman/test/stress-test.c:1074:6
#6 0x7f3323dd6c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x41c639 in _start (/pixman/test/stress-test+0x41c639)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /pixman/pixman/pixman-combine-float.c in combine_inner
==18520==ABORTING
Crash input
/pixman/demos/zone_plate.png
Environment
Ubuntu 16.04
Clang 10.0.1
gcc 5.5
Edited Jul 04, 2023 by