CVE-2020-26682: Bug in ass_outline.c:1354: _Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int): Assertion `rad >= eps' failed. · Issue #431 · libass/libass
In libass 0.14.0, ass_outline_construct's call to outline_stroke causes a signed integer overflow.
fuzzer & poc: libass.zip
gdb:
fstark@fstark-virtual-machine:~/libass$ gdb ./libass_fuzzer
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./libass_fuzzer...done.
(gdb) r out/fuzz5/crashes/id\:000000\,sig\:06\,src\:000046+000020\,time\:11326439\,op\:splice\,rep\:128
Starting program: /home/fstark/libass/libass_fuzzer out/fuzz5/crashes/id\:000000\,sig\:06\,src\:000046+000020\,time\:11326439\,op\:splice\,rep\:128
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
======================= INFO =========================
This binary is built for AFL-fuzz.
To run the target function on individual input(s) execute this:
/home/fstark/libass/libass_fuzzer < INPUT_FILE
or
/home/fstark/libass/libass_fuzzer INPUT_FILE1 [INPUT_FILE2 ... ]
To fuzz with afl-fuzz execute this:
afl-fuzz [afl-flags] /home/fstark/libass/libass_fuzzer [-N]
afl-fuzz will run N iterations before re-spawning the process (default: 1000)
======================================================
Reading 11249 bytes from out/fuzz5/crashes/id:000000,sig:06,src:000046+000020,time:11326439,op:splice,rep:128
libass_fuzzer: ass_outline.c:1354: _Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int): Assertion `rad >= eps' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff6efa428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
(gdb) t
[Current thread is 1 (Thread 0x7ffff7fdb780 (LWP 25974))]
(gdb) bt
#0 0x00007ffff6efa428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff6efc02a in __GI_abort () at abort.c:89
#2 0x00007ffff6ef2bd7 in __assert_fail_base (fmt=<optimized out>,
assertion=assertion@entry=0x66d940 <.str.3> "rad >= eps",
file=file@entry=0x66d820 <.str.1> "ass_outline.c", line=line@entry=1354,
function=function@entry=0x66d980 <__PRETTY_FUNCTION__.outline_stroke> "_Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int)") at assert.c:92
#3 0x00007ffff6ef2c82 in __GI___assert_fail (assertion=0x66d940 <.str.3> "rad >= eps",
file=0x66d820 <.str.1> "ass_outline.c", line=1354,
function=0x66d980 <__PRETTY_FUNCTION__.outline_stroke> "_Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int)") at assert.c:101
#4 0x000000000050911f in outline_stroke () at ass_outline.c:1354
#5 0x00000000004de968 in ass_outline_construct () at ass_render.c:1222
#6 0x000000000052327d in ass_cache_get () at ass_cache.c:404
#7 0x00000000004f2bb8 in get_bitmap_glyph () at ass_render.c:1456
#8 0x00000000004ed5db in render_and_combine_glyphs () at ass_render.c:2359
#9 0x00000000004e39e9 in ass_render_event () at ass_render.c:2787
#10 0x00000000004e17d7 in ass_render_frame () at ass_render.c:3153
#11 0x00000000004cc94d in LLVMFuzzerTestOneInput () at /src/libass_fuzzer.cc:45
#12 0x00000000004ccf5f in ExecuteFilesOnyByOne () at /src/libfuzzer/afl/afl_driver.cpp:217
#13 main () at /src/libfuzzer/afl/afl_driver.cpp:254
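The failure mode the report describes, as an added illustration that is not libass code: a border radius computed in `int` wraps negative, which is exactly what makes the `rad >= eps` precondition false. The pixel-to-26.6 conversion below is an assumed stand-in for the caller's real arithmetic; only the names rad, eps, xbord and ybord come from the reported outline_stroke signature, and the oversized width is a constructed input.

```c
/* Added illustration, not libass code. The pixels * 64 conversion is an
 * assumed stand-in for the caller's real arithmetic; only the names rad,
 * eps, xbord and ybord are taken from the reported outline_stroke signature. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define D6_SCALE 64  /* assumed 26.6 fixed-point scale */

/* Models the overflowing path: the product is computed modulo 2^32,
 * reproducing two's-complement wraparound without invoking UB. */
static int border_d6_wrapping(int width_px) {
    return (int)((uint32_t)width_px * (uint32_t)D6_SCALE);
}

/* Hardened version: detect the overflow and saturate instead of wrapping. */
static int border_d6_saturating(int width_px) {
    int out;
    if (__builtin_mul_overflow(width_px, D6_SCALE, &out))
        return width_px < 0 ? INT_MIN : INT_MAX;
    return out;
}

/* Mirrors the failing precondition from the report: rad is the larger
 * border and must be at least eps, otherwise the assertion would fire. */
static bool stroke_precondition_holds(int xbord, int ybord, int eps) {
    int rad = xbord > ybord ? xbord : ybord;
    return rad >= eps;
}

int main(void) {
    const int huge_px = 40000000;  /* constructed oversized border width */
    int naive = border_d6_wrapping(huge_px);
    int safe  = border_d6_saturating(huge_px);
    printf("wrapping:   rad=%d precondition=%d\n", naive,
           stroke_precondition_holds(naive, 0, 1));
    printf("saturating: rad=%d precondition=%d\n", safe,
           stroke_precondition_holds(safe, 0, 1));
    return 0;
}
```

The wrapping path yields a negative radius and the precondition fails; the saturating path clamps to INT_MAX and the precondition holds.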