Status: Closed
Labels: bug (Something isn't working)

Description
Hi,
I found the following two crashing inputs while doing fuzzing research.
Both inputs make svg2png crash without ASAN.

Input 1: `<svg><path d=" m -6977508458321 , 9577z"/></svg>`
Input 2: `<svg><path d=" M570 +7704969,80, +1z"/></svg>`
```text
username@machine:~/lunasvg_crash/lunasvg$ ./build/examples/svg2png input-1.svg
AddressSanitizer:DEADLYSIGNAL
=================================================================
==448418==ERROR: AddressSanitizer: SEGV on unknown address 0x603000010000 (pc 0x55f6253f8f88 bp 0x7ffe892838b0 sp 0x7ffe89283788 T0)
==448418==The signal is caused by a WRITE memory access.
    #0 0x55f6253f8f88 in plutovg_memfill32 (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x110f88)
    #1 0x55f6253f099d in plutovg_surface_clear (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x10899d)
    #2 0x55f6252fd0ed in lunasvg::Bitmap::clear(unsigned int) /home/username/lunasvg_crash/lunasvg/source/lunasvg.cpp:101
    #3 0x55f6253038fb in lunasvg::Document::renderToBitmap(int, int, unsigned int) const /home/username/lunasvg_crash/lunasvg/source/lunasvg.cpp:503
    #4 0x55f6252fbc3b in main /home/username/lunasvg_crash/lunasvg/examples/svg2png.cpp:55
    #5 0x748478829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x748478829e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x55f6252fb344 in _start (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x13344)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x110f88) in plutovg_memfill32
==448418==ABORTING
```

```text
username@machine:~/lunasvg_crash/lunasvg$ ./build/examples/svg2png input-2.svg
AddressSanitizer:DEADLYSIGNAL
=================================================================
==448419==ERROR: AddressSanitizer: SEGV on unknown address 0x7145e8185000 (pc 0x5880fd71c101 bp 0x7ffd55216fe0 sp 0x7ffd55216eb8 T0)
==448419==The signal is caused by a WRITE memory access.
    #0 0x5880fd71c101 in plutovg_memfill32 (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x111101)
    #1 0x5880fd71399d in plutovg_surface_clear (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x10899d)
    #2 0x5880fd6200ed in lunasvg::Bitmap::clear(unsigned int) /home/username/lunasvg_crash/lunasvg/source/lunasvg.cpp:101
    #3 0x5880fd6268fb in lunasvg::Document::renderToBitmap(int, int, unsigned int) const /home/username/lunasvg_crash/lunasvg/source/lunasvg.cpp:503
    #4 0x5880fd61ec3b in main /home/username/lunasvg_crash/lunasvg/examples/svg2png.cpp:55
    #5 0x7145eb829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7145eb829e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x5880fd61e344 in _start (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x13344)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/username/lunasvg_crash/lunasvg/build/examples/svg2png+0x111101) in plutovg_memfill32
==448419==ABORTING
```
Thanks,
Leon
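Both traces put the faulting write in `plutovg_memfill32` while `Bitmap::clear` is clearing the freshly created surface, before any path is rasterized, so the size of the bitmap the document ends up asking for is the first thing a front-end should check. The block below is an added example, not lunasvg or plutovg code and not a fix for the underlying bug: two caller-side guards a converter such as svg2png could run before calling `renderToBitmap`. The 4-bytes-per-pixel layout, the 256 MiB byte budget, the 1e6 coordinate bound, and the treatment of every numeric token in a path `d` attribute as a coordinate are assumptions made for the example; the two crashing inputs from the report are embedded as sample data.

```cpp
// Added example: caller-side guards for an SVG rasterizer front-end such as
// svg2png. This is not lunasvg/plutovg code and not a fix for the bug itself.
// Assumptions: 4 bytes per pixel (RGBA), a 256 MiB pixel budget, a 1e6 bound
// on path coordinates, and a renderer taking int width/height as the
// renderToBitmap(int, int, unsigned) frame in the trace does.
#include <algorithm>
#include <cctype>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

constexpr std::int64_t kBytesPerPixel = 4;                    // assumed RGBA
constexpr std::int64_t kMaxBitmapBytes = 256LL * 1024 * 1024; // assumed budget
constexpr double kMaxAbsCoordinate = 1.0e6;                   // assumed bound

// Byte size of a width x height bitmap, or -1 when the dimensions are
// non-positive, when stride or stride*height would not fit a 32-bit int
// (the point at which width*height*4 computed in `int` wraps), or when the
// size exceeds the budget.
std::int64_t checkedBitmapBytes(int width, int height,
                                std::int64_t budget = kMaxBitmapBytes) {
    if (width <= 0 || height <= 0) return -1;
    const std::int64_t stride = static_cast<std::int64_t>(width) * kBytesPerPixel;
    if (stride > INT32_MAX) return -1;  // checked first so the next multiply cannot overflow int64
    const std::int64_t bytes = stride * static_cast<std::int64_t>(height);
    if (bytes > INT32_MAX || bytes > budget) return -1;
    return bytes;
}

// Largest absolute numeric token inside any path d="..." attribute of the SVG
// text. Treating every number as a coordinate over-approximates (arc flags are
// numbers too), which is the safe direction for a rejection threshold.
double maxAbsPathCoordinate(const std::string& svg) {
    double worst = 0.0;
    std::size_t pos = 0;
    while ((pos = svg.find("d=\"", pos)) != std::string::npos) {
        // Skip longer attribute names that happen to end in "d", e.g. id="...".
        if (pos > 0 && !std::isspace(static_cast<unsigned char>(svg[pos - 1]))) {
            pos += 3;
            continue;
        }
        const std::size_t end = svg.find('"', pos + 3);
        if (end == std::string::npos) break;
        const std::string d = svg.substr(pos + 3, end - pos - 3);
        const char* p = d.c_str();
        while (*p) {
            const bool leadIn = (*p == '-' || *p == '+' || *p == '.');
            if (std::isdigit(static_cast<unsigned char>(*p)) ||
                (leadIn && std::isdigit(static_cast<unsigned char>(p[1])))) {
                char* q = nullptr;
                const double v = std::strtod(p, &q);  // handles "+7704969", "-6977508458321", "1e3"
                worst = std::max(worst, std::fabs(v));
                p = q;
            } else {
                ++p;  // command letters, commas, whitespace
            }
        }
        pos = end + 1;
    }
    return worst;
}

// Accept the document for rasterization only if both guards pass.
bool acceptForRender(const std::string& svg, int width, int height) {
    return maxAbsPathCoordinate(svg) <= kMaxAbsCoordinate &&
           checkedBitmapBytes(width, height) >= 0;
}

int main() {
    // Constructed sample inputs: the two crashing documents from the report
    // plus one benign document.
    const std::string samples[] = {
        "<svg><path d=\" m -6977508458321 , 9577z\"/></svg>",
        "<svg><path d=\" M570 +7704969,80, +1z\"/></svg>",
        "<svg width=\"100\" height=\"100\"><path d=\"M10 10 L90 90z\"/></svg>",
    };
    for (const auto& s : samples) {
        std::printf("max |coordinate| = %.0f -> %s\n", maxAbsPathCoordinate(s),
                    acceptForRender(s, 100, 100) ? "accept" : "reject");
    }
    // A 490 x 7704968 bitmap (the extent of input 2's path) needs ~15 GB and
    // does not fit 32-bit size arithmetic, so it is refused before any clear().
    std::printf("490 x 7704968 -> %lld\n",
                static_cast<long long>(checkedBitmapBytes(490, 7704968)));
    return 0;
}
```

The coordinate guard is deliberately coarse: it does not parse the path grammar, it only asks whether any number in the path is far outside what a raster could ever contain, which is what both fuzz inputs have in common. The size guard is the one that matters for the trace shown, since it refuses any width/height pair whose `width*height*4` cannot be represented in an `int` before the renderer allocates and clears the surface.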