lottie: Runtime crash by heap-buffer-overflow #3102

Closed
tinyjin opened this issue Jan 7, 2025 · 6 comments
Labels: bug (Something isn't working), raster (Rasterizers (sw/gl/wg)), showstopper (Regression bugs / Critical errors)

Comments

tinyjin (Member) commented Jan 7, 2025

Animation File: sample.json

Crashes on landscape resolution (w > h)

Related: LottieFiles/dotlottie-ios#49

CleanShot 2025-01-07 at 13 09 37@2x

CleanShot 2025-01-07 at 13 09 51@2x

CleanShot 2025-01-07 at 13 10 04@2x

tinyjin added the bug (Something isn't working) and lottie (Lottie animation) labels Jan 7, 2025
hermet added the showstopper (Regression bugs / Critical errors) label Jan 7, 2025
hermet added this to ThorVG Jan 7, 2025
hermet added this to the 1.0 milestone Jan 7, 2025
hermet added the raster (Rasterizers (sw/gl/wg)) label and removed the lottie (Lottie animation) label Jan 7, 2025
hermet self-assigned this Jan 8, 2025
hermet moved this to In Progress in ThorVG Jan 8, 2025
hermet added a commit that referenced this issue Jan 8, 2025
fixed a runtime error report of the sanitizer
at data casting.

issue: #3102

hermet (Member) commented Jan 8, 2025

@tinyjin Could you please test with this PR? I couldn't reproduce the crash on my macOS / linux.

tinyjin (Member, Author) commented Jan 8, 2025

CleanShot 2025-01-08 at 17 30 14@2x

Still happens

> @tinyjin Could you please test with this PR? I couldn't reproduce the crash on my macOS / linux.

hermet added a commit that referenced this issue Jan 8, 2025
fixed a runtime error report of the sanitizer
at data casting.

issue: #3102

hermet (Member) commented Jan 9, 2025

@tinyjin could you please share the following values at the crash point?

vv, sw, uu and image->w, image->h

elahav commented Jan 9, 2025

Could this be the same issue I reported today in the discussion section? See my patch there:

https://github.com/orgs/thorvg/discussions/3109

hermet (Member) commented Jan 10, 2025

> Could this be the same issue I reported today in the discussion section? See my patch there:
>
> https://github.com/orgs/thorvg/discussions/3109

@elahav I guess not. :-)

tinyjin (Member, Author) commented Jan 10, 2025

> @tinyjin could you please share the following values at the crash point?
>
> vv, sw, uu and image->w, image->h

Sure, here is a log I've gotten.

CleanShot 2025-01-10 at 16 48 48@2x

hermet pushed a commit that referenced this issue Jan 16, 2025
Fix heap buffer overflow in texture mapping rasterizer by adding proper
bounds checking for texture coordinates. This prevents accessing memory
outside of the allocated image buffer during texture sampling and
interpolation.

Co-Authored-By: Hermet Park <[email protected]>

issue: #3102
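
The kind of bounds check this commit message describes, as an added C example that is not ThorVG's code: a bilinear sampler reads the `+1` neighbour texels, so a coordinate on the last row or column makes an unchecked sampler index past the buffer. The `Image` struct, the function names and the constructed 4x2 landscape image used to exercise it are assumptions made for illustration.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical image type for this example: 32-bit pixels, row-major. */
typedef struct { const uint32_t *buf; int32_t w, h, stride; } Image;

/* Largest element index an unchecked bilinear sampler touches: it reads
   (x0+1, y0+1) without asking whether that texel exists. */
long unchecked_max_index(const Image *img, float u, float v) {
    long x0 = (long)u, y0 = (long)v;
    return (y0 + 1) * img->stride + (x0 + 1);
}

/* Blend two packed pixels channel by channel, t in [0, 255]. */
static uint32_t lerp_px(uint32_t a, uint32_t b, uint32_t t) {
    uint32_t out = 0;
    for (int s = 0; s < 32; s += 8) {
        uint32_t ca = (a >> s) & 0xff, cb = (b >> s) & 0xff;
        out |= ((ca * (255 - t) + cb * t + 127) / 255) << s;
    }
    return out;
}

/* Checked sampler: returns 1 and writes *out, or 0 if inputs are unusable. */
int sample_bilinear(const Image *img, float u, float v, uint32_t *out) {
    if (!img || !img->buf || !out) return 0;
    if (img->w <= 0 || img->h <= 0 || img->stride < img->w) return 0;
    if (isnan(u) || isnan(v)) return 0;
    /* Clamp while still in float so the cast to int cannot overflow. */
    float mu = (float)(img->w - 1), mv = (float)(img->h - 1);
    float fu = u < 0.0f ? 0.0f : (u > mu ? mu : u);
    float fv = v < 0.0f ? 0.0f : (v > mv ? mv : v);
    int32_t x0 = (int32_t)fu, y0 = (int32_t)fv;
    /* The +1 neighbours are where edge samples leave the buffer. */
    int32_t x1 = x0 + 1 < img->w ? x0 + 1 : x0;
    int32_t y1 = y0 + 1 < img->h ? y0 + 1 : y0;
    uint32_t tx = (uint32_t)((fu - (float)x0) * 255.0f);
    uint32_t ty = (uint32_t)((fv - (float)y0) * 255.0f);
    const uint32_t *r0 = img->buf + (size_t)y0 * (size_t)img->stride;
    const uint32_t *r1 = img->buf + (size_t)y1 * (size_t)img->stride;
    *out = lerp_px(lerp_px(r0[x0], r0[x1], tx), lerp_px(r1[x0], r1[x1], tx), ty);
    return 1;
}
```

Building a test harness around such a sampler with `-fsanitize=address` reports the same class of error as this issue if the neighbour clamp is removed.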

hermet closed this as completed Jan 16, 2025
github-project-automation bot moved this from In Progress to Done 0.10 in ThorVG Jan 16, 2025
hermet moved this from Done 0.10 to Done 1.0 in ThorVG Jan 16, 2025
mgrudzinska pushed a commit to mgrudzinska/thorvg that referenced this issue Jan 16, 2025
fixed a runtime error report of the sanitizer
at data casting.

issue: thorvg#3102
mgrudzinska pushed a commit to mgrudzinska/thorvg that referenced this issue Jan 16, 2025
Fix heap buffer overflow in texture mapping rasterizer by adding proper
bounds checking for texture coordinates. This prevents accessing memory
outside of the allocated image buffer during texture sampling and
interpolation.

Co-Authored-By: Hermet Park <[email protected]>

issue: thorvg#3102