POC:
https://pan.baidu.com/s/1_V7Y8oZt2qBO2QUvlyLZrA
Description:
Dead Block DoS: a malloc operation is performed inside this dead block, which wastes the system's memory and may eventually lead to the collapse of the system.
    ptPathCmd = svgNewPathCommand( g_atPathCommandFormat[ uiCmdIdx ].tId );

uiCmdIdx is always set to 18

    const char* svgGetNextPathField( const char *szData, char *szField )
    {
        const char *szStart = NULL, *szEnd = NULL;

        if( szData==NULL || szField==NULL )
            return NULL;

        szField[ 0 ] = '\0';

        // FIXME: Make sure that this "M100,100L200,500" will be parsed...
        // Search for the start of the field
        szStart = szData;
        while( *szStart!='\0' && ( *szStart=='\t' || *szStart=='\r' || *szStart=='\n' || *szStart==' ' || *szStart==',' ) ) {
            szStart ++;
        }
        if( *szStart=='\0' )
            return NULL;

        // Search for the end
        szEnd = szStart + 1;
        while( *szEnd!='\0' && *szEnd!='\t' && *szEnd!='\r' && *szEnd!='\n' && *szEnd!=' ' && *szEnd!=',' ) {
            szEnd ++;
        }

        strncpy( szField, szStart, ( size_t )( szEnd - szStart ) );
        szField[ szEnd - szStart ] = 0;

        return szStart;
    }
If none of the branches that can affect the value of szStart is taken, the function returns szStart with the same value that was delivered as a parameter. Unfortunately, a malloc operation is performed inside this dead block, which wastes the system's memory and may eventually lead to the collapse of the system.
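The return-value problem described above, as an added example that is not the project's code or the reporter's: the same scan with two return contracts, and a caller loop that refuses to continue when the cursor does not advance. All names (`scan_field`, `field_returns_start`, `field_returns_end`, `walk_fields`, `FIELD_CAP`) are hypothetical, and it assumes the caller feeds the returned pointer back in as the next `szData`, which the report implies but does not show.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_CAP 64  /* assumed buffer size for this example */

static int is_sep(char c) { return c != '\0' && strchr("\t\r\n ,", c) != NULL; }

/* Shared scan: copies the next field and reports where it starts and ends. */
static int scan_field(const char *data, char *field,
                      const char **start, const char **end) {
    size_t len;
    if (data == NULL || field == NULL) return 0;
    field[0] = '\0';
    for (*start = data; is_sep(**start); (*start)++) ;
    if (**start == '\0') return 0;
    for (*end = *start + 1; **end != '\0' && !is_sep(**end); (*end)++) ;
    len = (size_t)(*end - *start);
    if (len >= FIELD_CAP) return 0;  /* field would not fit: stop parsing */
    memcpy(field, *start, len);
    field[len] = '\0';
    return 1;
}

/* Same return contract as the function quoted above: start of the field. */
const char *field_returns_start(const char *data, char *field) {
    const char *s, *e;
    return scan_field(data, field, &s, &e) ? s : NULL;
}

/* Hardened contract: return the end of the field, so the cursor advances. */
const char *field_returns_end(const char *data, char *field) {
    const char *s, *e;
    return scan_field(data, field, &s, &e) ? e : NULL;
}

typedef const char *(*field_fn)(const char *, char *);

/* Caller loop with a progress guard; each counted field stands in for one
   allocation. Returns the count, or -1 on a stalled cursor or too many fields. */
long walk_fields(const char *data, field_fn next, size_t max_fields) {
    char field[FIELD_CAP];
    const char *cur = data, *nxt;
    size_t n = 0;
    while ((nxt = next(cur, field)) != NULL) {
        if (nxt <= cur || ++n > max_fields) return -1;
        cur = nxt;
    }
    return (long)n;
}
```

The guard in `walk_fields` bounds the loop even if a tokenizer with the original contract is plugged in, and `max_fields` caps how many allocations a single path string can trigger.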