Submission #733341: raysan5 raylib 909f040 Heap-based Buffer Overflow

Information

Title: raysan5 raylib 909f040 Heap-based Buffer Overflow
Description:

### Description

We discovered a Heap Buffer Overflow (Write) vulnerability in Raylib. The crash occurs within GenImageFontAtlas in src/rtext.c. The application attempts to write data 4 bytes past the end of a heap-allocated buffer (size 2MB). Vendor confirmed and fixed this vulnerability in commit [5a3391f](https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146).

### Environment

- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Build Configure: Release
- Affected Version: `master branch`

### Vulnerability Details

- Target: Raylib
- Crash Type: Heap-buffer-overflow (WRITE of size 1)
- Source File: src/raylib/src/rtext.c
- Function: GenImageFontAtlas
- Line Number: 901 (Column 94)
- Allocation Site: src/raylib/src/rtext.c:856 (Allocated 2,097,152 bytes)
- Root Cause Analysis: The ASAN report shows a write violation at address 0x7f1baeaf7804, which is 4 bytes beyond the 2MB buffer allocated at line 856. The buffer appears to be the image data buffer for the font atlas. The loop at line 901 likely iterates through the packed glyphs to write their pixels into the atlas. It seems that the calculated destination index (or the packing logic) produces an offset that slightly exceeds the pre-calculated image size, causing an out-of-bounds write during the pixel copying process.

### Reproduce

1. Compile the raylib font test [harness](https://github.com/oneafter/1224/blob/main/harness_raylib_font.c) with AddressSanitizer enabled (-fsanitize=address -g)
2. Run the fuzzer harness with the attached [repro](https://github.com/oneafter/1224/blob/main/hbf2) input:

```
./harness < repro
```

ASAN report

```
==2307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe905f18804 at pc 0x557117efe1e1 bp 0x7fffff239f60 sp 0x7fffff239f58
WRITE of size 1 at 0x7fe905f18804 thread T0
    #0 0x557117efe1e0 in GenImageFontAtlas /src/raylib/src/rtext.c:901:94
    #1 0x557117eddfbb in main /src/raylib/harness_raylib_font.c:49:27
    #2 0x7fe9097141c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #3 0x7fe90971428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x557117dfc724 in _start (/src/raylib/build_afl/harness_raylib_font+0x88724) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)

0x7fe905f18804 is located 4 bytes after 2097152-byte region [0x7fe905d18800,0x7fe905f18800)
allocated by thread T0 here:
    #0 0x557117e9c73d in calloc (/src/raylib/build_afl/harness_raylib_font+0x12873d) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)
    #1 0x557117efc65c in GenImageFontAtlas /src/raylib/src/rtext.c:856:35
    #2 0x557117eddfbb in main /src/raylib/harness_raylib_font.c:49:27
    #3 0x7fe9097141c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x7fe90971428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #5 0x557117dfc724 in _start (/src/raylib/build_afl/harness_raylib_font+0x88724) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/raylib/src/rtext.c:901:94 in GenImageFontAtlas
Shadow bytes around the buggy address:
  0x7fe905f18580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fe905f18600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fe905f18680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fe905f18700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fe905f18780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fe905f18800:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fe905f18880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fe905f18900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fe905f18980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fe905f18a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fe905f18a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2307==ABORTING
```

### Additional Evidence

[repro](https://github.com/oneafter/1224/blob/main/hbf3_1)

```
==3056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f46c2fdf84e at pc 0x559529d6c1e1 bp 0x7ffc2d5cc000 sp 0x7ffc2d5cbff8
WRITE of size 1 at 0x7f46c2fdf84e thread T0
    #0 0x559529d6c1e0 in GenImageFontAtlas /src/raylib/src/rtext.c:901:94
    #1 0x559529d4bfbb in main /src/raylib/harness_raylib_font.c:49:27
    #2 0x7f46c36181c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #3 0x7f46c361828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x559529c6a724 in _start (/src/raylib/build_afl/harness_raylib_font+0x88724) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)

0x7f46c2fdf84e is located 78 bytes after 131072-byte region [0x7f46c2fbf800,0x7f46c2fdf800)
allocated by thread T0 here:
    #0 0x559529d0a73d in calloc (/src/raylib/build_afl/harness_raylib_font+0x12873d) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)
    #1 0x559529d6a65c in GenImageFontAtlas /src/raylib/src/rtext.c:856:35
    #2 0x559529d4bfbb in main /src/raylib/harness_raylib_font.c:49:27
    #3 0x7f46c36181c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x7f46c361828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #5 0x559529c6a724 in _start (/src/raylib/build_afl/harness_raylib_font+0x88724) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/raylib/src/rtext.c:901:94 in GenImageFontAtlas
Shadow bytes around the buggy address:
  0x7f46c2fdf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f46c2fdf600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f46c2fdf680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f46c2fdf700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f46c2fdf780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f46c2fdf800: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x7f46c2fdf880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f46c2fdf900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f46c2fdf980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f46c2fdfa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f46c2fdfa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3056==ABORTING
```
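As an added illustration of the mitigation for the defect class described in the root cause analysis (this is example code written for this page, not raylib's code and not part of the submitter's report): a glyph copy into a font atlas that checks each glyph's destination rectangle against the image bounds before writing. The `Atlas` and `Glyph` types and all function names are hypothetical, and the atlas is assumed to be one byte per pixel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal types for this example; they are not raylib's structs. */
typedef struct { int width, height; uint8_t *data; } Atlas;      /* 1 byte per pixel */
typedef struct { int x, y, w, h; const uint8_t *pixels; } Glyph; /* w*h source bytes */

/* True iff rectangle (x,y,w,h) lies fully inside a width*height image; 64-bit sums so hostile sizes cannot wrap. */
static bool rect_in_bounds(int x, int y, int w, int h, int width, int height)
{
    if (x < 0 || y < 0 || w < 0 || h < 0 || width <= 0 || height <= 0) return false;
    return (int64_t)x + w <= width && (int64_t)y + h <= height;
}

/* Copy one glyph into the atlas. Returns 0 on success, -1 if the placement would touch
   bytes outside atlas->data. The per-row destination index (y+row)*width + x must stay
   below width*height; without the check a placement a few pixels too far right or too
   low writes just past the allocation, which is what the ASAN report above flags. */
int blit_glyph_checked(Atlas *atlas, const Glyph *g)
{
    if (!rect_in_bounds(g->x, g->y, g->w, g->h, atlas->width, atlas->height)) return -1;
    for (int row = 0; row < g->h; row++) {
        size_t dst = (size_t)(g->y + row) * (size_t)atlas->width + (size_t)g->x;
        memcpy(atlas->data + dst, g->pixels + (size_t)row * (size_t)g->w, (size_t)g->w);
    }
    return 0;
}

/* Pack all glyphs; returns the index of the first glyph that does not fit,
   or -1 when every glyph was placed. The caller can then grow the atlas. */
int build_atlas(Atlas *atlas, const Glyph *glyphs, int count)
{
    for (int i = 0; i < count; i++)
        if (blit_glyph_checked(atlas, &glyphs[i]) != 0) return i;
    return -1;
}

int main(void)
{
    uint8_t buf[16 * 16] = {0};                    /* constructed 16x16 atlas */
    Atlas atlas = { 16, 16, buf };
    const uint8_t px[4] = { 1, 2, 3, 4 };          /* constructed 2x2 glyph bitmap */
    Glyph glyphs[] = { { 14, 14, 2, 2, px },       /* fits: last pixel is buf[255] */
                       { 15, 15, 2, 2, px } };     /* would write past the end */
    printf("first rejected glyph: %d\n", build_atlas(&atlas, glyphs, 2)); /* prints 1 */
    return 0;
}
```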
Source: https://github.com/raysan5/raylib/issues/5433
User: Oneafter (UID 92781)
Submitted: 07/01/2026 07:16 AM (5 months ago)
Moderation: 17/01/2026 05:11 PM (10 days later)
Status: Approved
VulDB Entry: 341705 [raysan5 raylib up to 909f040 src/rtext.c GenImageFontAtlas memory corruption]
Points: 20
