Submission #733342: raysan5 raylib 909f040 Heap-based Buffer Overflow (Info)

Title: raysan5 raylib 909f040 Heap-based Buffer Overflow
Description:

### Description

We discovered a Heap Buffer Overflow (Write) vulnerability in Raylib. The crash occurs within GenImageFontAtlas in src/rtext.c. The application attempts to write 1 byte before the start of a heap-allocated buffer. Vendor confirmed and fixed this vulnerability in commit [5a3391f](https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146).

### Environment

- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Build Configure: Release
- Affected Version: `master branch`

### Vulnerability Details

- Target: Raylib
- Crash Type: Heap-buffer-overflow (WRITE of size 1) / Heap Underflow
- Source File: src/raylib/src/rtext.c
- Function: GenImageFontAtlas
- Line Number: 967 (Column 46)
- Allocation Site: src/raylib/src/rtext.c:856 (Allocated only 1 byte)
- Root Cause Analysis: The ASAN report indicates a write violation at 0x5020000008cf, which is 1 byte before the 1-byte region [0x5020000008d0, 0x5020000008d1).
  1. Tiny Allocation: The destination buffer was allocated with a size of only 1 byte. This suggests that the calculated atlas dimensions (imgWidth * imgHeight * bpp) were extremely small (likely 1x1 pixel) due to specific input glyph parameters.
  2. Negative Indexing: The code at line 967 likely performs pixel writing (e.g., pixels[index] = value). The crash implies that the calculated index was -1 (or equivalent pointer arithmetic resulted in base_ptr - 1), causing the write to land in the ASAN "Left Redzone". This often happens when padding calculations or loop counters underflow.

### Reproduce

1. Compile the raylib font test [harness](https://github.com/oneafter/1224/blob/main/harness_raylib_font.c) with AddressSanitizer enabled (-fsanitize=address -g)
2. Run the fuzzer harness with the attached [repro](https://github.com/oneafter/1224/blob/main/hbf3) input:

   ```
   ./harness < repro
   ```

ASAN report

```
==2602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000008cf at pc 0x564c245b7ec8 bp 0x7ffc152dfc80 sp 0x7ffc152dfc78
WRITE of size 1 at 0x5020000008cf thread T0
    #0 0x564c245b7ec7 in GenImageFontAtlas /src/raylib/src/rtext.c:967:46
    #1 0x564c24597fbb in main /src/raylib/harness_raylib_font.c:49:27
    #2 0x7f8be13b61c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #3 0x7f8be13b628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x564c244b6724 in _start (/src/raylib/build_afl/harness_raylib_font+0x88724) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)

0x5020000008cf is located 1 bytes before 1-byte region [0x5020000008d0,0x5020000008d1)
allocated by thread T0 here:
    #0 0x564c2455673d in calloc (/src/raylib/build_afl/harness_raylib_font+0x12873d) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)
    #1 0x564c245b665c in GenImageFontAtlas /src/raylib/src/rtext.c:856:35
    #2 0x564c24597fbb in main /src/raylib/harness_raylib_font.c:49:27
    #3 0x7f8be13b61c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x7f8be13b628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #5 0x564c244b6724 in _start (/src/raylib/build_afl/harness_raylib_font+0x88724) (BuildId: e4cb6e6c9d2ceaf7402b83966bc71e3ad01f720c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/raylib/src/rtext.c:967:46 in GenImageFontAtlas
Shadow bytes around the buggy address:
  0x502000000600: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x502000000680: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x502000000700: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x502000000780: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x502000000800: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x502000000880: fa fa fd fa fa fa fd fd fa[fa]01 fa fa fa fa fa
  0x502000000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2602==ABORTING
```
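The root-cause analysis above describes the failure shape: an atlas buffer of imgWidth * imgHeight * bpp bytes that collapses to 1 byte, followed by a pixel write at index -1 that lands in the left redzone. The following is an added illustration of the defensive pattern that prevents such a write, not raylib's code and not the vendor fix; the `Atlas` struct and the `atlas_alloc` / `atlas_put` helpers are hypothetical names chosen for this example.

```c
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical minimal pixel atlas (not raylib's Image struct). */
typedef struct {
    unsigned char *pixels;
    int width, height, bpp;
} Atlas;

/* Allocate width*height*bpp bytes, rejecting non-positive dimensions
 * and any product that would wrap around before reaching calloc. */
bool atlas_alloc(Atlas *a, int width, int height, int bpp) {
    a->pixels = NULL; a->width = a->height = a->bpp = 0;
    if (width <= 0 || height <= 0 || bpp <= 0) return false;
    if ((size_t)width > SIZE_MAX / (size_t)height) return false;
    size_t px = (size_t)width * (size_t)height;
    if (px > SIZE_MAX / (size_t)bpp) return false;
    a->pixels = calloc(px, (size_t)bpp);
    if (a->pixels == NULL) return false;
    a->width = width; a->height = height; a->bpp = bpp;
    return true;
}

/* Write one byte at (x, y, channel). A negative or out-of-range
 * coordinate is refused instead of becoming pixels[-1], which is the
 * write the ASAN report above flags one byte before the region. */
bool atlas_put(Atlas *a, int x, int y, int ch, unsigned char v) {
    if (a->pixels == NULL) return false;
    if (x < 0 || y < 0 || ch < 0) return false;
    if (x >= a->width || y >= a->height || ch >= a->bpp) return false;
    size_t idx = ((size_t)y * (size_t)a->width + (size_t)x) * (size_t)a->bpp
               + (size_t)ch;
    a->pixels[idx] = v;
    return true;
}

/* Reproduce the report's shape on a 1x1x1 (1-byte) atlas: the underflowing
 * write must be rejected, the single in-bounds write must succeed.
 * Returns 1 when both hold. */
int demo_one_byte_atlas(void) {
    Atlas a;
    if (!atlas_alloc(&a, 1, 1, 1)) return -1;
    int rejected = atlas_put(&a, -1, 0, 0, 0xff) ? 0 : 1;  /* index -1 */
    int accepted = atlas_put(&a, 0, 0, 0, 0xff) ? 1 : 0;   /* index 0  */
    int value = a.pixels[0];
    free(a.pixels);
    return (rejected && accepted && value == 0xff) ? 1 : 0;
}
```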
Source: https://github.com/raysan5/raylib/issues/5434
User: Oneafter (UID 92781)
Submission: 07/01/2026 07:17 AM (5 months ago)
Moderation: 17/01/2026 05:11 PM (10 days later)
Status: Duplicate
VulDB Entry: 341705 [raysan5 raylib up to 909f040 src/rtext.c GenImageFontAtlas buffer overflow]
Points: 0
