Submission #733346: nicbarker clay v0.14 and master-branch Memory Corruption

Title: nicbarker clay v0.14 and master-branch Memory Corruption
Description:

### Description

We discovered a Segmentation Fault (SEGV) in clay. The crash occurs due to a READ memory access at address 0x000000000000 (Null Pointer Dereference) within the Clay__MeasureTextCached function. Crucially, this crash is reproducible in RELEASE builds (-O3). This indicates that the issue is a runtime critical bug where a pointer is dereferenced without a prior validity check, causing the application to crash when processing malformed text elements.

### Environment

- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Tools: AddressSanitizer
- Affected Version: `master branch`

### Vulnerability Details

- Target: Clay (clay.h)
- Crash Type: Segmentation Fault (SEGV) on READ access
- Location: clay.h:1666 (inside Clay__MeasureTextCached)
- Crash Address: 0x000000000000
- Root Cause Analysis: The stack trace shows the path Clay__OpenTextElement -> Clay__MeasureTextCached. The crash happens at line 1666 of clay.h. The ASan report explicitly states "The signal is caused by a READ memory access at address 0x0". This suggests that Clay__MeasureTextCached attempts to access a member of a structure pointer that is NULL.

### Reproduce

1. Build Configuration: The issue was reproduced using a Release build with AddressSanitizer enabled. The specific flags used are as follows:

```
mkdir -p build && cd build
cmake .. \
  -DCMAKE_BUILD_TYPE=Release \
  -DCMAKE_C_FLAGS_RELEASE="-O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG" \
  -DCMAKE_CXX_FLAGS_RELEASE="-O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
  -DCLAY_INCLUDE_ALL_EXAMPLES=OFF \
  -DCLAY_INCLUDE_DEMOS=ON
make -j$(nproc)
```

2. Compile the clay test [harness](https://github.com/oneafter/1215/blob/main/harness.c):

```
gcc -O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG harness.c -o harness
```

3. Run the fuzzer harness with the attached [repro](https://github.com/oneafter/1215/blob/main/repro) input:

```
./harness repro
```

ASAN report:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==44944==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55eceb91b28e bp 0x7ffc4dbe5ce0 sp 0x7ffc4dbe59c0 T0)
==44944==The signal is caused by a READ memory access.
==44944==Hint: address points to the zero page.
    #0 0x55eceb91b28e in Clay__MeasureTextCached /src/repro/clay/clay.h:1666
    #1 0x55eceb926e68 in Clay__OpenTextElement /src/repro/clay/clay.h:2054
    #2 0x55eceb9511dc in LLVMFuzzerTestOneInput /src/repro/clay/harness.c:123
    #3 0x55eceb905883 in LLVMFuzzerTestOneInput /src/repro/clay/harness.c:30
    #4 0x55eceb905883 in main /src/repro/clay/harness.c:188
    #5 0x7fb035cc91c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #6 0x7fb035cc928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
    #7 0x55eceb9059a4 in _start (/src/repro/clay/harness+0x69a4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/repro/clay/clay.h:1666 in Clay__MeasureTextCached
==44944==ABORTING
```
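Triage tooling for reports like the one quoted above, added here as an example and not part of the submission or the clay project: it parses the AddressSanitizer SEGV block into crash kind, faulting address, access type and symbolised frames, then buckets a fault in the zero page as a null dereference so that duplicate fuzzer crashes can be grouped by their top frame. The embedded report text is a constructed excerpt of the one in the submission; the 0x1000 zero-page threshold is an assumption (the first page on a typical Linux x86_64 build).

```python
import re

# Constructed excerpt of the ASan report quoted in the submission above.
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==44944==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55eceb91b28e bp 0x7ffc4dbe5ce0 sp 0x7ffc4dbe59c0 T0)
==44944==The signal is caused by a READ memory access.
==44944==Hint: address points to the zero page.
    #0 0x55eceb91b28e in Clay__MeasureTextCached /src/repro/clay/clay.h:1666
    #1 0x55eceb926e68 in Clay__OpenTextElement /src/repro/clay/clay.h:2054
    #2 0x55eceb9511dc in LLVMFuzzerTestOneInput /src/repro/clay/harness.c:123
SUMMARY: AddressSanitizer: SEGV /src/repro/clay/clay.h:1666 in Clay__MeasureTextCached
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")  # symbolised frames only

def parse_asan_report(text):
    """Extract crash kind, faulting address, access type and symbolised stack frames."""
    info = {"kind": None, "address": None, "access": None, "frames": []}
    for line in text.splitlines():
        if (m := ERROR_RE.search(line)):
            info["kind"] = m.group(1)
            info["address"] = int(m.group(2), 16)
        elif (m := ACCESS_RE.search(line)):
            info["access"] = m.group(1)
        elif (m := FRAME_RE.search(line)):
            info["frames"].append({"func": m.group(2), "file": m.group(3), "line": int(m.group(4))})
    return info

NULL_PAGE_LIMIT = 0x1000  # assumption: a NULL pointer plus a small struct-member offset lands here

def classify(info):
    """Return (bucket, top-frame 'file:line'); the pair is the dedup key for crash triage."""
    top = info["frames"][0] if info["frames"] else None
    frame_id = f"{top['file']}:{top['line']}" if top else "unknown"
    access = (info["access"] or "access").lower()
    if info["kind"] == "SEGV" and info["address"] is not None and info["address"] < NULL_PAGE_LIMIT:
        bucket = f"null-deref-{access}"      # zero page: null pointer dereference
    elif info["kind"] == "SEGV":
        bucket = f"wild-{access}"            # SEGV elsewhere: wild/uninitialised pointer
    else:
        bucket = info["kind"] or "unknown"   # heap-buffer-overflow, use-after-free, ...
    return bucket, frame_id

if __name__ == "__main__":
    print(classify(parse_asan_report(ASAN_REPORT)))
```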
Source: https://github.com/nicbarker/clay/issues/566
User: Oneafter (UID 92781)
Submitted: 2026. 01. 07. 07:28 AM (5 months ago)
Moderation: 2026. 01. 17. 05:23 PM (10 days later)
Status: Accepted
VulDB Entry: 341707 [nicbarker clay up to 0.14 clay.h Clay__MeasureTextCached denial of service]
Points: 20
