[Bug Report] Heap buffer overflow in SkSVGSVG with AddressSanitizer - 840-byte allocation issue in construct_svg_node()


Jacob Sologub

Jul 1, 2025, 8:42:08 AM7/1/25
to skia-discuss
Hi Skia team,

I'm encountering a heap buffer overflow in SVG handling that occurs when AddressSanitizer is enabled in Xcode.

## Issue Summary
- construct_svg_node() allocates exactly 840 bytes for SkSVGSVG objects
- The SkTLazy<SkRect> viewBox member is positioned at the memory boundary
- Calling getViewBox() triggers a copy constructor that reads 20 bytes past the allocation
- Only crashes with AddressSanitizer; without it, silently reads uninitialized memory

## Environment
- Platform: macOS 15.5 (BuildVersion: 24F74), arm64
- Skia version: bb166c8595
- Compiler: Xcode with AddressSanitizer enabled

## Minimal Reproduction
```cpp
#include "include/core/SkStream.h"
#include "modules/svg/include/SkSVGDOM.h"
#include "modules/svg/include/SkSVGSVG.h"

int main() {
    SkFILEStream stream("/path/to/any/valid.svg");  // Any SVG file triggers this

    if (stream.isValid()) {
        auto svg = SkSVGDOM::MakeFromStream(stream);
        auto root = svg->getRoot();
        auto viewBox = root->getViewBox(); // Heap buffer overflow here
    }
    return 0;
}
```

## Abridged AddressSanitizer Output
```
READ of size 20 at 0x61800004cbc8
0x61800004cbc8 is located 0 bytes after 840-byte region

Stack trace:
#0 __asan_memcpy+0x394
#1 SkTLazy<SkRect>::SkTLazy(SkTLazy<SkRect> const&) // Copy constructor
#2 SkSVGSVG::getViewBox() const

Allocation trace:
#1 construct_svg_node(SkDOM const&, ConstructionContext const&, SkDOMNode const*)
#2 SkSVGDOM::Builder::make(SkStream&) const
#3 SkSVGDOM::MakeFromStream(SkStream&)
```

-Jacob
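The geometry the report describes (an 840-byte allocation, a lazily-set rectangle as the last member, and a copy that reads 20 bytes past the end) can be reproduced in miniature with stand-in types. The following is an added example, not Skia's code and not a claim about the actual root cause in construct_svg_node(): `Rect`, `LazyRect` and `Node` are constructed stand-ins, and the assumption that a lazy rectangle has the size of `std::optional<Rect>` (16 bytes of value plus an engaged flag, padded to 20) is what makes the 20-byte read line up. `allocationFits` is the kind of pre-construction check a factory can apply so that a size mismatch between the buffer and the type fails loudly even without AddressSanitizer.

```cpp
#include <cstddef>
#include <optional>

// Constructed stand-ins (not Skia's types) with the shape the report describes.
struct Rect { float left, top, right, bottom; };   // 4 floats = 16 bytes
using LazyRect = std::optional<Rect>;               // value + engaged flag, padded to 20 bytes

// The allocation size quoted in the AddressSanitizer report.
constexpr std::size_t kReportedAllocation = 840;

// A node whose final member is the lazy rect. The header is sized so that the lazy
// member begins exactly at the reported allocation boundary (constructed, not Skia's layout).
struct Node {
    unsigned char header[kReportedAllocation];  // everything that precedes viewBox
    LazyRect viewBox;                           // sits entirely past byte 840
};

// Bytes that a full copy of Node::viewBox would read beyond an allocation of allocBytes.
// With the reported 840-byte allocation this is the whole 20-byte member.
constexpr std::size_t bytesReadPastEnd(std::size_t allocBytes) {
    return sizeof(Node) > allocBytes ? sizeof(Node) - allocBytes : 0;
}

// Defensive check a factory could apply before placement-new: refuse to construct a T
// into a buffer that cannot hold sizeof(T) bytes.
template <typename T>
constexpr bool allocationFits(std::size_t allocBytes) {
    return allocBytes >= sizeof(T);
}

int main() {
    // Under AddressSanitizer the real program reports "READ of size 20 ... 0 bytes after
    // 840-byte region"; here the same numbers fall out of the layout arithmetic.
    static_assert(sizeof(LazyRect) == 20, "lazy rect stand-in is expected to be 20 bytes");
    static_assert(!allocationFits<Node>(kReportedAllocation), "840 bytes cannot hold Node");
    return bytesReadPastEnd(kReportedAllocation) == 20 ? 0 : 1;
}
```

The two `static_assert`s are the point: a check of that form in the allocation path turns a silent out-of-bounds read into a compile-time or construction-time failure, which is what you want when the overflow otherwise only surfaces under AddressSanitizer.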