Description
We discovered a Segmentation Fault (SEGV) in clay. The crash occurs due to a READ memory access at address 0x000000000000 (Null Pointer Dereference) within the Clay__MeasureTextCached function.
Crucially, this crash is reproducible in RELEASE builds (-O3). This indicates a critical runtime bug: a pointer is dereferenced without a prior validity check, so the application crashes when processing malformed text elements.
Environment
- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Tools: AddressSanitizer
- Affected Version: master branch
Vulnerability Details
- Target: Clay (clay.h)
- Crash Type: Segmentation Fault (SEGV) on READ access
- Location: clay.h:1666 (inside Clay__MeasureTextCached)
- Crash Address: 0x000000000000
- Root Cause Analysis: The stack trace shows the path Clay__OpenTextElement -> Clay__MeasureTextCached. The crash happens at line 1666 of clay.h. The ASan report explicitly states "The signal is caused by a READ memory access" at address 0x0 (the zero page). This suggests that Clay__MeasureTextCached attempts to access a member of a structure pointer that is NULL.
Reproduce
- Build Configuration: The issue was reproduced using a Release build with AddressSanitizer enabled. The specific flags used are as follows:
mkdir -p build && cd build
cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_C_FLAGS_RELEASE="-O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG" \
-DCMAKE_CXX_FLAGS_RELEASE="-O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG" \
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
-DCLAY_INCLUDE_ALL_EXAMPLES=OFF \
-DCLAY_INCLUDE_DEMOS=ON
make -j$(nproc)
- Compile the clay test harness:
gcc -O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG harness.c -o harness
- Run the fuzzer harness with the attached repro input:
./harness repro
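As an added illustration (editor's example, not Clay's code and not the attached harness.c), the following self-contained C model shows the defect class described in the Root Cause Analysis (a text element whose character pointer is NULL is measured without a validity check, so the read lands on the zero page) next to a hardened version that validates every pointer it touches, plus the harness shape used in the Reproduce steps: a libFuzzer-style LLVMFuzzerTestOneInput entry point with a standalone main that replays one input file. Every type, function and the input layout here is a hypothetical stand-in; none of them are Clay's real structures or API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a text element and its config; NOT Clay's types. */
typedef struct {
    const char *chars;   /* may be NULL when the element was built from bad input */
    int32_t length;
} TextString;

typedef struct {
    uint16_t fontSize;
    uint16_t letterSpacing;
} TextConfig;

typedef struct {
    float width;
    float height;
} Dimensions;

enum { MEASURE_OK = 0, MEASURE_EINVAL = -1 };

/* Toy glyph metrics so the example runs offline: narrow glyphs ('i', 'l') advance
 * a quarter of the font size, everything else half; letterSpacing between glyphs. */
static Dimensions measure_glyphs(const TextString *text, const TextConfig *config) {
    Dimensions d = { 0.0f, (float)config->fontSize };
    for (int32_t i = 0; i < text->length; i++) {
        char c = text->chars[i];                       /* reads address 0 if chars is NULL */
        float advance = (c == 'i' || c == 'l') ? 0.25f : 0.5f;
        d.width += advance * (float)config->fontSize;
        if (i > 0) d.width += (float)config->letterSpacing;
    }
    return d;
}

/* Unchecked form: the defect class in the report. With text->chars == NULL and
 * length > 0, ASan reports "SEGV on unknown address 0x000000000000 ... READ". */
Dimensions measure_text_unchecked(const TextString *text, const TextConfig *config) {
    return measure_glyphs(text, config);
}

/* Hardened form: validate every pointer before use and return a status instead
 * of crashing, so malformed elements are rejected rather than dereferenced. */
int measure_text_checked(const TextString *text, const TextConfig *config, Dimensions *out) {
    if (out == NULL) return MEASURE_EINVAL;
    out->width = 0.0f;
    out->height = 0.0f;
    if (text == NULL || config == NULL) return MEASURE_EINVAL;
    if (text->length < 0) return MEASURE_EINVAL;
    if (text->length > 0 && text->chars == NULL) return MEASURE_EINVAL;  /* the NULL-deref case */
    if (config->fontSize == 0) return MEASURE_EINVAL;
    *out = measure_glyphs(text, config);
    return MEASURE_OK;
}

/* Decode a constructed input into a text element. Hypothetical layout:
 *   byte 0: flags (bit0 = chars pointer present, bit1 = config pointer present)
 *   byte 1: fontSize, byte 2: letterSpacing, bytes 3..: the text itself.
 * bit0 clear models the "malformed text element" the report describes. */
int fuzz_one_input(const uint8_t *data, size_t size, Dimensions *out) {
    if (size < 3) return MEASURE_EINVAL;
    TextConfig cfg = { .fontSize = data[1], .letterSpacing = data[2] };
    TextString txt = { .chars = (data[0] & 1) ? (const char *)(data + 3) : NULL,
                       .length = (int32_t)(size - 3) };
    const TextConfig *cfgp = (data[0] & 2) ? &cfg : NULL;
    return measure_text_checked(&txt, cfgp, out);
}

/* libFuzzer-style entry point; with -fsanitize=fuzzer this alone is the harness. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    Dimensions d;
    (void)fuzz_one_input(data, size, &d);
    return 0;
}

/* Standalone replay driver (the "./harness repro" pattern): read one file, run it once. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
```

Build it the same way as the report's harness (clang -O3 -g -fsanitize=address -fno-omit-frame-pointer -UNDEBUG model.c -o model) and replay a file whose first byte has bit0 clear; measure_text_checked rejects it with MEASURE_EINVAL, whereas routing the same element through measure_text_unchecked produces the same zero-page READ that ASan reports above. For continuous fuzzing, drop main and add -fsanitize=fuzzer so libFuzzer supplies the driver.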
ASAN report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==44944==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55eceb91b28e bp 0x7ffc4dbe5ce0 sp 0x7ffc4dbe59c0 T0)
==44944==The signal is caused by a READ memory access.
==44944==Hint: address points to the zero page.
#0 0x55eceb91b28e in Clay__MeasureTextCached /src/repro/clay/clay.h:1666
#1 0x55eceb926e68 in Clay__OpenTextElement /src/repro/clay/clay.h:2054
#2 0x55eceb9511dc in LLVMFuzzerTestOneInput /src/repro/clay/harness.c:123
#3 0x55eceb905883 in LLVMFuzzerTestOneInput /src/repro/clay/harness.c:30
#4 0x55eceb905883 in main /src/repro/clay/harness.c:188
#5 0x7fb035cc91c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#6 0x7fb035cc928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#7 0x55eceb9059a4 in _start (/src/repro/clay/harness+0x69a4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/repro/clay/clay.h:1666 in Clay__MeasureTextCached
==44944==ABORTING