z2d Graphics Library Out-of-Bounds Write Vulnerability Leading to Memory Corruption
Vulnerability
A vulnerability exists in the z2d graphics library for Zig, specifically in versions after 0.5.1 and up to 0.6.0. The issue arises when writing from one surface to another using the StrideCompositor, particularly through higher-level operations such as Context.fill, Context.stroke, painter.fill, and painter.stroke, when the anti-aliasing mode is set to 'default'. A negative offset allows the source surface to lie completely out of bounds on the x-axis (but not the y-axis). This overflows the value that determines the length of the stride, potentially leading to invalid memory access or corruption, especially in non-safe optimization modes such as 'ReleaseFast' or 'ReleaseSmall'.
Impact
Exploitation of this vulnerability could result in invalid memory access or corruption, particularly for users compiling with non-safe optimization modes.
Reproduction
The vulnerability can be reproduced by creating a surface and a context, then performing drawing operations that intentionally extend beyond the surface bounds on the x-axis while staying within the y-axis limits. This is done by using negative offsets in the drawing commands, which trigger the out-of-bounds condition and cause the library to panic when it attempts to convert a negative value into an unsigned integer. The issue is tracked in z2d issue #104.
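As an added illustration of the defect described in the Vulnerability and Reproduction sections (this is a model written for this page, not z2d's code), the Rust block below mirrors the row-clipping step of a stride compositor: a source row placed at a negative horizontal offset that pushes it entirely left of the destination yields a negative span length, which wraps when cast straight to an unsigned type, whereas clamping to an empty span before the conversion skips the row safely. The names `visible_span`, `stride_len_unchecked` and `composite_row` are assumptions.

```rust
// Model of a stride compositor's row-clipping step (illustrative, not z2d's code).
// A source row of `src_w` pixels is written into a destination row of `dst_w`
// pixels at horizontal offset `ox`, which may be negative.

/// Visible part of the source row inside the destination as
/// (src_start, dst_start, len). Returns None when nothing is visible, including
/// the case the advisory describes: the source lies entirely to the left of the
/// destination (ox + src_w <= 0), so the raw span length would be negative.
pub fn visible_span(dst_w: usize, src_w: usize, ox: i64) -> Option<(usize, usize, usize)> {
    let src_end = ox.checked_add(src_w as i64)?; // exclusive end, destination coordinates
    let start = ox.max(0); // clip on the left edge of the destination
    let end = src_end.min(dst_w as i64); // clip on the right edge
    if end <= start {
        return None; // empty span: skip the row instead of computing a length
    }
    Some(((start - ox) as usize, start as usize, (end - start) as usize))
}

/// The unchecked variant: the signed span is cast directly to usize.
/// For a fully out-of-bounds source the span is negative and the cast wraps to a
/// huge length, which models the behaviour of a non-safe build where the
/// negative-to-unsigned conversion is not checked.
pub fn stride_len_unchecked(dst_w: usize, src_w: usize, ox: i64) -> usize {
    let end = (ox + src_w as i64).min(dst_w as i64);
    let start = ox.max(0);
    (end - start) as usize
}

/// Copy one row into the destination with clipping; never writes outside `dst`.
pub fn composite_row(dst: &mut [u8], src: &[u8], ox: i64) {
    if let Some((s, d, len)) = visible_span(dst.len(), src.len(), ox) {
        dst[d..d + len].copy_from_slice(&src[s..s + len]);
    }
}
```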
Remediation
Users are advised to update to version 0.6.1. Those on an untagged version after 0.5.1 and before 0.6.1 should also update, and users still on Zig 0.13.0 are recommended to downgrade to 0.5.1.
