libredwg(crash)

github address
https://github.com/ArchimedesCAD/libredwg
compile the test case in the source

```
./configure
make
gcc testSVG.c -I../src/ ../src/.libs/libredwg.a -lm -o fuzz_svg
```

test with poc

```
./fuzz_svg segment_poc
```
the gdb output
```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x1f5
RBX: 0x0
RCX: 0x1b
RDX: 0x2
RSI: 0x629390 --> 0x4003
RDI: 0x6d1480 --> 0x3000000017
RBP: 0x7fffffffd690 --> 0x7fffffffd6f0 --> 0x7fffffffe240 --> 0x7fffffffe260 --> 0x0
RSP: 0x7fffffffd668 --> 0x40171d (<output_BLOCK_HEADER+227>: mov QWORD PTR [rbp-0x10],rax)
RIP: 0x401e0f (<get_first_owned_object+63>: mov rax,QWORD PTR [rax])
R8 : 0x7fffffff
R9 : 0x414fc0 ("Found null object reference. Could not output an SVG symbol for this BLOCK_HEADER\n")
R10: 0x7ffff7acc6a0 --> 0x0
R11: 0x246
R12: 0x400d90 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe340 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401e00 <get_first_owned_object+48>: repz ret
   0x401e02 <get_first_owned_object+50>: nop WORD PTR [rax+rax*1+0x0]
   0x401e08 <get_first_owned_object+56>: mov rax,QWORD PTR [rsi+0x98]
=> 0x401e0f <get_first_owned_object+63>: mov rax,QWORD PTR [rax]
   0x401e12 <get_first_owned_object+66>: ret
   0x401e13: data32 data32 data32 nop WORD PTR cs:[rax+rax*1+0x0]
   0x401e20 <get_next_owned_object>: mov rax,QWORD PTR [rdi+0x30]
   0x401e24 <get_next_owned_object+4>: mov eax,DWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd668 --> 0x40171d (<output_BLOCK_HEADER+227>: mov QWORD PTR [rbp-0x10],rax)
0008| 0x7fffffffd670 --> 0x41519c --> 0x3e736665643c09 ('\t<defs>')
0016| 0x7fffffffd678 --> 0x6295f0 --> 0x6d1480 --> 0x3000000017
0024| 0x7fffffffd680 --> 0x0
0032| 0x7fffffffd688 --> 0x629390 --> 0x4003
0040| 0x7fffffffd690 --> 0x7fffffffd6f0 --> 0x7fffffffe240 --> 0x7fffffffe260 --> 0x0
0048| 0x7fffffffd698 --> 0x401935 (<output_SVG+469>: add DWORD PTR [rbp-0x34],0x1)
0056| 0x7fffffffd6a0 --> 0x40d1a0a52e680c34
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000401e0f in get_first_owned_object (hdr_obj=0x6d1480, hdr=0x629390) at dwg.c:359
359	  return hdr->first_entity->obj;
gdb-peda$ p hdr->first_entity
$1 = (Dwg_Object_Ref *) 0x1f5 # !!!!!! illegal pointer
gdb-peda$ p hdr->first_entity->obj
Cannot access memory at address 0x1f5
gdb-peda$
```
As you can see, `hdr->first_entity` is now an illegal pointer, and we got a crash.

By using ASan, I found this is a heap overflow vulnerability.
the binary and the poc:
http://hac425.unaux.com/usr/uploads/2018/07/2407654350.zip
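The crash above is a dereference of an object reference taken from the input file without checking that it was ever resolved. Below is an added example, not libredwg's code, of the defensive shape a reader of this report would want: the raw file-derived reference value is kept separate from the resolved pointer, and the accessor resolves it against a bounds-checked table instead of trusting the pointer. All names (`Obj`, `ObjRef`, `BlockHeader`, `resolve_ref`, `get_first_owned_object_safe`, `lookup_first_entity`) and the object table are hypothetical, constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not libredwg's real structures. */
typedef struct { uint32_t handle; const char *name; } Obj;

/* The reference carries the raw value read from the file and a pointer that is
 * only set once the reference has been resolved. On this page, first_entity
 * held the raw value 0x1f5 in the pointer slot, which is what crashed. */
typedef struct { uint64_t absolute_ref; Obj *obj; } ObjRef;

typedef struct { ObjRef *first_entity; } BlockHeader;

/* Constructed sample object table that every reference must point into. */
static Obj table[] = { {1, "layer"}, {2, "line"}, {3, "circle"} };
#define NUM_OBJS (sizeof table / sizeof table[0])

/* Resolve a reference against the table; NULL for a missing or out-of-range one. */
Obj *resolve_ref(ObjRef *ref) {
    if (ref == NULL) return NULL;
    if (ref->obj != NULL) return ref->obj;              /* already resolved */
    if (ref->absolute_ref == 0 || ref->absolute_ref > NUM_OBJS) return NULL;
    ref->obj = &table[ref->absolute_ref - 1];
    return ref->obj;
}

/* Unchecked form, as at dwg.c:359 on this page (kept as a comment):
 *   return hdr->first_entity->obj;
 * Checked form: never dereferences an unresolved or absent reference. */
Obj *get_first_owned_object_safe(BlockHeader *hdr) {
    if (hdr == NULL) return NULL;
    return resolve_ref(hdr->first_entity);
}

/* Build a header whose first_entity carries raw value `raw`, then look it up. */
Obj *lookup_first_entity(uint64_t raw) {
    ObjRef ref = { raw, NULL };
    BlockHeader hdr = { &ref };
    return get_first_owned_object_safe(&hdr);
}

int main(void) {
    Obj *o = lookup_first_entity(2);
    printf("ref 2 -> %s\n", o ? o->name : "(null)");
    /* 0x1f5 is the value seen in the gdb session above; it is out of range here. */
    if (lookup_first_entity(0x1f5) == NULL)
        puts("Found null object reference. Could not output an SVG symbol for this BLOCK_HEADER");
    return 0;
}
```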