Several bugs found by fuzzing #179

Hi,
After fuzzing libredwg, I found the following bugs on the latest commit on master.
Command: ./dwg2svg2 $PoC

1. heap-buffer-overflow in read_pages_map ../../src/decode_r2007.c:1007
POC: https://github.com/linhlhq/research/blob/master/PoCs/libreDWG_0.9.3.2564/id:000239%2Csig:06%2Csrc:007083%2Cop:havoc%2Crep:4
ASAN says:

2. heap-buffer-overflow in bit_search_sentinel ../../src/bits.c:1844
3. heap-buffer-overflow in bfr_read ../../src/decode.c:1548
4. Crafted input will lead to "Memory allocation failed" in read_sections_map ../../src/decode_r2007.c:917
5. heap-buffer-overflow in copy_compressed_bytes ../../src/decode_r2007.c:233
6. NULL pointer dereference in get_next_owned_entity ../../src/dwg.c:935
7. NULL pointer dereference in dwg_dynapi_entity_value /home/user/linhlhq/libredwg/asan_build/src/gen-dynapi.pl:1395

Comments

Thanks, but dwg2svg2 is not even installed. Can't you just fuzz the official dwg2SVG instead?

Commits referencing this issue:
length is a user value, add src_end. Fixes GH #179, case 5
skip section when >0xf0000. Fixes case 4 of GH #179
off by 16, the sentinel length. Fixes case 2 of GH #179
fix another heap overflow to the right side this time. Found by the 2nd fuzzing round GH #179
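The commit messages above describe one class of fix applied three ways: a file-supplied length is checked against the end of the source buffer before copying, a section size is capped before allocating, and a sentinel search stops early enough that the comparison never runs past the buffer. The block below is an added example written for this page, not libredwg's code; the function names, the 0xf0000 cap and the 16-byte sentinel length (taken from the commit messages), and the sample buffers are assumptions constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits, reusing the figures quoted in the commit messages:
 * sections larger than 0xf0000 are skipped, and the sentinel is 16 bytes. */
#define MAX_SECTION_SIZE 0xf0000u
#define SENTINEL_LEN     16u

/* Copy `length` bytes from src to dst, where `length` came from the file.
 * Refuses when the read would pass src_end or the write would pass dst_end.
 * Returns the byte count copied, or -1 if the length was rejected. */
long copy_bytes_checked(const unsigned char *src, const unsigned char *src_end,
                        unsigned char *dst, const unsigned char *dst_end,
                        size_t length)
{
    if (src > src_end || dst > dst_end)
        return -1;
    if (length > (size_t)(src_end - src))   /* read would run past the input */
        return -1;
    if (length > (size_t)(dst_end - dst))   /* write would run past the output */
        return -1;
    memcpy(dst, src, length);
    return (long)length;
}

/* Gate an allocation on a size read from the file. */
int section_size_ok(uint32_t size)
{
    return size != 0 && size <= MAX_SECTION_SIZE;
}

/* Find a SENTINEL_LEN-byte sentinel in buf[0..len). The loop stops at
 * len - SENTINEL_LEN so memcmp never reads beyond the buffer; iterating
 * up to len instead reads as many as 16 bytes too far. */
long find_sentinel(const unsigned char *buf, size_t len,
                   const unsigned char sentinel[SENTINEL_LEN])
{
    if (len < SENTINEL_LEN)
        return -1;
    for (size_t i = 0; i + SENTINEL_LEN <= len; i++)
        if (memcmp(buf + i, sentinel, SENTINEL_LEN) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample data, not taken from any real DWG file. */
#define SAMPLE_LEN 32
static const unsigned char SAMPLE[SAMPLE_LEN + 1] = "0123456789abcdef0123456789abcdef";
static const unsigned char SENTINEL[SENTINEL_LEN] = {
    0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
    0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf };

/* Claimed length 40 on a 32-byte input: rejected. */
long demo_reject_overlong_copy(void)
{
    unsigned char dst[64];
    return copy_bytes_checked(SAMPLE, SAMPLE + SAMPLE_LEN, dst, dst + sizeof dst, 40);
}

/* Claimed length exactly equal to the input: accepted. */
long demo_accept_exact_copy(void)
{
    unsigned char dst[64];
    return copy_bytes_checked(SAMPLE, SAMPLE + SAMPLE_LEN, dst, dst + sizeof dst, SAMPLE_LEN);
}

/* Length fits the input but not the 8-byte destination: rejected. */
long demo_reject_dst_overflow(void)
{
    unsigned char dst[8];
    return copy_bytes_checked(SAMPLE, SAMPLE + SAMPLE_LEN, dst, dst + sizeof dst, 16);
}

/* 20 filler bytes followed by the sentinel: found at offset 20. */
long demo_find_sentinel(void)
{
    unsigned char buf[20 + SENTINEL_LEN];
    memset(buf, 0xff, 20);
    memcpy(buf + 20, SENTINEL, SENTINEL_LEN);
    return find_sentinel(buf, sizeof buf, SENTINEL);
}

/* Buffer shorter than the sentinel: nothing to search, no over-read. */
long demo_find_sentinel_short(void)
{
    unsigned char buf[15];
    memset(buf, 0xc0, sizeof buf);
    return find_sentinel(buf, sizeof buf, SENTINEL);
}

int main(void)
{
    printf("overlong copy: %ld\n", demo_reject_overlong_copy());
    printf("exact copy: %ld\n", demo_accept_exact_copy());
    printf("dst overflow: %ld\n", demo_reject_dst_overflow());
    printf("section 0x%x ok: %d\n", 0xf0001u, section_size_ok(0xf0001u));
    printf("sentinel at: %ld\n", demo_find_sentinel());
    printf("short buffer: %ld\n", demo_find_sentinel_short());
    return 0;
}
```

The point of carrying `src_end` and `dst_end` as explicit parameters is that the callee can reject a length before touching memory, rather than trusting that the caller sized the buffers for whatever the file claimed; a fuzzer finds the missing check quickly because any oversized length turns into an ASAN report at the memcpy.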