encode: disallow 3DSOLID num_blocks calculation

from block_size[]. this might overflow with fuzzed/malicious data. all our input data (dwg. dxf, json) already sets num_blocks to a correct value already. Fixes oss-fuzz issue 32165 with dwgrewrite (broken block_sizes vector)
LibreDWG · Mar 18, 2021 · 084083c · 084083c
1 parent 9712e2f
commit 084083c
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/dwg.spec b/src/dwg.spec
@@ -2159,12 +2159,15 @@ static int encode_3dsolid (Bit_Chain* dat, Bit_Chain* hdl_dat,
               LOG_TRACE ("default block_size[0] = %d\n", (int)FIELD_VALUE (block_size[0]));
               num_blocks = 1;
             }
+          /* insecure. e.g. oss-fuzz issue 32165
+             all inouts: dwg, injson and indxf have correct num_blocks values
           else if (!num_blocks)
             {
               num_blocks = 0;
               for (i = 0; FIELD_VALUE (block_size[i]); i++)
                 num_blocks++;
             }
+          */
           LOG_TRACE ("acis_data:\n%s\n", FIELD_VALUE (acis_data));
           for (i = 0; FIELD_VALUE (block_size[i]) && i < num_blocks; i++)
             {