decode: protect LTYPE.dash_i from overflowing 512

Add bit_wcs2nlen with maxlen. Fixes fuzzing GH #255 by @seviezhou
LibreDWG · Jul 31, 2020 · 4b99edb · 4b99edb
1 parent a5c20cd
commit 4b99edb
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/src/bits.c b/src/bits.c
@@ -1602,6 +1602,45 @@ bit_embed_TU_size (BITCODE_TU restrict wstr, const int len)
   return str;
 }
 
+/* len of wide string (unix-only) */
+int
+bit_wcs2nlen (BITCODE_TU restrict wstr, const size_t maxlen)
+{
+  size_t len;
+
+  if (!wstr)
+    return 0;
+  len = 0;
+#  ifdef HAVE_ALIGNED_ACCESS_REQUIRED
+  // for strict alignment CPU's like sparc only. also for UBSAN.
+  if ((uintptr_t)wstr % SIZEOF_SIZE_T)
+    {
+      unsigned char *b = (unsigned char *)wstr;
+      uint16_t c = (b[0] << 8) + b[1];
+      while (c)
+        {
+          len++;
+          if (len > maxlen)
+            return 0;
+          b += 2;
+          c = (b[0] << 8) + b[1];
+        }
+      return (int)len;
+    }
+  else
+#  endif
+  {
+    BITCODE_TU c = wstr;
+    while (*c++)
+      {
+        len++;
+        if (len > maxlen)
+          return 0;
+      }
+    return (int)len;
+  }
+}
+
 #ifndef HAVE_NATIVE_WCHAR2
 
 /* len of wide string (unix-only) */

diff --git a/src/bits.h b/src/bits.h
@@ -260,6 +260,9 @@ int bit_wcs2len (BITCODE_TU restrict wstr);
 BITCODE_TU bit_wcs2cpy (BITCODE_TU restrict dest, const BITCODE_TU restrict src);
 int bit_wcs2cmp (BITCODE_TU restrict s1, const BITCODE_TU restrict s2);
 #endif
+/* bounded length of UCS-2 string. stops scanning at maxlen.
+   Beware: might overflow to negative lengths */
+int bit_wcs2nlen (BITCODE_TU restrict wstr, const size_t maxlen);
 
 /* Converts UCS-2 to UTF-8, returning a copy. */
 EXPORT char *bit_convert_TU (BITCODE_TU restrict wstr) ATTRIBUTE_MALLOC;

diff --git a/src/dwg.spec b/src/dwg.spec
@@ -3014,8 +3014,10 @@ DWG_OBJECT (LTYPE)
             if (_obj->dashes[rcount1].shape_flag & 2)
               {
                 static int dash_i = 0;
+                if (dash_i >= 512)
+                  break;
                 _obj->dashes[rcount1].text = (char*)&_obj->strings_area[dash_i];
-                dash_i += bit_wcs2len ((BITCODE_TU)_obj->dashes[rcount1].text) + 2;
+                dash_i += bit_wcs2nlen ((BITCODE_TU)_obj->dashes[rcount1].text, 512 - dash_i) + 2;
               }
           }
       }