decode: improve appinfo is_teigha check

with corrupt APPINFO.version string shorter than 6 chars. e.g. by fuzzing. Fixes GH #252 fuzzing by @seviezhou Also extract 2 more common fields upfront.
LibreDWG · Jul 31, 2020 · 966beb5 · 966beb5
1 parent 8ebc76a
commit 966beb5
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 10 deletions.
diff --git a/src/appinfo.spec b/src/appinfo.spec
@@ -18,23 +18,19 @@
 
   #include "spec.h"
 
-  FIELD_RL (class_version, 0);      // 2-3
-  if (dwg->header.version < R_2007 && _obj->class_version < 3)
-    {
-      FIELD_TU16 (appinfo_name, 0);  // AppInfoDataList
+  FIELD_RL (class_version, 0);     // 2-3
+  FIELD_TU16 (appinfo_name, 0);    // AppInfoDataList
 #ifndef IS_JSON
-      FIELD_RL (num_strings, 0);     // 3
+  FIELD_RL (num_strings, 0);       // 2-3
 #endif
+  if (dwg->header.version < R_2007 && _obj->class_version < 3)
+    {
       FIELD_TU16 (comment, 0);
       FIELD_TU16 (product_info, 0);
       FIELD_TU16 (version, 0);
     }
   else
     {
-      FIELD_TU16 (appinfo_name, 0);    // AppInfoDataList
-#ifndef IS_JSON
-      FIELD_RL (num_strings, 0);       // 2-3
-#endif
       FIELD_TFFx (version_checksum, 16, 0);
       FIELD_TU16 (version, 0); // "Teigha(R) 4.3.2.0", AutoCAD: "19.0.55.0.0"
       FIELD_TFFx (comment_checksum, 16, 0);

diff --git a/src/decode.c b/src/decode.c
@@ -2988,7 +2988,7 @@ appinfo_private (Bit_Chain *restrict dat, Dwg_Data *restrict dwg)
   #include "appinfo.spec"
   // clang-format on
 
-  if (_obj->version && *_obj->version)
+  if (_obj->version && bit_wcs2len (_obj->version) >= 6)
     {
       is_teigha = memcmp (_obj->version, "T\0e\0i\0g\0h\0a\0", 12) == 0;
       LOG_TRACE ("is_teigha: %s\n", is_teigha ? "true" : "false")