Several bugs found by fuzzing #176
Hi,
After fuzzing libredwg, I found the following bugs on the latest commit on master.
Command: dwg2dxf $PoC

1. Crafted input will lead to Memory allocation failed in dwg_decode_SPLINE_private (src/dwg.spec:1639)
PoC: https://github.com/linhlhq/research/blob/master/PoCs/libreDWG/id:000000%2Csig:06%2Csrc:000000%2Cop:flip1%2Cpos:36317
ASAN says:
2. Crafted input will lead to Memory allocation failed in dwg_decode_LWPOLYLINE_private (src/dwg.spec:4105)
3. Crafted input will lead to Memory allocation failed in decode_3dsolid (src/dwg.spec:1801)
4. Crafted input will lead to Memory allocation failed in dwg_decode_HATCH_private (src/dwg.spec:3774)
5. Double-free in dwg_free (src/free.c:837)
6. Heap-use-after-free in resolve_objectref_vector (src/decode.c:1434)
7. Heap-buffer-overflow in decode_R13_R2000 (src/decode.c:1315)
8. Crafted input will lead to Memory allocation failed in decode_preR13_section (src/decode.c:315)
9. Heap-buffer-overflow in decode_preR13_section (src/decode.c:350)
10. Heap-buffer-overflow in bit_search_sentinel (src/bits.c:1825)

Thanks,
Linhlhq from Infiniti Team, VinCSS (a member of Vingroup)

Comments

I can repro all

I'll ignore the preR13 error (id 000008), as this code is not stable yet, and disabled in releases.

Let the ref loop in dwg_free() free those refs. Fixes case 5 of GH #176.
Earlier DWGs can also be broken to include wrong REPEAT counts. Fixes Case 3 of GH #176

Yes, when you fix all the bugs in the release I will come back.

Done in the

Did you fix all the bugs I reported above, except for bug 8 (Memory allocation failed in decode_preR13_section)?

and optional byte overflow counter to abort >200 errors. Helpful in fuzzing, but not really useful for libs, the program must install a SIGABRT handler then. Fixes part of the remaining GH #176 case 9 (id:000024)
Various int overflows. Fixes GH #176, case 8.

All fixed now

Yeah, that was awesome. Can you help me request CVEs for the above bugs? Thank you.

You cannot get CVEs for the preR13 bugs, because that code is disabled in releases.

@rurban So are there any other bugs you can help me with? With bugs 1 to 7 that I reported above.

@rurban Can you give cliff notes on whether any of them were in active code, and link to the fixing commits?

It appears these were assigned:

Thanks, I'll have to mark them as fixed by the latest release 0.9.3

There is one fuzzing testcase in GH #176 with some broken sections
More fuzzing testcases in GH #176 with some broken sections

@rurban Can I request CVEs for the preR13 bugs? Or can you request for me? Thanks.

These cannot be CVEs, as this code is disabled in releases.

linhlhq <notifications@github.com> wrote on Wed., 1 Jan. 2020, 11:21:
> @rurban Can I request CVEs for the preR13 bugs? Or can you request for me? Thanks.

Verified them to be fixed with 3f515d5 (for the upcoming 0.10) also
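The "Memory allocation failed" and heap-buffer-overflow reports in this issue share the root cause the fix commits name: a REPEAT or element count read straight from the file and used to size an allocation or drive a read loop, with integer overflow on the way. The C program below is an added example, not code from libredwg or from anyone in this thread. It models that bug class on a hypothetical section layout (a little-endian 32-bit count followed by fixed-size 8-byte records; the stream_t, vertex_t, repeat_count_fits and decode_vertices names and the three byte strings are invented for the example) and shows the check that closes it: the count must neither wrap the size computation nor exceed the bytes that remain in the input, and that check must run before calloc() is called.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cursor over an in-memory file image (not libredwg's own type). */
typedef struct {
    const uint8_t *buf;
    size_t size;
    size_t pos;      /* invariant: pos <= size */
} stream_t;

/* Hypothetical record: two little-endian int32 fields, 8 bytes on the wire. */
typedef struct { int32_t x, y; } vertex_t;
#define VERTEX_WIRE_SIZE 8

enum { DEC_OK = 0, DEC_TRUNCATED, DEC_BAD_COUNT, DEC_OOM };

static size_t remaining(const stream_t *s) { return s->size - s->pos; }

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int read_u32(stream_t *s, uint32_t *out) {
    if (remaining(s) < 4) return 0;
    *out = le32(s->buf + s->pos);
    s->pos += 4;
    return 1;
}

/* The check that the vulnerable shape `calloc(count, size)` lacks. A count
 * taken from the file is only plausible if count * wire_size neither wraps
 * size_t nor exceeds the input still unread. A fuzzer flipping the count to
 * 0xffffffff turns an 8-byte section into a 32 GB request (the abort on
 * "Memory allocation failed"), and a count that is large but allocatable
 * sends the read loop past the end of the buffer (heap-buffer-overflow). */
int repeat_count_fits(const stream_t *s, uint32_t count, size_t wire_size) {
    if (count > SIZE_MAX / wire_size)
        return 0;                                   /* multiplication would wrap */
    return (size_t)count * wire_size <= remaining(s);
}

/* Hardened decoder: validates the count before any allocation or read.
 * On success *out is a calloc()'d array the caller frees; on failure
 * nothing is allocated and *out stays NULL. */
int decode_vertices(stream_t *s, vertex_t **out, uint32_t *n_out) {
    uint32_t n;
    *out = NULL;
    *n_out = 0;
    if (!read_u32(s, &n))
        return DEC_TRUNCATED;
    if (!repeat_count_fits(s, n, VERTEX_WIRE_SIZE))
        return DEC_BAD_COUNT;                       /* rejected before calloc() */
    if (n == 0)
        return DEC_OK;
    vertex_t *v = calloc(n, sizeof *v);
    if (!v)
        return DEC_OOM;
    for (uint32_t i = 0; i < n; i++) {              /* in bounds: n * 8 <= remaining() */
        v[i].x = (int32_t)le32(s->buf + s->pos);
        v[i].y = (int32_t)le32(s->buf + s->pos + 4);
        s->pos += VERTEX_WIRE_SIZE;
    }
    *out = v;
    *n_out = n;
    return DEC_OK;
}

/* Constructed inputs, not real DWG data: a sane section, the same section with
 * its count byte-flipped to 0xffffffff, and a count larger than the body. */
static const uint8_t GOOD[]       = { 2,0,0,0,  1,0,0,0, 2,0,0,0,  3,0,0,0, 4,0,0,0 };
static const uint8_t HUGE_COUNT[] = { 0xff,0xff,0xff,0xff,  1,0,0,0, 2,0,0,0 };
static const uint8_t SHORT_BODY[] = { 3,0,0,0,  1,0,0,0, 2,0,0,0,  3,0,0,0, 4,0,0,0 };

int decode_image(const uint8_t *img, size_t len, vertex_t **out, uint32_t *n_out) {
    stream_t s = { img, len, 0 };
    return decode_vertices(&s, out, n_out);
}

int main(void) {
    vertex_t *v;
    uint32_t n;
    int rc = decode_image(GOOD, sizeof GOOD, &v, &n);
    printf("GOOD:       rc=%d n=%u\n", rc, n);                   /* rc=0 n=2 */
    free(v);
    rc = decode_image(HUGE_COUNT, sizeof HUGE_COUNT, &v, &n);
    printf("HUGE_COUNT: rc=%d (rejected before calloc)\n", rc);  /* rc=2 */
    rc = decode_image(SHORT_BODY, sizeof SHORT_BODY, &v, &n);
    printf("SHORT_BODY: rc=%d (rejected before calloc)\n", rc);  /* rc=2 */
    return 0;
}
```

Building with -fsanitize=address -g gives the same kind of report the issue author posted if the predicate is removed; with it in place the crafted count is refused before calloc() runs, so neither an abort on allocation failure nor an out-of-bounds read is reachable. Returning an error code rather than aborting is also what a library caller wants, which is the point the fix commit makes about needing a SIGABRT handler when the abort-on-errors counter is enabled.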