Several bugs need to be fixed. #178
Comments
file:heap_overflow1
file:heap_overflow2 ASAN report:
file:heap_overflow3
file:null_pointer1
file:null_pointer2
file:dos
file:memory_leak
poc.zip
I haven't fuzzed
No worries, many people are fuzzing
don't set INDXF when HANDSEED is missing. e.g. GH #178 null_pointer2 testcase
I'm having about 170 crashes in my pipeline, which seem to be ~4 missing new protections
Yeah, I got ~700 crashes before, but I think these 7 bugs are useful. And GOOD job, these bugs seem to be done.
decode fails when it overflows, but encode does not know its final dat->size, so introduce a sensible limit. Fixes the dos testcase of GH #178
not needed anymore, we only have UNKNOWN_OBJ or UNKNOWN_ENT with full common entity_data. Fixes GH #178 heap_overflow2
heap_overflow2 is the most interesting and only remaining one.
Exactly! This issue made me confused. So weird the structure is:
and use it for TABLECONTENT. This is more stable than CLASS_DXF in cases when TABLE is mixed up with TABLECONTENT. See e.g. GH #178, where it fixes the heap_overflow2 case.
All fixed in master since 3f503dd |
Well done! Are you requesting CVEs for me?
These bugs are credited by Skyvast in ADLab of Venustech. |
No CVE's by me. Too busy preparing the next release. |
we really need to use our own for a reliable objid. It is treated just as a comment. Also fixup TableCellContent_Attr.index subclass field. Fixes GH #178 fuzzing crashes
though theoretically we could search for the type, as we do for our internal fixedtype. Fixes GH #178 fuzzing crashes
Hi,
I got some bugs, and I tested on the master branch and version 0.9.3. There are 3 heap overflows, 2 NULL pointer dereferences, 1 denial of service, and 1 stack overflow (this bug causes a memory leak in the master branch) in that.
Compile with ASAN and use dwgrewrite to repro that.
Here are some details: