
Heap overflow #183

Closed
linhlhq opened this issue Jan 13, 2020 · 2 comments
Labels: bug (Something isn't working), fuzzing (Intentional illegal input)

linhlhq commented Jan 13, 2020

I found a bug in dwg2dxf.
POC: https://github.com/linhlhq/research/blob/master/PoCs/libreDWG_69b5609/id:000000%2Csig:06%2Csrc:000001%2Cop:flip4%2Cpos:27167

==29243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000005b2 at pc 0x7ffafa9dc77a bp 0x7ffcc19b07e0 sp 0x7ffcc19aff88
WRITE of size 126 at 0x6140000005b2 thread T0
    #0 0x7ffafa9dc779  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x561777b62e9c in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x561777b62e9c in read_2004_compressed_section ../../src/decode.c:2379
    #3 0x56177811f8af in read_2004_section_preview ../../src/decode.c:2778
    #4 0x56177811f8af in decode_R2004 ../../src/decode.c:2965
    #5 0x56177812c264 in dwg_decode ../../src/decode.c:245
    #6 0x561777adb7c2 in dwg_read_file ../../src/dwg.c:211
    #7 0x561777ad9550 in main ../../programs/dwg2dxf.c:255
    #8 0x7ffafa1f5b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x561777adaa69 in _start (/home/user/linhlhq/libredwg/asan_build/programs/dwg2dxf+0x363a69)

Address 0x6140000005b2 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
==29243==ABORTING
rurban commented Jan 13, 2020

Ha, and I just released 0.10.1

@rurban rurban self-assigned this Jan 13, 2020
@rurban rurban added the bug Something isn't working label Jan 13, 2020
@rurban rurban added this to the 0.11 milestone Jan 13, 2020
rurban added a commit that referenced this issue Jan 13, 2020
Add a separate writer index j for the info->size chunks being written.
Fix the uncompressed write overflow check.
Fixes GH #183 (fuzzed)
rurban commented Jan 13, 2020

Fixed in master, with bcec483
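
The fix pattern named in the commit message above (a separate writer index and a bound on the uncompressed write), shown as an added C example; this is a constructed illustration, not libredwg's decoder, and section_hdr, copy_chunks and try_copy are assumed names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: fields a decoder reads from an untrusted header. */
struct section_hdr {
    uint32_t size;      /* claimed uncompressed size of the section */
    uint32_t info_size; /* bytes per chunk when copying it out */
};

/* Copy the section in info_size chunks into dst. The write offset j is
   kept separately from the read offset i, so the check before every
   memcpy is against the space actually left in dst, which is what the
   "uncompressed write overflow check" in the commit has to guarantee.
   Returns bytes written, or -1 when the header would overflow dst. */
static long copy_chunks(const struct section_hdr *hdr,
                        const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_cap)
{
    size_t i = 0, j = 0, todo = hdr->size;

    if (hdr->info_size == 0 || todo > src_len)
        return -1; /* header claims more input than exists */
    while (todo > 0) {
        size_t n = todo < hdr->info_size ? todo : hdr->info_size;
        if (n > dst_cap - j)
            return -1; /* this chunk would run past the allocation */
        memcpy(dst + j, src + i, n);
        i += n; j += n; todo -= n;
    }
    return (long)j;
}

/* Run copy_chunks over a constructed 200-byte input into a dst of
   dst_cap bytes (at most 256), returning copy_chunks' result. */
static long try_copy(uint32_t size, uint32_t info_size, size_t dst_cap)
{
    static uint8_t src[200], dst[256];
    struct section_hdr hdr = { size, info_size };
    if (dst_cap > sizeof dst) return -1;
    for (size_t k = 0; k < sizeof src; k++) src[k] = (uint8_t)k;
    return copy_chunks(&hdr, src, sizeof src, dst, dst_cap);
}

int main(void)
{
    printf("fits: %ld\n", try_copy(120, 32, 128));    /* 120 */
    printf("refused: %ld\n", try_copy(200, 126, 128)); /* -1 */
    return 0;
}
```

A header asking for 200 bytes in 126-byte chunks passes the first chunk and is refused on the second, before any byte lands outside the 128-byte destination.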
