Several bugs found by fuzzing #188
2. NULL pointer dereference in get_bmp ../../programs/dwgbmp.c:164
3. heap-buffer-overflow in read_2004_compressed_section ../../src/decode.c:2417
4. Memory leaks in dwg_decode_eed ../../src/decode.c:3638
5. heap-buffer-overflow in read_2004_section_appinfo ../../src/decode.c:2842
6. heap-buffer-overflow in read_2004_compressed_section ../../src/decode.c:2417
7. NULL pointer dereference in read_2004_compressed_section ../../src/decode.c:2337
8. heap-buffer-overflow in bit_calc_CRC ../../src/bits.c:2213
9. heap-buffer-overflow in read_2004_section_handles ../../src/decode.c:2637
10. heap-buffer-overflow in read_2004_section_classes ../../src/decode.c:2440
11. heap-buffer-overflow in read_2004_section_preview ../../src/decode.c:3175
12. heap-buffer-overflow in bit_search_sentinel ../../src/bits.c:1985
13. memcpy-param-overlap in read_2004_section_header ../../src/decode.c:2580
14. heap-buffer-overflow in read_2004_section_revhistory ../../src/decode.c:3051
15. heap-buffer-overflow in bit_read_B ../../src/bits.c:135
16. heap-buffer-overflow in bit_read_RC ../../src/bits.c:318
do the same dwgbmp checks as in decode. "Invalid thumbnail data" on overflow. Fixes Case 2, id 203 of GH #188
skip section on out-of-bounds sizes: max_decomp_size (block size) > 0x8000 or impossible overall size. In case of errors calc the true sec_dat->size to avoid heap overflows. Fixes ids 0,4,8,9,16,34,36,46,171,203 of GH #188
skip section on out-of-bounds sizes: max_decomp_size (block size) > 0x8000 or impossible overall size. Also, with mult. blocks the size must exceed the size of the first block. In case of errors calc the true sec_dat->size to avoid heap overflows. Fixes ids 0,4,8,9,16,34,36,46,171,203 of GH #188
for the last block, the size may be smaller. Only read this then. Fixes all but 2 ids of GH #188: ids 6,15,31,91
Fixing id 31 of GH #188. Check for NULL sections (Template), and info->size overflow > 2GB. Fixes crashes7, id 1. Also protect the right side of dat->chain and decomp. Fixes the remaining GH #188 case, id 168.
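The commit messages above describe the size checks that closed most of these crashes. As an added illustration (not libredwg's own code), the following C encodes those rules against a constructed, simplified section descriptor: block size bounded at 0x8000, total size kept below 2GB, a multi-block section must be larger than one block, and the last block is read at its real, possibly shorter, size so the copy stays inside the destination buffer. The struct, constants and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified view of a 2004 compressed-section descriptor.
   This is an illustration, not libredwg's own struct or API. */
typedef struct {
  uint32_t size;            /* total decompressed size of the section */
  uint32_t max_decomp_size; /* decompressed size of one block */
  uint32_t num_blocks;      /* number of compressed blocks in the section */
} section_desc_t;

#define MAX_BLOCK_SIZE   0x8000u      /* block-size bound from the commit message */
#define MAX_SECTION_SIZE 0x7fffffffu  /* reject "overflow > 2GB" totals */

/* Decide whether a descriptor read from untrusted input is plausible before
   any buffer is sized from it: bounded block size, bounded total, a
   multi-block section must be larger than one block, and the block count
   must be consistent with the total (the last block may be short). */
bool section_desc_ok(const section_desc_t *d)
{
  if (d->max_decomp_size == 0 || d->max_decomp_size > MAX_BLOCK_SIZE)
    return false;
  if (d->size == 0 || d->size > MAX_SECTION_SIZE || d->num_blocks == 0)
    return false;
  if (d->num_blocks > 1 && d->size <= d->max_decomp_size)
    return false; /* several blocks but the total fits in one: inconsistent */
  uint64_t capacity = (uint64_t)d->num_blocks * d->max_decomp_size;
  if (capacity < d->size)
    return false; /* the blocks cannot hold the claimed total */
  if (capacity - d->size >= d->max_decomp_size)
    return false; /* more blocks than the total can occupy */
  return true;
}

/* Decompressed bytes block i really contributes: a full block for all but
   the last one, which may be smaller. Summing this over all blocks yields
   the true section size; copying max_decomp_size for the last block is the
   pattern that overruns the destination buffer. */
size_t block_read_size(const section_desc_t *d, uint32_t i)
{
  uint64_t offset = (uint64_t)i * d->max_decomp_size;
  if (offset >= d->size)
    return 0; /* block index past the end of the section */
  uint64_t left = d->size - offset;
  return left < d->max_decomp_size ? (size_t)left : (size_t)d->max_decomp_size;
}
```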
Hi,
After fuzzing libredwg, I found the following bugs on the latest commit on master.
Command: ./dwgbmp $PoC
1. NULL pointer dereference in read_2004_compressed_section ../../src/decode.c:2417
POC: https://github.com/linhlhq/research/blob/master/PoCs/libreDWG_4c26d37/id:000012%2Csig:06%2Csrc:002489%2Cop:havoc%2Crep:16