=================================================================
==15425==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000ec80 at pc 0x561b14ea8544 bp 0x7ffcc39e7810 sp 0x7ffcc39e7800
READ of size 2 at 0x61600000ec80 thread T0
#0 0x561b14ea8543 in bit_wcs2len /home/seviezhou/libredwg/src/bits.c:1634
#1 0x561b145837d0 in dwg_decode_LTYPE_private /home/seviezhou/libredwg/src/dwg.spec:3018
#2 0x561b14f5906b in dwg_decode_LTYPE /home/seviezhou/libredwg/src/dwg.spec:2936
#3 0x561b14f5906b in dwg_decode_add_object /home/seviezhou/libredwg/src/decode.c:5660
#4 0x561b14f60d90 in read_2004_section_handles /home/seviezhou/libredwg/src/decode.c:2835
#5 0x561b14f60d90 in decode_R2004 /home/seviezhou/libredwg/src/decode.c:3671
#6 0x561b14f6f3db in dwg_decode /home/seviezhou/libredwg/src/decode.c:242
#7 0x561b14e6a1fc in dwg_read_file /home/seviezhou/libredwg/src/dwg.c:251
#8 0x561b14e67594 in main /home/seviezhou/libredwg/programs/dwg2dxf.c:258
#9 0x7fdefebffb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x561b14e68689 in _start (/home/seviezhou/libredwg/programs/dwg2dxf+0xa4b689)
0x61600000ec81 is located 0 bytes to the right of 513-byte region [0x61600000ea80,0x61600000ec81)
allocated by thread T0 here:
#0 0x7fdeff4057aa in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x987aa)
#1 0x561b14ea4348 in bit_read_TF /home/seviezhou/libredwg/src/bits.c:1444
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/libredwg/src/bits.c:1634 bit_wcs2len
Shadow bytes around the buggy address:
0x0c2c7fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff9d90:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==15425==ABORTING
4b99edb as fix for GH #255 was wrong by *2, the offset is wide.
Also apply the same boundschecks to the ASCII case pre-r2007,
via strnlen.
Fixes fuzzing GH #258 by @seviezhou
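The two checks the commit message describes, as an added example that is not libredwg's code. It models the bug class in the report: a UCS-2 length scan (like bit_wcs2len) walks a heap buffer until it finds a 0x0000 code unit, so a buffer with no terminator is read past its end, and the bounded replacement must convert the byte size to 16-bit code units (the "*2" the fix refers to). The ASCII side gets the same bound, spelled out as a strnlen(3) equivalent. All function names, the 513-byte constructed buffer and the signatures here are assumptions for the illustration.

```c
// Added example (not libredwg's own code). Function names and the
// constructed input are hypothetical; they mirror the shape of the report.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Unbounded scan: the vulnerable pattern. Reads 2 bytes at a time until a
// 0 code unit appears, regardless of how large the buffer actually is.
static size_t wcs2len_unbounded(const uint16_t *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

// Bounded scan: `nbytes` is the buffer size in *bytes*. A UCS-2 string has
// nbytes/2 code units, so the scan must stop there. Passing nbytes directly
// as the code-unit limit (forgetting the /2) lets the scan run up to twice
// the buffer length: the "wrong by *2, the offset is wide" in the fix.
static size_t wcs2nlen(const uint16_t *s, size_t nbytes) {
    size_t maxunits = nbytes / 2;
    size_t n = 0;
    while (n < maxunits && s[n] != 0) n++;
    return n;
}

// ASCII counterpart of the same bound, equivalent to strnlen(3). Written
// out so the example does not depend on a POSIX extension.
static size_t ascii_nlen(const char *s, size_t nbytes) {
    size_t n = 0;
    while (n < nbytes && s[n] != '\0') n++;
    return n;
}

// Constructed input: a calloc'd region of `nbytes` (like bit_read_TF's
// allocation in the log) filled with attacker-style data and no terminator.
static uint16_t *make_unterminated(size_t nbytes) {
    uint16_t *buf = calloc(nbytes, 1);
    if (!buf) abort();
    memset(buf, 0x41, nbytes);  // 0x4141 code units everywhere, never 0x0000
    return buf;
}

// Reproduces the report's shape: 513 bytes, no terminator. The bounded scan
// stops at 256 code units (the odd trailing byte is not a full unit). The
// unbounded scan is deliberately not run on this buffer: its next access
// would be a 2-byte read at byte offset 512, i.e. one byte past the region,
// which is exactly the ASan "READ of size 2 ... 0 bytes to the right" above.
static size_t demo_513(void) {
    uint16_t *buf = make_unterminated(513);
    size_t n = wcs2nlen(buf, 513);
    free(buf);
    return n;
}

// When a terminator is inside the buffer, bounded and unbounded scans agree,
// so the fix changes nothing for well-formed input.
static int demo_terminated(void) {
    uint16_t *buf = make_unterminated(64);
    buf[10] = 0;
    int ok = (wcs2nlen(buf, 64) == 10) && (wcs2len_unbounded(buf) == 10);
    free(buf);
    return ok;
}

int main(void) {
    printf("513-byte unterminated buffer: bounded length = %zu code units\n",
           demo_513());
    printf("terminated buffer: bounded and unbounded scans agree = %d\n",
           demo_terminated());
    printf("ascii strnlen-style length of \"abc\" within 10 bytes = %zu\n",
           ascii_nlen("abc", 10));
    return 0;
}
```

Build it with the same flags as the report (`-g -fsanitize=address`) and replace the `wcs2nlen` call in `demo_513` with `wcs2len_unbounded` to see ASan report the same 2-byte read at the end of the region.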
System info
Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dwg2dxf (latest master aee0ea)
Configure
CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
Command line
./programs/dwg2dxf -b -m ./heap-buffer-overflow-bit_wcs2len-bits-1634 -o /dev/null
AddressSanitizer output
POC
heap-buffer-overflow-bit_wcs2len-bits-1634.zip