
A heap overflow in bits.c:1424 #261

Closed
seviezhou opened this issue Aug 2, 2020 · 1 comment
Comments

@seviezhou

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dwg2dxf (latest master 39ef943)

Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

Command line

./programs/dwg2dxf -b -m ./SEGV-check_POLYLINE_handles-decode-5110 -o /dev/null

AddressSanitizer output

=================================================================
==65289==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c0000381ff at pc 0x7fc1be68a945 bp 0x7fff3419f990 sp 0x7fff3419f138
READ of size 6 at 0x62c0000381ff thread T0
    #0 0x7fc1be68a944 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c944)
    #1 0x5588916f116f in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x5588916f116f in bit_read_fixed /home/seviezhou/libredwg/src/bits.c:1424
    #3 0x558891715678 in acds_private /home/seviezhou/libredwg/src/acds.spec:111
    #4 0x5588917b3161 in read_2004_section_acds /home/seviezhou/libredwg/src/decode.c:3437
    #5 0x5588917b3161 in decode_R2004 /home/seviezhou/libredwg/src/decode.c:3694
    #6 0x5588917bf646 in dwg_decode /home/seviezhou/libredwg/src/decode.c:242
    #7 0x5588916b89fc in dwg_read_file /home/seviezhou/libredwg/src/dwg.c:251
    #8 0x5588916b5e12 in main /home/seviezhou/libredwg/programs/dwg2dxf.c:258
    #9 0x7fc1bde90b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x5588916b6d69 in _start (/home/seviezhou/libredwg/programs/dwg2dxf+0xa88d69)

0x62c0000381ff is located 1 bytes to the left of 29696-byte region [0x62c000038200,0x62c00003f600)
allocated by thread T0 here:
    #0 0x7fc1be6967aa in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x987aa)
    #1 0x5588917211c4 in read_2004_compressed_section /home/seviezhou/libredwg/src/decode.c:2432
    #2 0x5588922c13aa  (/home/seviezhou/libredwg/programs/dwg2dxf+0x16933aa)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c587fffefe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fffeff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587ffff000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587ffff010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587ffff020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c587ffff030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c587ffff040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587ffff050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587ffff060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587ffff070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587ffff080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==65289==ABORTING

POC

heap-overflow-bit_read_fixed-bits-1424.zip

@rurban rurban self-assigned this Aug 2, 2020
@rurban rurban added bug Something isn't working fuzzing Intentional illegal input labels Aug 2, 2020
@rurban rurban added this to the 0.11 milestone Aug 2, 2020
@rurban
Contributor

rurban commented Aug 2, 2020

This was already fixed with the ACDS.num_segidxf check in GH #259
Not repro anymore

@rurban rurban closed this as completed Aug 2, 2020
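The trace above shows memcpy in bit_read_fixed reading 6 bytes starting 1 byte before the calloc'd region, i.e. a cursor that malformed input had pushed out of range before the copy. The following is an added example, not libredwg's code: a bounds-checked fixed-length read in the shape of bit_read_fixed, with the bit_chain_t type, its field names and run_checks all assumed for this illustration. The page reports the actual fix as a check on ACDS.num_segidxf in GH #259; this example instead shows the defensive bound at the reader itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal bit-stream reader, assumed for this example (not libredwg's Bit_Chain). */
typedef struct {
    const uint8_t *chain;
    size_t size;  /* bytes in the allocation */
    size_t byte;  /* cursor: byte index */
    uint8_t bit;  /* cursor: bit offset inside that byte, 0..7 */
} bit_chain_t;
/* Copy `len` bytes from the cursor into `dst`; 0 on success, -1 if the read would
 * touch memory outside `chain`. The bound is checked before memcpy, so a cursor
 * before or past the buffer (the report shows a read 1 byte to the left of the
 * region) is refused instead of being dereferenced. */
int bit_read_fixed_checked(bit_chain_t *dat, uint8_t *dst, size_t len)
{
    size_t need = len + (dat->bit ? 1u : 0u);  /* unaligned reads straddle an extra byte */
    if (dat->byte > dat->size || need > dat->size - dat->byte)
        return -1;  /* ordered so the subtraction cannot wrap */
    if (dat->bit == 0) {
        memcpy(dst, dat->chain + dat->byte, len);
    } else {
        for (size_t i = 0; i < len; i++) {
            unsigned hi = dat->chain[dat->byte + i];
            unsigned lo = dat->chain[dat->byte + i + 1];
            dst[i] = (uint8_t)((hi << dat->bit) | (lo >> (8 - dat->bit)));
        }
    }
    dat->byte += len;
    return 0;
}
/* Exercises the checked read on a constructed 4-byte buffer; returns the number
 * of expectations met (5 when every case behaves). */
int run_checks(void)
{
    static const uint8_t buf[4] = {0xAA, 0xBB, 0xCC, 0xDD};  /* constructed input */
    uint8_t out[4] = {0};
    int ok = 0;
    bit_chain_t d = {buf, sizeof buf, 0, 0};
    ok += bit_read_fixed_checked(&d, out, 4) == 0 && out[3] == 0xDD;  /* in bounds */
    ok += bit_read_fixed_checked(&d, out, 1) == -1;                   /* past the end */
    bit_chain_t u = {buf, sizeof buf, (size_t)-1, 0};                 /* wrapped cursor */
    ok += bit_read_fixed_checked(&u, out, 6) == -1;                   /* "1 byte to the left" */
    bit_chain_t a = {buf, sizeof buf, 0, 4};                          /* unaligned cursor */
    ok += bit_read_fixed_checked(&a, out, 4) == -1;                   /* would need 5 bytes */
    ok += bit_read_fixed_checked(&a, out, 3) == 0 && out[0] == 0xAB;  /* straddling read */
    return ok;
}
```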