When opening the crafted `dwg` file, it could trigger a `null pointer dereference` in `dwg2svg2`
Let's see the gdb output:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000005fc91c in dwg_obj_block_control_get_block_headers (ctrl=0xa51e30 <g_dwg+3088>, error=<optimized out>) at dwg_api.c:17897
17897         ptx[i] = ctrl->block_headers[i];
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────[ REGISTERS ]────────────────────────────────
*RAX  0x7ffff7f6c800 ◂— 0xbebebebebebebebe
*RBX  0xa51e30 (g_dwg+3088) —▸ 0x60800000bfa0 ◂— 0x0
*RCX  0x7ffff7f6c800 ◂— 0xbebebebebebebebe
 RDX  0x0
 RDI  0x0
 RSI  0x0
 R8   0x0
*R9   0xa51e50 (g_dwg+3120) ◂— 0x0
*R10  0x14a3ca
*R11  0x7ffff7f8c818 ◂— 0x0
*R12  0x7ffff7f6c800 ◂— 0xbebebebebebebebe
*R13  0x4002
*R14  0x7fffffffe280 ◂— 0x41b58ab3
 R15  0x0
*RBP  0x7fffffffe210 —▸ 0x7fffffffe300 —▸ 0x7fffffffe330 —▸ 0x7fffffffe3e0 —▸ 0x71ed30 (__libc_csu_init) ◂— ...
*RSP  0x7fffffffe1f0 ◂— 0x0
*RIP  0x5fc91c (dwg_obj_block_control_get_block_headers+217) ◂— mov rdx, qword ptr [rdx]
─────────────────────────────────[ DISASM ]──────────────────────────────────
 ► 0x5fc91c <dwg_obj_block_control_get_block_headers+217>    mov    rdx, qword ptr [rdx]
   0x5fc91f <dwg_obj_block_control_get_block_headers+220>    mov    rdi, rcx
   0x5fc922 <dwg_obj_block_control_get_block_headers+223>    mov    r8, rcx
   0x5fc925 <dwg_obj_block_control_get_block_headers+226>    shr    r8, 3
   0x5fc929 <dwg_obj_block_control_get_block_headers+230>    cmp    byte ptr [r8 + 0x7fff8000], 0
   0x5fc931 <dwg_obj_block_control_get_block_headers+238>    je     dwg_obj_block_control_get_block_headers+245 <0x5fc938>
    ↓
   0x5fc938 <dwg_obj_block_control_get_block_headers+245>    mov    qword ptr [rcx], rdx
   0x5fc93b <dwg_obj_block_control_get_block_headers+248>    add    rcx, 8
   0x5fc93f <dwg_obj_block_control_get_block_headers+252>    cmp    rcx, r11
   0x5fc942 <dwg_obj_block_control_get_block_headers+255>    jne    dwg_obj_block_control_get_block_headers+164 <0x5fc8e7>
    ↓
   0x5fc8e7 <dwg_obj_block_control_get_block_headers+164>    mov    rdx, rcx
──────────────────────────────[ SOURCE (CODE) ]──────────────────────────────
   17892 {
   17893   BITCODE_BS i;
   17894   *error = 0;
   17895   for (i=0; i < ctrl->num_entries; i++)
   17896     {
 ► 17897       ptx[i] = ctrl->block_headers[i];
   17898     }
   17899   return ptx;
   17900 }
   17901 else
   17902 {
─────────────────────────────────────────────────────────────────────────────
pwndbg> p ptx
$1 = (dwg_object_ref **) 0x7ffff7f6c800
pwndbg> p ctrl->block_headers
$2 = (Dwg_Object_Ref **) 0x0
pwndbg> bt
#0  0x00000000005fc91c in dwg_obj_block_control_get_block_headers (ctrl=0xa51e30 <g_dwg+3088>, error=<optimized out>) at dwg_api.c:17897
#1  0x0000000000403d88 in output_SVG (dwg=0xa51220 <g_dwg>) at dwg2svg2.c:358
#2  0x0000000000401af9 in test_SVG (filename=0x7fffffffe73a "segment_poc") at dwg2svg2.c:90
#3  0x0000000000404656 in main (argc=2, argv=0x7fffffffe4c8) at dwg2svg2.c:479
#4  0x00007ffff67b7830 in __libc_start_main (main=0x403fa3 <main>, argc=2, argv=0x7fffffffe4c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8) at ../csu/libc-start.c:291
#5  0x0000000000401919 in _start ()
pwndbg>
```
As you can see, the crash is in `ptx[i] = ctrl->block_headers[i];`, and the pointer is 0, so it is a null pointer dereference.
The vulnerability is that `dwg_obj_block_control_get_block_headers` in `dwg_api.c` doesn't check `ctrl->block_headers`:
```c
dwg_object_ref **
dwg_obj_block_control_get_block_headers(const dwg_obj_block_control *restrict ctrl,
                                        int *restrict error)
{
  dwg_object_ref **ptx = (dwg_object_ref**) malloc(ctrl->num_entries * sizeof(Dwg_Object_Ref *));
  if (ptx)
    {
      BITCODE_BS i;
      *error = 0;
      for (i=0; i < ctrl->num_entries; i++)
        {
          ptx[i] = ctrl->block_headers[i];
        }
      return ptx;
    }
  else
    {
      *error = 1;
      LOG_ERROR("%s: null malloc", __FUNCTION__)
      return NULL;
    }
}
```
To fix it, please verify `ctrl->block_headers` before using it.
The PoC file:
https://gitee.com/hac425/fuzz_data/blob/master/poc.dwg
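As an added example (not libredwg's code; `block_control_t`, `get_block_headers_checked` and the two `demo_*` functions are simplified stand-ins), here is the copy routine with the check the report asks for, exercised on a constructed input that mirrors the crash (non-zero count, NULL table) and on a well-formed one:

```c
#include <stdlib.h>

/* Simplified stand-ins (assumptions, not libredwg's real definitions). */
typedef struct { int id; } Dwg_Object_Ref;
typedef unsigned short BITCODE_BS;
typedef struct {
  BITCODE_BS num_entries;
  Dwg_Object_Ref **block_headers;   /* NULL in the crashing input */
} block_control_t;

/* Hardened variant of the reported function: validates the table pointer before
 * the copy loop. Returns a malloc'd copy of the table, or NULL with *error = 1. */
Dwg_Object_Ref **get_block_headers_checked(const block_control_t *ctrl, int *error)
{
  Dwg_Object_Ref **ptx;
  BITCODE_BS i;
  if (!ctrl || !error) return NULL;
  /* The missing check from the report: a NULL table behind a non-zero count is a
   * malformed or partially parsed file. A failed malloc takes the same path. */
  if (ctrl->block_headers == NULL || ctrl->num_entries == 0
      || !(ptx = malloc((size_t)ctrl->num_entries * sizeof *ptx))) {
    *error = 1;
    return NULL;
  }
  *error = 0;
  for (i = 0; i < ctrl->num_entries; i++)
    ptx[i] = ctrl->block_headers[i];
  return ptx;
}

/* Constructed input mirroring the crash (count 3, no table): returns 1 when the
 * error is reported instead of a NULL dereference. */
int demo_null_table(void)
{
  block_control_t bad = { 3, NULL };
  int err = -1;
  return get_block_headers_checked(&bad, &err) == NULL && err == 1;
}

/* Constructed well-formed input: returns 1 when both entries are copied. */
int demo_good_table(void)
{
  Dwg_Object_Ref a = { 1 }, b = { 2 };
  Dwg_Object_Ref *tab[2] = { &a, &b };
  block_control_t good = { 2, tab };
  int err = -1, ok;
  Dwg_Object_Ref **r = get_block_headers_checked(&good, &err);
  ok = r && err == 0 && r[0] == &a && r[1] == &b;
  free(r);
  return ok;
}
```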
Fuzzing? Oh my. You'll find a lot more such optimistic assumptions. Thanks
protect dwg_obj_block_control_get_block_headers (commit b03ab41)
from empty ctrl->block_headers. Fixes [GH #32] (commit 7bb6307)