
Four NULL dereferences in out_dxfb.c #324

Closed
zodf0055980 opened this issue Mar 3, 2021 · 1 comment
zodf0055980 commented Mar 3, 2021

I found four NULL dereference bugs in the current master (5d2c75f).

Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

bug 1 in out_dxfb.c:1902

Command

./dwg2dxf -o ./fuzz_out -b -y ./poc1

ASAN report

➜  ./dwg2dxf -o ./fuzz_out -b -y ./poc1
Reading DWG file ./poc1
Warning: checksum: 0x27c51243 (calculated) mismatch

ERROR: Skip section AcDb:FileDepList with size 8 > 0 * 128
ERROR: obj_string_stream overflow, bitsize 96 => 96
ERROR: Invalid object handle 10.1.1 at pos @4.2
ERROR: bit_read_RC buffer overflow at 12
ERROR: bit_read_RC buffer overflow at 12
ERROR: bit_read_RC buffer overflow at 12
ERROR: bit_read_RC buffer overflow at 12 >= 12
ERROR: bit_read_BL: unexpected 2-bit code: '11'
ERROR: bit_read_RC buffer overflow at 12
ERROR: Invalid CMC method 0x0 ignored
ERROR: bit_advance_position buffer overflow at pos 11.7, size 12, advance by 2
ERROR: bit_read_BD buffer overflow at 12 >= 12
ERROR: Invalid BD identifier_height
Warning: check_CRC mismatch 22-38 = 16: 401C <=> 0B9D

Warning: Unstable Class object 502 TABLESTYLE (0xfff) 42/0
Warning: TODO TABLESTYLE r2010+ missing fields
Warning: Unstable Class object 503 MATERIAL (0x481) 45/0
Warning: Unstable Class object 503 MATERIAL (0x481) 46/0
Warning: Unstable Class object 503 MATERIAL (0x481) 47/0
Warning: Ignore invalid handleoff (@390)
ERROR: bit_read_RC buffer overflow at 174
ERROR: bit_read_RC buffer overflow at 171
ERROR: bit_read_RC buffer overflow at 973
ERROR: bit_read_RC buffer overflow at 284
ERROR: bit_read_RC buffer overflow at 284
ERROR: Some section size or address out of bounds
ERROR: Failed to read uncompressed Preview section
Warning: Skip empty section 0 AcDb:Template
ERROR: Template section not found

ERROR: Invalid num_segidx
Warning: Object handle not found, 2/2 in 150 objects
Warning: Object handle not found, 2/2 in 150 objects
Warning: Object handle not found, 2/2 in 150 objects
Writing DXF file ./fuzz_out as r14
ASAN:DEADLYSIGNAL
=================================================================
==17991==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7ffff4cf2b1b bp 0x7fffffffc9c0 sp 0x7fffffff8450 T0)
==17991==The signal is caused by a READ memory access.
==17991==Hint: address points to the zero page.
    #0 0x7ffff4cf2b1a in dxfb_tables_write /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1902
    #1 0x7ffff4d06d16 in dwg_write_dxfb /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:2312
    #2 0x5555555589a1 in main /home/yuan/afl-target/libredwg-asan/programs/dwg2dxf.c:336
    #3 0x7ffff1e6bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #4 0x555555556a89 in _start (/home/yuan/afl-target/libredwg-asan/programs/.libs/dwg2dxf+0x2a89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1902 in dxfb_tables_write
==17991==ABORTING

bug 2 in out_dxfb.c:1924

Command

./dwg2dxf -o ./fuzz_out -b -y ./poc2

ASAN report

➜  ./dwg2dxf -o ./fuzz_out -b -y ./poc2
Reading DWG file ./poc2
Warning: checksum: 0x27c51243 (calculated) mismatch

ERROR: Skip section AcDb:FileDepList with size 8 > 0 * 128
ERROR: obj_string_stream overflow, bitsize 4294965675 => 88
ERROR: Invalid EED size 8770 > 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_read_RC buffer overflow at 11
ERROR: bit_advance_position buffer overflow at pos 10.7, size 11, advance by 2
ERROR: bit_read_BB buffer overflow at 11 >= 11
ERROR: bit_read_BD buffer overflow at 11 >= 11
ERROR: bit_read_B buffer overflow at 11 >= 11
ERROR: bit_read_BB buffer overflow at 11 >= 11
ERROR: bit_read_BD buffer overflow at 11 >= 11
ERROR: bit_read_RC buffer overflow at 11 >= 11
ERROR: bit_read_RD buffer overflow at 11 >= 11
ERROR: Invalid RD oblique_angle
Warning: check_CRC mismatch 39-54 = 15: C16F <=> 0D90

Warning: Unstable Class object 502 TABLESTYLE (0xfff) 42/0
Warning: TODO TABLESTYLE r2010+ missing fields
Warning: Unstable Class object 503 MATERIAL (0x481) 45/0
Warning: Unstable Class object 503 MATERIAL (0x481) 46/0
Warning: Unstable Class object 503 MATERIAL (0x481) 47/0
Warning: Ignore invalid handleoff (@390)
ERROR: bit_read_RC buffer overflow at 174
ERROR: bit_read_RC buffer overflow at 171
ERROR: bit_read_RC buffer overflow at 973
ERROR: bit_read_RC buffer overflow at 284
ERROR: bit_read_RC buffer overflow at 284
ERROR: Some section size or address out of bounds
ERROR: Failed to read uncompressed Preview section
Warning: Skip empty section 0 AcDb:Template
ERROR: Template section not found

ERROR: Invalid num_segidx
Warning: Object handle not found, 3/3 in 150 objects
Warning: Object handle not found, 3/3 in 150 objects
Warning: Object handle not found, 3/3 in 150 objects
Writing DXF file ./fuzz_out
ERROR: Unhandled VALUE_INT code 0
ASAN:DEADLYSIGNAL
=================================================================
==18068==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7ffff4cf4e7f bp 0x7fffffffc9e0 sp 0x7fffffff8470 T0)
==18068==The signal is caused by a READ memory access.
==18068==Hint: address points to the zero page.
    #0 0x7ffff4cf4e7e in dxfb_tables_write /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1924
    #1 0x7ffff4d06d16 in dwg_write_dxfb /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:2312
    #2 0x5555555589a1 in main /home/yuan/afl-target/libredwg-asan/programs/dwg2dxf.c:336
    #3 0x7ffff1e6bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #4 0x555555556a89 in _start (/home/yuan/afl-target/libredwg-asan/programs/.libs/dwg2dxf+0x2a89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1924 in dxfb_tables_write
==18068==ABORTING

bug 3 in out_dxfb.c:1872

Command

./dwg2dxf -o ./fuzz_out -b -y poc3

ASAN report

➜  ./dwg2dxf -o ./fuzz_out -b -y poc3 
Reading DWG file poc3
Warning: checksum: 0x27c51243 (calculated) mismatch

ERROR: Skip section AcDb:FileDepList with size 8 > 0 * 128
ERROR: Invalid preview size 18496. Need min. 18496 bits for TF, have 76 for RAY.
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_RC buffer overflow at 13
ERROR: bit_read_BD buffer overflow at 13 >= 13
ERROR: bit_read_BB buffer overflow at 13 >= 13
ERROR: bit_read_BD buffer overflow at 13 >= 13
ERROR: bit_read_BB buffer overflow at 13 >= 13
ERROR: bit_read_BD buffer overflow at 13 >= 13
ERROR: Invalid 3BD vector
Warning: check_CRC mismatch 55-71 = 16: 1ECF <=> 9AC1

Warning: Unstable Class object 502 TABLESTYLE (0xfff) 42/0
Warning: TODO TABLESTYLE r2010+ missing fields
Warning: Unstable Class object 503 MATERIAL (0x481) 45/0
Warning: Unstable Class object 503 MATERIAL (0x481) 46/0
Warning: Unstable Class object 503 MATERIAL (0x481) 47/0
Warning: Ignore invalid handleoff (@390)
ERROR: bit_read_RC buffer overflow at 174
ERROR: bit_read_RC buffer overflow at 171
ERROR: bit_read_RC buffer overflow at 973
ERROR: bit_read_RC buffer overflow at 284
ERROR: bit_read_RC buffer overflow at 284
ERROR: Some section size or address out of bounds
ERROR: Failed to read uncompressed Preview section
Warning: Skip empty section 0 AcDb:Template
ERROR: Template section not found

ERROR: Invalid num_segidx
Writing DXF file ./fuzz_out
ASAN:DEADLYSIGNAL
=================================================================
==18124==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7ffff4cf068d bp 0x7fffffffc9e0 sp 0x7fffffff8470 T0)
==18124==The signal is caused by a READ memory access.
==18124==Hint: address points to the zero page.
    #0 0x7ffff4cf068c in dxfb_tables_write /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1872
    #1 0x7ffff4d06d16 in dwg_write_dxfb /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:2312
    #2 0x5555555589a1 in main /home/yuan/afl-target/libredwg-asan/programs/dwg2dxf.c:336
    #3 0x7ffff1e6bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #4 0x555555556a89 in _start (/home/yuan/afl-target/libredwg-asan/programs/.libs/dwg2dxf+0x2a89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1872 in dxfb_tables_write
==18124==ABORTING

bug 4 in out_dxfb.c:1944

Command

./dwg2dxf -o ./fuzz_out -b -y --as r12 poc4

ASAN report

➜  ./dwg2dxf -o ./fuzz_out -b -y --as r12 poc4 
Reading DWG file poc4
Warning: checksum: 0x27c51243 (calculated) mismatch

ERROR: Skip section AcDb:FileDepList with size 8 > 0 * 128
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_RC buffer overflow at 6
ERROR: bit_read_BD buffer overflow at 6 >= 6
ERROR: bit_read_BB buffer overflow at 6 >= 6
ERROR: bit_read_BD buffer overflow at 6 >= 6
ERROR: bit_read_BB buffer overflow at 6 >= 6
ERROR: bit_read_BD buffer overflow at 6 >= 6
ERROR: Invalid 3BD view_target
Warning: check_CRC mismatch 73-82 = 9: 89F5 <=> 46F4

Warning: Unstable Class object 502 TABLESTYLE (0xfff) 42/0
Warning: TODO TABLESTYLE r2010+ missing fields
Warning: Unstable Class object 503 MATERIAL (0x481) 45/0
Warning: Unstable Class object 503 MATERIAL (0x481) 46/0
Warning: Unstable Class object 503 MATERIAL (0x481) 47/0
Warning: Ignore invalid handleoff (@390)
ERROR: bit_read_RC buffer overflow at 174
ERROR: bit_read_RC buffer overflow at 171
ERROR: bit_read_RC buffer overflow at 973
ERROR: bit_read_RC buffer overflow at 284
ERROR: bit_read_RC buffer overflow at 284
ERROR: Some section size or address out of bounds
ERROR: Failed to read uncompressed Preview section
Warning: Skip empty section 0 AcDb:Template
ERROR: Template section not found

ERROR: Invalid num_segidx
Writing DXF file ./fuzz_out as r12
ERROR: Unhandled VALUE_INT code 7
ASAN:DEADLYSIGNAL
=================================================================
==18183==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7ffff4cf71e3 bp 0x7fffffffc9c0 sp 0x7fffffff8450 T0)
==18183==The signal is caused by a READ memory access.
==18183==Hint: address points to the zero page.
    #0 0x7ffff4cf71e2 in dxfb_tables_write /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1944
    #1 0x7ffff4d06d16 in dwg_write_dxfb /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:2312
    #2 0x5555555589a1 in main /home/yuan/afl-target/libredwg-asan/programs/dwg2dxf.c:336
    #3 0x7ffff1e6bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #4 0x555555556a89 in _start (/home/yuan/afl-target/libredwg-asan/programs/.libs/dwg2dxf+0x2a89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/libredwg-asan/src/out_dxfb.c:1944 in dxfb_tables_write
==18183==ABORTING

All poc

poc.zip
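All four ASAN reports above fault on the same address, 0x38, and ASAN notes that the address lies in the zero page; that pattern is a read of a struct field at offset 0x38 through a NULL base pointer, which is why they are reported as NULL dereferences rather than overflows. The following is an added example, not code from libredwg or from this report: it parses the SEGV lines quoted above to recover that offset, and shows the guard a writer needs when a table control object failed to resolve. The `table_ctrl` type, the `write_table_*` functions and the 4 KiB zero-page size are assumptions chosen to mirror the report, not the real out_dxfb.c types.

```c
/* Added example, not libredwg code: triage an AddressSanitizer SEGV report
 * as a field read through a NULL struct pointer, and show the guard that
 * prevents it. All type and function names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZERO_PAGE_SIZE 4096u /* assumption: 4 KiB pages, the usual x86-64 case */

typedef struct {
    uintptr_t addr;      /* faulting address from the "SEGV on unknown address" line */
    bool is_read;        /* "caused by a READ memory access" */
    bool null_deref;     /* address lies in the zero page: the base pointer was NULL */
    size_t field_offset; /* when null_deref: offset of the field read through NULL */
} asan_segv;

/* Parse the ERROR line and the "signal is caused by" line of an ASAN SEGV
 * report. Returns false if the ERROR line is not a SEGV report. */
bool parse_asan_segv(const char *error_line, const char *signal_line,
                     asan_segv *out)
{
    static const char marker[] = "SEGV on unknown address ";
    const char *p = strstr(error_line, marker);
    unsigned long long addr;

    if (!p || sscanf(p + sizeof marker - 1, "0x%llx", &addr) != 1)
        return false;
    memset(out, 0, sizeof *out);
    out->addr = (uintptr_t)addr;
    out->is_read = strstr(signal_line, "READ memory access") != NULL;
    out->null_deref = out->addr < ZERO_PAGE_SIZE;
    out->field_offset = out->null_deref ? (size_t)out->addr : 0;
    return true;
}

/* Hypothetical table control object: a pointer field at offset 0x38, so
 * reading it through a NULL base faults on address 0x38 like the report. */
typedef struct {
    unsigned char header[0x38]; /* constructed padding for the fields before it */
    void *entries;              /* offsetof(table_ctrl, entries) == 0x38 */
} table_ctrl;

/* The unguarded pattern: crashes exactly as in the report when ctrl is NULL. */
int write_table_unguarded(const table_ctrl *ctrl)
{
    return ctrl->entries ? 0 : 1;
}

/* The guarded pattern: a DWG whose table control handle did not resolve
 * ("Object handle not found" in the logs above) yields a NULL ctrl; report
 * and skip the table instead of dereferencing it. */
int write_table_guarded(const table_ctrl *ctrl)
{
    if (!ctrl) {
        fprintf(stderr, "ERROR: table control object missing, skipping table\n");
        return -1;
    }
    return ctrl->entries ? 0 : 1;
}

int main(void)
{
    /* Copied from the first report in this issue. */
    const char *err = "==17991==ERROR: AddressSanitizer: SEGV on unknown address "
                      "0x000000000038 (pc 0x7ffff4cf2b1b bp 0x7fffffffc9c0 "
                      "sp 0x7fffffff8450 T0)";
    const char *sig = "==17991==The signal is caused by a READ memory access.";
    asan_segv s;

    if (parse_asan_segv(err, sig, &s) && s.null_deref)
        printf("NULL %s of a field at offset 0x%zx (%zu bytes into the struct)\n",
               s.is_read ? "read" : "write", s.field_offset, s.field_offset);
    printf("guarded write with NULL control object returns %d\n",
           write_table_guarded(NULL));
    return 0;
}
```

The offset is the useful part of the triage: it tells you which member of the struct the writer touched first, so the NULL check belongs wherever that pointer is obtained, which is the same shape as the fix applied to the ASCII DXF writer that the commit below refers to.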

@rurban rurban self-assigned this Mar 3, 2021
@rurban rurban added bug Something isn't working fuzzing Intentional illegal input labels Mar 3, 2021

rurban commented Mar 3, 2021

--as r14 is not needed

rurban added a commit that referenced this issue Mar 3, 2021
Fixes GH #324, fuzzed by @zodf0055980.
Analog to ascii dxf
@rurban rurban added this to the 0.12.4 milestone Mar 3, 2021
@rurban rurban closed this as completed Mar 3, 2021