
Heap-buffer-overflow in copy_bytes in decode_r2007.c:228 #350

Closed
giantbranch opened this issue Jun 7, 2021 · 1 comment

Affected version

The latest commit and 0.12.4

What's the problem?

A heap buffer overflow was discovered in copy_bytes in decode_r2007.c:228.

ASAN report:

./dwgread ./tests_64199
=================================================================
==9330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005f55 at pc 0x000000ca93c3 bp 0x7ffe5a6134c0 sp 0x7ffe5a6134b8
WRITE of size 1 at 0x62a000005f55 thread T0
    #0 0xca93c2 in copy_bytes /root/fuzz/libredwg/src/decode_r2007.c:228:12
    #1 0xca431a in decompress_r2007 /root/fuzz/libredwg/src/decode_r2007.c:550:11
    #2 0xcaa7fe in read_data_page /root/fuzz/libredwg/src/decode_r2007.c:728:13
    #3 0xcaa319 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:811:19
    #4 0xc8bee9 in read_2007_section_handles /root/fuzz/libredwg/src/decode_r2007.c:1622:11
    #5 0xc83c84 in read_r2007_meta_data /root/fuzz/libredwg/src/decode_r2007.c:2378:12
    #6 0x4f9fcc in decode_R2007 /root/fuzz/libredwg/src/decode.c:3836:11
    #7 0x4e49ab in dwg_decode /root/fuzz/libredwg/src/decode.c:248:29
    #8 0x4c75cc in dwg_read_file /root/fuzz/libredwg/src/dwg.c:254:11
    #9 0x4c5d47 in main /root/fuzz/libredwg/programs/dwgread.c
    #10 0x7f7541c7483f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x41ba58 in _start (/root/fuzz/pocs/dwgread+0x41ba58)

0x62a000005f55 is located 0 bytes to the right of 23893-byte region [0x62a000000200,0x62a000005f55)
allocated by thread T0 here:
    #0 0x495a22 in calloc (/root/fuzz/pocs/dwgread+0x495a22)
    #1 0xca9e98 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:774:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/libredwg/src/decode_r2007.c:228:12 in copy_bytes
==9330==ABORTING

Compile command

CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make

How can we reproduce the issue?

unzip tests_64199.zip
dwgread ./tests_64199

POC file: tests_64199.zip

@rurban rurban self-assigned this Jun 7, 2021
@rurban rurban added bug Something isn't working fuzzing Intentional illegal input labels Jun 7, 2021
@rurban rurban added this to the 0.12.5 milestone Jun 7, 2021
rurban added a commit that referenced this issue Jun 7, 2021
See GH #350. With fuzzing section->data_size might not fit
section_page->uncomp_size.

rurban commented Jun 7, 2021

Thanks, fixed with 45d2a29 (master)
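The commit message above attributes the overflow to section->data_size not fitting section_page->uncomp_size: a per-page decompressed size taken from the file that exceeds the buffer calloc'ed for the whole section in read_data_section. The C below is an added example, not libredwg's code, that models that layout with hypothetical names (section_t, section_page_t, check_page_fits, copy_bytes_bounded and run_scenario are all assumptions) and shows the bounds check a decoder needs before decompressing a page into the section buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the r2007 layout this issue is about: one buffer of
   section->data_size bytes filled page by page, each page carrying its own
   uncomp_size. Hypothetical names, not libredwg's code. */
typedef struct { uint8_t *data; size_t data_size; } section_t;
typedef struct { size_t offset; size_t uncomp_size; } section_page_t;
/* Reject a page whose claimed decompressed range does not lie inside the
   section buffer; written so that offset + uncomp_size cannot wrap. */
int check_page_fits(const section_t *sec, const section_page_t *page)
{
    if (page->uncomp_size > sec->data_size) return -1;
    if (page->offset > sec->data_size - page->uncomp_size) return -1;
    return 0;
}

/* copy_bytes-style helper that refuses to write past dst_cap.
   Returns n on success, 0 if the write would run past the end. */
size_t copy_bytes_bounded(uint8_t *dst, size_t pos, size_t dst_cap,
                          const uint8_t *src, size_t n)
{
    if (n > dst_cap || pos > dst_cap - n) return 0;
    memcpy(dst + pos, src, n);
    return n;
}

/* Decompress one page; the "compressed" input is plain literals here, enough
   to show the guard. Returns bytes written, or -1 if the page was rejected. */
long read_data_page(section_t *sec, const section_page_t *page,
                    const uint8_t *comp, size_t comp_len)
{
    if (check_page_fits(sec, page) != 0) return -1;
    size_t n = comp_len < page->uncomp_size ? comp_len : page->uncomp_size;
    if (copy_bytes_bounded(sec->data, page->offset, sec->data_size, comp, n) != n)
        return -1;
    return (long)n;
}

/* Drive one page header against a section of data_size bytes (capped at 64)
   using a constructed 8-byte literal page. */
long run_scenario(size_t data_size, size_t offset, size_t uncomp_size)
{
    uint8_t buf[64] = {0};
    const uint8_t comp[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    section_t sec = { buf, data_size > 64 ? 64 : data_size };
    section_page_t page = { offset, uncomp_size };
    return read_data_page(&sec, &page, comp, sizeof comp);
}
```

A page that claims more decompressed bytes than the section was allocated for (the fuzzed case here) is rejected before any write, while a page that ends exactly at the buffer end is still accepted.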
