
Heap-buffer-overflow in copy_compressed_bytes in decode_r2007.c:332 #351

Closed
giantbranch opened this issue Jun 7, 2021 · 1 comment
Labels: bug (Something isn't working), fuzzing (Intentional illegal input)

Comments

@giantbranch

Affected version

The latest commit and 0.12.4

What's the problem?

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c:332.

ASAN report:

./dwgread ./tests_64205
ERROR: Section[7]->pages[0] overflow
Warning: Failed to find section_info[1]
ERROR: Failed to read header section
Warning: Failed to find section_info[3]
ERROR: Failed to read class section
Warning: Failed to find section_info[7]
ERROR: Failed to read objects section
Warning: Failed to find section_info[2]
Warning: thumbnail.size mismatch: 185216 != 163880
ERROR: Failed to find page 222
=================================================================
==9485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002e3 at pc 0x000000ca5f2b bp 0x7ffdbc6926d0 sp 0x7ffdbc6926c8
WRITE of size 8 at 0x6020000002e3 thread T0
    #0 0xca5f2a in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53:10
    #1 0xca5f2a in copy_compressed_bytes /root/fuzz/libredwg/src/decode_r2007.c:332:7
    #2 0xca4195 in decompress_r2007 /root/fuzz/libredwg/src/decode_r2007.c:523:7
    #3 0xcaa7fe in read_data_page /root/fuzz/libredwg/src/decode_r2007.c:728:13
    #4 0xcaa319 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:811:19
    #5 0xc9be6b in read_2007_section_revhistory /root/fuzz/libredwg/src/decode_r2007.c:1945:11
    #6 0xc83d65 in read_r2007_meta_data /root/fuzz/libredwg/src/decode_r2007.c:2387:12
    #7 0x4f9fcc in decode_R2007 /root/fuzz/libredwg/src/decode.c:3836:11
    #8 0x4e49ab in dwg_decode /root/fuzz/libredwg/src/decode.c:248:29
    #9 0x4c75cc in dwg_read_file /root/fuzz/libredwg/src/dwg.c:254:11
    #10 0x4c5d47 in main /root/fuzz/libredwg/programs/dwgread.c
    #11 0x7f581684583f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x41ba58 in _start (/root/fuzz/pocs/dwgread+0x41ba58)

0x6020000002e3 is located 3 bytes to the right of 16-byte region [0x6020000002d0,0x6020000002e0)
allocated by thread T0 here:
    #0 0x495a22 in calloc (/root/fuzz/pocs/dwgread+0x495a22)
    #1 0xca9e98 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:774:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/x86_64-linux-gnu/bits/string3.h:53:10 in memcpy
==9485==ABORTING

Compile command

CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make

How can we reproduce the issue?

unzip tests_64205.zip
dwgread ./tests_64205

POC file: tests_64205.zip
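The write ASan flags above is an 8-byte memcpy whose first byte lands 3 bytes past the end of a 16-byte calloc'd region. As an added illustration in C (not libredwg's copy_compressed_bytes; checked_copy and demo_overflow_rejected are hypothetical names, and the 16-byte page and sample bytes are constructed to match the report's numbers), this is the bounds check a decompressor's copy path needs so such a copy is refused instead of written:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical bounds-checked copy (illustration only, not libredwg code).
 * Copies len bytes from src+src_off to dst+dst_off only if both ranges lie
 * inside their buffers. Returns 0 on success, -1 if the copy would read or
 * write out of bounds. */
int checked_copy(uint8_t *dst, size_t dst_size, size_t dst_off,
                 const uint8_t *src, size_t src_size, size_t src_off,
                 size_t len)
{
    /* Compare len against the remaining space instead of computing off + len,
     * so an attacker-controlled length or offset cannot wrap around. */
    if (dst_off > dst_size || len > dst_size - dst_off)
        return -1;
    if (src_off > src_size || len > src_size - src_off)
        return -1;
    memcpy(dst + dst_off, src + src_off, len);
    return 0;
}

/* Model of the report above: a 16-byte calloc'd output page (constructed) and
 * an 8-byte copy starting at offset 19, i.e. 3 bytes past the end, which is
 * exactly the WRITE of size 8 that ASan reported. Returns the number of
 * rejected copies (expected 1), -1 on allocation failure, or -2 if the
 * in-bounds copy did not land where expected. */
int demo_overflow_rejected(void)
{
    const uint8_t src[32] = { 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22 };
    uint8_t *page = calloc(16, 1);
    int rejected = 0;
    if (!page)
        return -1;
    /* In-bounds copy: 8 bytes at offset 8 fill the second half of the page. */
    if (checked_copy(page, 16, 8, src, sizeof src, 0, 8) != 0)
        rejected++;
    else if (page[8] != 0xAA || page[15] != 0x22)
        rejected = -2;
    /* Out-of-bounds copy: 8 bytes at offset 19 must be refused, not written. */
    if (rejected >= 0 && checked_copy(page, 16, 19, src, sizeof src, 0, 8) != 0)
        rejected++;
    free(page);
    return rejected;
}
```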

@rurban rurban self-assigned this Jun 7, 2021
@rurban rurban added bug Something isn't working fuzzing Intentional illegal input labels Jun 7, 2021
@rurban rurban added this to the 0.12.5 milestone Jun 7, 2021
@rurban (Contributor) commented Jun 7, 2021

Also fixed by the fix in GH #349 for invalid sections.

@rurban rurban closed this as completed Jun 7, 2021