heap-buffer-overflow in function bit_read_RC at bits.c:320 #615

Closed
JieyongMa opened this issue Jan 30, 2023 · 1 comment
Labels
fuzzing Intentional illegal input

Comments

@JieyongMa

Description

heap-buffer-overflow in function bit_read_RC at bits.c:320

Version

git log
commit 3c90dc6641e11e486666940d7f354d2df54503d6 (HEAD -> master, tag: 0.12.5.5010, origin/master, origin/HEAD)
Author: Michal Josef Špaček <michal.josef.spacek@gmail.com>
Date:   Fri Jan 27 18:50:08 2023 +0100

Steps to reproduce

apt install jing libjaxp1.3-java libbatik-java libavalon-framework-java

git clone https://github.com/LibreDWG/libredwg.git

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"

cd libredwg
sh ./autogen.sh
./configure --enable-release --enable-trace --disable-shared
make -j
cd programs
./dwg2dxf -b -m ./poc_hbo01.bin -o /dev/null
Reading DWG file ./poc_hbo01.bin
=================================================================
==3322912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000007f at pc 0x0000004f4ebf bp 0x7fffffffaca0 sp 0x7fffffffac98
READ of size 1 at 0x61700000007f thread T0
    #0 0x4f4ebe in bit_read_RC /home/fuzz/libredwg/src/bits.c:320:10
    #1 0x4f5b15 in bit_read_RS /home/fuzz/libredwg/src/bits.c:380:11
    #2 0x4f6155 in bit_read_RL /home/fuzz/libredwg/src/bits.c:443:11
    #3 0x51d38f in decode_R13_R2000 /home/fuzz/libredwg/src/decode.c:682:9
    #4 0x515806 in dwg_decode /home/fuzz/libredwg/src/decode.c:225:38
    #5 0x4ce9c3 in dwg_read_file /home/fuzz/libredwg/src/dwg.c:255:11
    #6 0x4cb903 in main /home/fuzz/libredwg/programs/dwg2dxf.c:258:15
    #7 0x7ffff7c49082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41d4bd in _start (/home/fuzz/libredwg/programs/dwg2dxf+0x41d4bd)

0x61700000007f is located 1 bytes to the left of 652-byte region [0x617000000080,0x61700000030c)
allocated by thread T0 here:
    #0 0x498892 in calloc (/home/fuzz/libredwg/programs/dwg2dxf+0x498892)
    #1 0x4ccfc7 in dat_read_file /home/fuzz/libredwg/src/dwg.c:91:33
    #2 0x4ce911 in dwg_read_file /home/fuzz/libredwg/src/dwg.c:248:15
    #3 0x4cb903 in main /home/fuzz/libredwg/programs/dwg2dxf.c:258:15
    #4 0x7ffff7c49082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libredwg/src/bits.c:320:10 in bit_read_RC
==3322912==ABORTING

POC

poc_hbo01.bin

Impact

This vulnerability is capable of crashing software, bypassing protection mechanisms, and modifying memory, and successful exploitation may lead to code execution.
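
As an added illustration (not LibreDWG's code), a bounds-checked byte reader that mirrors the RC (1 byte) / RS (2 bytes) / RL (4 bytes) layering in the stack trace above: each level checks that the requested bytes lie inside the buffer before descending, and because the position is unsigned, a wrapped position (the one-byte-to-the-left read in the report) fails the same check as a plain overrun. The struct, function names and the 6-byte sample buffer are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed reader state; modelled on, but not copied from, a DWG bit chain. */
typedef struct {
    const uint8_t *chain;  /* start of the file buffer */
    size_t size;           /* number of bytes in chain */
    size_t byte;           /* current byte position */
    int overflow;          /* set once any read would leave the buffer */
} bit_chain_t;

/* 1 if n bytes at the current position are inside the buffer. A wrapped
   position (e.g. SIZE_MAX, the unsigned form of index -1) fails here too. */
static int chain_has(const bit_chain_t *dat, size_t n)
{
    return dat->byte <= dat->size && n <= dat->size - dat->byte;
}

/* RC: one raw byte. */
uint8_t read_RC(bit_chain_t *dat)
{
    if (!chain_has(dat, 1)) { dat->overflow = 1; return 0; }
    return dat->chain[dat->byte++];
}

/* RS: two RCs, little-endian. */
uint16_t read_RS(bit_chain_t *dat)
{
    if (!chain_has(dat, 2)) { dat->overflow = 1; return 0; }
    uint16_t lo = read_RC(dat), hi = read_RC(dat);
    return (uint16_t)(lo | (hi << 8));
}

/* RL: two RSs, little-endian. */
uint32_t read_RL(bit_chain_t *dat)
{
    if (!chain_has(dat, 4)) { dat->overflow = 1; return 0; }
    uint32_t lo = read_RS(dat), hi = read_RS(dat);
    return lo | (hi << 16);
}

/* Reads one RL at pos from a constructed 6-byte buffer ("AC1015" in ASCII);
   returns the value, or -1 if the position was rejected. */
long long read_RL_at(size_t pos)
{
    static const uint8_t sample[6] = {0x41, 0x43, 0x31, 0x30, 0x31, 0x35};
    bit_chain_t dat = { sample, sizeof sample, pos, 0 };
    uint32_t v = read_RL(&dat);
    return dat.overflow ? -1LL : (long long)v;
}
```

Positions 0 and 2 succeed, position 3 is rejected because only three bytes remain, and a wrapped position such as `(size_t)-1` is rejected before any memory is touched.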

@rurban rurban self-assigned this Jan 30, 2023
@rurban rurban added the fuzzing Intentional illegal input label Jan 30, 2023
rurban added a commit that referenced this issue Jan 30, 2023
@rurban rurban closed this as completed Jan 30, 2023
@ajakk

ajakk commented Apr 29, 2023

How can an OOB read result in code execution? Please don't copypaste "impact" text that you've found elsewhere into your own reports without demonstrating that it's accurate.
