
Out-of-Bound Read in read_data_section in 0.12.5 #850

Closed
spaceraccoon opened this issue Sep 26, 2023 · 1 comment
Assignees: rurban
Labels: fuzzing (Intentional illegal input)

Comments


spaceraccoon commented Sep 26, 2023

Hi rurban,

Making a quick report on an out-of-bounds read fuzzing crash. I confirmed this with a build using the --enable-release flag as well.

Release build error:

./programs/dwgread crash.dwg 
ERROR: Invalid num_pages 7274598, skip
ERROR: Invalid section->pages[0] size
Warning: Failed to find section_info[1]
ERROR: Failed to read header section
Warning: Failed to find section_info[3]
ERROR: Failed to read class section
Warning: Failed to find section_info[7]
ERROR: Failed to read objects section
Warning: Failed to find section_info[2]
ERROR: Preview overflow 119 + 0 > 302223
Warning: thumbnail.size mismatch: 302223 != 0
zsh: segmentation fault  ./programs/dwgread ./crash.dwg

Debug trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555810645 in read_data_section (sec_dat=0x7fffffffc1f0, dat=0x7fffffffc880, sections_map=<optimized out>, pages_map=0x555555b0fd50, 
    sec_type=<optimized out>) at decode_r2007.c:840
840           r2007_section_page *section_page = section->pages[i];
(gdb) backtrace
#0  0x0000555555810645 in read_data_section (sec_dat=0x7fffffffc1f0, dat=0x7fffffffc880, sections_map=<optimized out>, pages_map=0x555555b0fd50, 
    sec_type=<optimized out>) at decode_r2007.c:840
#1  0x0000555555808d5c in read_2007_section_revhistory (dat=0x7fffffffc880, dwg=0x7fffffffc8c0, sections_map=0x555555b0f410, 
    pages_map=0x555555b0fd50) at decode_r2007.c:2023
#2  read_r2007_meta_data (dat=0x7fffffffc880, hdl_dat=<optimized out>, dwg=0x7fffffffc8c0) at decode_r2007.c:2466
#3  0x00005555555d5279 in decode_R2007 (dat=0x7fffffffc880, dwg=0x7fffffffc8c0) at decode.c:3469
#4  dwg_decode (dat=0x7fffffffc880, dwg=0x7fffffffc8c0) at decode.c:227
#5  0x00005555555be42d in dwg_read_file (filename=<optimized out>, dwg=0x7fffffffc8c0) at dwg.c:261
#6  0x00005555555be42d in main (argc=<optimized out>, argv=0x7fffffffdec8)

crash.dwg.zip

Thanks!

@spaceraccoon spaceraccoon changed the title Out-of-Bound Read at in read_data_section in 0.12.5 Out-of-Bound Read in read_data_section in 0.12.5 Sep 26, 2023
@rurban rurban self-assigned this Oct 3, 2023
@rurban rurban added the fuzzing Intentional illegal input label Oct 3, 2023
rurban added a commit that referenced this issue Oct 5, 2023
reset invalid section->num_pages.
Fixes GH #850
@rurban rurban closed this as completed Oct 7, 2023
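The referenced commit resets an invalid section->num_pages so that the page loop at decode_r2007.c:840 never indexes past the allocated pages array. The following C is an added illustration of that defensive shape, not libredwg's own code: the section/section_page structs, validate_num_pages, the file-size bound and the demo_* functions are all constructed for this example, using the reported count of 7274598 against a one-page allocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not libredwg's own types: num_pages is the count read
 * from the untrusted file, pages_alloc how many entries really exist in pages[]. */
typedef struct { uint64_t offset, size; } section_page;
typedef struct { uint32_t num_pages; section_page **pages; size_t pages_alloc; } section;

/* Shape of the fix: a count larger than the allocated array, or than the
 * remaining file bytes could hold, is logged and reset to 0 (nothing to loop over). */
int validate_num_pages(section *s, size_t file_remaining, size_t min_page_size)
{
    size_t max_by_size = min_page_size ? file_remaining / min_page_size : 0;
    if (s->num_pages <= s->pages_alloc && s->num_pages <= max_by_size)
        return 0;
    fprintf(stderr, "ERROR: Invalid num_pages %u, skip\n", s->num_pages);
    s->num_pages = 0;
    return -1;
}

/* Loop in the shape of read_data_section: pages[i] is only touched for i < num_pages,
 * which validation keeps <= pages_alloc. Returns summed page size, or -1 if no pages. */
int64_t read_data_section(const section *s)
{
    int64_t total = 0;
    if (s->num_pages == 0 || s->pages == NULL)
        return -1;
    for (uint32_t i = 0; i < s->num_pages; i++)
        total += (int64_t)s->pages[i]->size;
    return total;
}

/* The report's count (7274598) with one real page in a 4096-byte remainder:
 * validation resets it to 0 and the read bails out with -1 instead of reading past pages[]. */
int64_t demo_malformed(void)
{
    section_page p0 = { 0, 100 }, *pages[1] = { &p0 };
    section s = { 7274598, pages, 1 };
    validate_num_pages(&s, 4096, 16);
    return s.num_pages == 0 ? read_data_section(&s) : -2;  /* -2 would mean the reset did not happen */
}

/* A count matching its two allocated pages reads 100 + 200 = 300. */
int64_t demo_valid(void)
{
    section_page p0 = { 0, 100 }, p1 = { 100, 200 }, *pages[2] = { &p0, &p1 };
    section s = { 2, pages, 2 };
    return validate_num_pages(&s, 4096, 16) == 0 ? read_data_section(&s) : -1;
}
```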

spaceraccoon commented Oct 30, 2023 via email

LeSuisse added a commit to LeSuisse/nixpkgs that referenced this issue Jan 28, 2024
github-actions bot pushed a commit to NixOS/nixpkgs that referenced this issue Jan 28, 2024