fuzzing results LibreDWG #99

Closed
YourButterfly opened this issue Mar 12, 2019 · 7 comments
bug Something isn't working


@YourButterfly

libredwg

version

libredwg 0.7 and 0.7.1645

description

libredwg

download link

https://github.com/LibreDWG/libredwg/releases

dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function dwg_dxf_LEADER at dwg.spec:2034-3

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4d91d2b51e bp 0x0c22000045e3 sp 0x7ffd87ed4b60 T0)
==32285==The signal is caused by a READ memory access.
==32285==Hint: address points to the zero page.
    #0 0x7f4d91d2b51d in dwg_dxf_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3
    #1 0x7f4d91d2b51d in dwg_dxf_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:934
    #2 0x7f4d91ca1ba7 in dxf_entities_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1528:18
    #3 0x7f4d91ca1ba7 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1596
    #4 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #5 0x7f4d905aab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3 in dwg_dxf_LEADER
==32285==ABORTING

others

from fuzz project None
crash name None-00000007-1552381583.dwg
Auto-generated by pyspider at 2019-03-12 18:15:41

bit_read_B@___out-of-bounds-read

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is an out-of-bounds read in function bit_read_B at 

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32294==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6692681af1 (pc 0x7f6675cd7f01 bp 0x0c0800001814 sp 0x7ffc0f5f3ef0 T0)
==32294==The signal is caused by a READ memory access.
    #0 0x7f6675cd7f00 in bit_read_B /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c
    #1 0x7f6675f33256 in obj_string_stream /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode_r2007.c:1126:22
    #2 0x7f6675ea3b0f in dwg_decode_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2738:18
    #3 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ_private /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
    #4 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
    #5 0x7f6675d81cc6 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
    #6 0x7f6675d113d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7f6675d113d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7f6675cf4049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7f6675ccf4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7f6674bacb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c in bit_read_B
==32294==ABORTING

others

from fuzz project None
crash name None-00000006-1552381538.dwg
Auto-generated by pyspider at 2019-03-12 18:15:42

dwg_decode_eed_data@decode.c:2353-32___heap-buffer-overflow

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap-buffer-overflow in function dwg_decode_eed_data at decode.c:2353-32

commandline

dwg2dxf @@ -o /dev/null

source

In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
   2348           data->u.eed_4.data[j] = bit_read_RC(dat);
   2349         LOG_TRACE("raw: %s\n", data->u.eed_4.data);
   2350         break;
   2351       case 10: case 11: case 12: case 13: /*case 14: case 15:*/
   2352         data->u.eed_10.point.x = bit_read_RD(dat);
 ► 2353         data->u.eed_10.point.y = bit_read_RD(dat);
   2354         data->u.eed_10.point.z = bit_read_RD(dat);
   2355         LOG_TRACE("3dpoint: %f, %f, %f\n",
   2356                   data->u.eed_10.point.x,
   2357                   data->u.eed_10.point.y,
   2358                   data->u.eed_10.point.z);

bug report

=================================================================
==32310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006740 at pc 0x7efd7e7806c5 bp 0x7ffe71660c30 sp 0x7ffe71660c28
WRITE of size 8 at 0x602000006740 thread T0
    #0 0x7efd7e7806c4 in dwg_decode_eed_data /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32
    #1 0x7efd7e7806c4 in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
    #2 0x7efd7e7757ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
    #3 0x7efd7e64f874 in dwg_decode_LEADER_private /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
    #4 0x7efd7e64f874 in dwg_decode_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
    #5 0x7efd7e64f874 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
    #6 0x7efd7e5fe3d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7efd7e5fe3d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7efd7e5e1049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7efd7e5bc4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7efd7d499b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x602000006740 is located 5 bytes to the right of 11-byte region [0x602000006730,0x60200000673b)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7efd7e77ea9f in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
    #2 0x7efd7e7757ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32 in dwg_decode_eed_data
Shadow bytes around the buggy address:
  0x0c047fff8c90: fa fa 00 00 fa fa 04 fa fa fa 00 03 fa fa 04 fa
  0x0c047fff8ca0: fa fa 00 03 fa fa 00 06 fa fa 00 00 fa fa 00 00
  0x0c047fff8cb0: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 03
  0x0c047fff8cc0: fa fa 04 fa fa fa 00 03 fa fa 00 06 fa fa 00 03
  0x0c047fff8cd0: fa fa 00 06 fa fa 00 03 fa fa 00 06 fa fa 00 03
=>0x0c047fff8ce0: fa fa 00 06 fa fa 00 03[fa]fa fa fa fa fa fa fa
  0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32310==ABORTING

others

from fuzz project None
crash name None-00000003-1552381586.dwg
Auto-generated by pyspider at 2019-03-12 18:15:43

dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap-buffer-overflow in function dwg_dxf_LTYPE at dwg.spec:2523-11

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

=================================================================
==32330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000015008 at pc 0x7eff104ff2d8 bp 0x7ffd1eb7a490 sp 0x7ffd1eb7a488
READ of size 1 at 0x608000015008 thread T0
    #0 0x7eff104ff2d7 in dwg_dxf_LTYPE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11
    #1 0x7eff104de5c1 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
    #2 0x7eff104b01d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7eff0edb9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x608000015008 is located 8 bytes to the right of 96-byte region [0x608000014fa0,0x608000015000)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7eff0ff7c742 in dwg_add_LINE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877:1
    #2 0x7eff0ff7c742 in dwg_decode_LINE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877
    #3 0x7eff0ff7c742 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3555
    #4 0x7eff0ff1e3d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #5 0x7eff0ff1e3d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #6 0x7eff0ff01049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #7 0x7eff0fedc4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #8 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #9 0x7eff0edb9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11 in dwg_dxf_LTYPE
Shadow bytes around the buggy address:
  0x0c107fffa9b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fffaa00: fa[fa]fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa30: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa40: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32330==ABORTING

others

from fuzz project None
crash name None-00000013-1552381572.dwg
Auto-generated by pyspider at 2019-03-12 18:15:44

dxf_header_write@header_variables_dxf.spec:73-3___heap-buffer-overflow

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap-buffer-overflow in function dxf_header_write at header_variables_dxf.spec:73-3

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

=================================================================
==32334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005ae0 at pc 0x7f47f17c85b0 bp 0x7ffdfb1fa790 sp 0x7ffdfb1fa788
READ of size 8 at 0x602000005ae0 thread T0
    #0 0x7f47f17c85af in dxf_header_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3
    #1 0x7f47f179d2c9 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1579:3
    #2 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #3 0x7f47f00a7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x602000005ae0 is located 8 bytes to the right of 8-byte region [0x602000005ad0,0x602000005ad8)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7f47f127cb11 in dwg_add_UNKNOWN_OBJ /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
    #2 0x7f47f127cb11 in dwg_decode_UNKNOWN_OBJ /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
    #3 0x7f47f127cb11 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
    #4 0x7f47f120c3d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #5 0x7f47f120c3d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #6 0x7f47f11ef049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #7 0x7f47f11ca4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #8 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #9 0x7f47f00a7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3 in dxf_header_write
Shadow bytes around the buggy address:
  0x0c047fff8b00: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b10: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b20: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b30: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b40: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8b50: fa fa 00 fa fa fa 00 fa fa fa 00 fa[fa]fa 00 fa
  0x0c047fff8b60: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b70: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b80: fa fa 00 fa fa fa 00 06 fa fa 00 06 fa fa 00 06
  0x0c047fff8b90: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 06
  0x0c047fff8ba0: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32334==ABORTING

others

from fuzz project None
crash name None-00000008-1552381574.dwg
Auto-generated by pyspider at 2019-03-12 18:15:45

dwg_dxf_LTYPE@___null-pointer-dereference

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function dwg_dxf_LTYPE at 

commandline

dwg2dxf @@ -o /dev/null

source

In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.spec
   2482     FIELD_RC (alignment, 72);
   2483   }
   2484   FIELD_RC (num_dashes, 73);
   2485   REPEAT_C(num_dashes, dash, Dwg_LTYPE_dash)
   2486     {
 ► 2487       PRE(R_13)
   2488       {
   2489         FIELD_RD (dash[rcount1].length, 49);
   2490 #ifndef IS_PRINT
   2491         FIELD_VALUE(pattern_len) += FIELD_VALUE(dash[rcount1].length);
   2492 #endif

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb4e3e7f99c bp 0x7ffe9fb40000 sp 0x7ffe9fb3ec00 T0)
==32338==The signal is caused by a READ memory access.
==32338==Hint: address points to the zero page.
    #0 0x7fb4e3e7f99b in dwg_dxf_LTYPE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec
    #1 0x7fb4e3e61658 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1275:20
    #2 0x7fb4e3e331d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7fb4e273cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec in dwg_dxf_LTYPE
==32338==ABORTING

others

from fuzz project None
crash name None-00000012-1552381601.dwg
Auto-generated by pyspider at 2019-03-12 18:15:45

dwg_dxf_LTYPE@dwg.spec:2471-3___null-pointer-dereference

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function dwg_dxf_LTYPE at dwg.spec:2471-3

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7dab4ac4f0 bp 0x3ff0000000000018 sp 0x7fff577b50a0 T0)
==32342==The signal is caused by a READ memory access.
==32342==Hint: address points to the zero page.
    #0 0x7f7dab4ac4ef in dwg_dxf_LTYPE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3
    #1 0x7f7dab48f5c1 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
    #2 0x7f7dab4611d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7f7da9d6ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3 in dwg_dxf_LTYPE
==32342==ABORTING

others

from fuzz project None
crash name None-00000010-1552381589.dwg
Auto-generated by pyspider at 2019-03-12 18:15:45

bit_convert_TU@bits.c:1323-3___null-pointer-dereference

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function bit_convert_TU at bits.c:1323-3

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32351==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7feaa5e0727e bp 0x000000000001 sp 0x7fffe83aecc0 T0)
==32351==The signal is caused by a READ memory access.
==32351==Hint: address points to the zero page.
    #0 0x7feaa5e0727d in bit_convert_TU /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3
    #1 0x7feaa63f0ed0 in dwg_dxf_STYLE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2425:13
    #2 0x7feaa63f0ed0 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1319
    #3 0x7feaa63bc1d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #4 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #5 0x7feaa4cc5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3 in bit_convert_TU
==32351==ABORTING

others

from fuzz project None
crash name None-00000001-1552381543.dwg
Auto-generated by pyspider at 2019-03-12 18:15:46

dwg_decode_eed_data@decode.c:2354-32___heap-buffer-overflow

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap-buffer-overflow in function dwg_decode_eed_data at decode.c:2354-32

commandline

dwg2dxf @@ -o /dev/null

source

In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
   2349         LOG_TRACE("raw: %s\n", data->u.eed_4.data);
   2350         break;
   2351       case 10: case 11: case 12: case 13: /*case 14: case 15:*/
   2352         data->u.eed_10.point.x = bit_read_RD(dat);
   2353         data->u.eed_10.point.y = bit_read_RD(dat);
 ► 2354         data->u.eed_10.point.z = bit_read_RD(dat);
   2355         LOG_TRACE("3dpoint: %f, %f, %f\n",
   2356                   data->u.eed_10.point.x,
   2357                   data->u.eed_10.point.y,
   2358                   data->u.eed_10.point.z);
   2359         break;

bug report

=================================================================
==32355==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300007ff11 at pc 0x7feedd1396cf bp 0x7ffeed7b1e10 sp 0x7ffeed7b1e08
WRITE of size 8 at 0x60300007ff11 thread T0
    #0 0x7feedd1396ce in dwg_decode_eed_data /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32
    #1 0x7feedd1396ce in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
    #2 0x7feedd12e7ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
    #3 0x7feedd008874 in dwg_decode_LEADER_private /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
    #4 0x7feedd008874 in dwg_decode_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
    #5 0x7feedd008874 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
    #6 0x7feedcfb73d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7feedcfb73d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7feedcf9a049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7feedcf754b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7feedbe52b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x60300007ff11 is located 0 bytes to the right of 17-byte region [0x60300007ff00,0x60300007ff11)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7feedd137a9f in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
    #2 0x7feedd12e7ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32 in dwg_decode_eed_data
Shadow bytes around the buggy address:
  0x0c0680007f90: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c0680007fa0: 00 05 fa fa 00 00 00 02 fa fa 00 00 01 fa fa fa
  0x0c0680007fb0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c0680007fc0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0680007fd0: fd fd fa fa 00 00 00 05 fa fa 00 00 00 02 fa fa
=>0x0c0680007fe0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680007ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680008000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32355==ABORTING

others

from fuzz project None
crash name None-00000004-1552381550.dwg
Auto-generated by pyspider at 2019-03-12 18:15:46

dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read

description

An issue was discovered in libredwg 0.7 and 0.7.1645. There is an out-of-bounds read in function dwg_dxf_BLOCK_CONTROL at dwg.spec:2154-1

commandline

dwg2dxf @@ -o /dev/null

source

None

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32364==ERROR: AddressSanitizer: SEGV on unknown address 0x00207fff8003 (pc 0x7f4948e0cf48 bp 0x7fffdb01b150 sp 0x7fffdb01aee0 T0)
==32364==The signal is caused by a READ memory access.
    #0 0x7f4948e0cf47 in dwg_dxf_BLOCK_CONTROL /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1
    #1 0x7f4948e0cf47 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1421
    #2 0x7f4948dce1d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7f49476d7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1 in dwg_dxf_BLOCK_CONTROL
==32364==ABORTING

others

from fuzz project None
crash name None-00000005-1552381649.dwg
Auto-generated by pyspider at 2019-03-12 18:15:47

dwg2dxf.tar.gz

And the same report was sent to savannah.gnu.org/bugs

@rurban rurban self-assigned this Mar 12, 2019
@rurban rurban added the bug Something isn't working label Mar 12, 2019
@rurban

rurban commented Mar 12, 2019

Fuzzing, nice!

rurban added a commit that referenced this issue Apr 20, 2019
dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference
This is at FIELD_3DPOINT_VECTOR in LEADER.
There are illegal size fields (num_points) in LEADER on decode, which are not yet set to 0.
Add a _LV macro variant for size lvalue, which can be set to 0.

Also found an entity with entmode 3 but empty ownerhandle. Write an empty ownerhandle then.
@rurban

rurban commented Apr 20, 2019

dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference:

Could repro it with 0.7.1645 and master.
This is at FIELD_3DPOINT_VECTOR in LEADER.
There are illegal size fields (num_points) in LEADER on decode, which are not yet set to 0.

num_points: 538181910 [BL 76]
ERROR: Invalid points size 538181910. Need min. 3229091460 bits for 3BD, have 1211 for LEADER
num_points: 96 [BL 76]
ERROR: Invalid points size 96. Need min. 576 bits for 3BD, have -1001 for LEADER

Fixed with c948548
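
A worked version of the check described in the comment above (an illegal file-supplied num_points compared against the bits actually left in the object, with the count forced to 0 on failure so the DXF writer never walks a NULL array), as an added example in C. This is not libredwg's code and not commit c948548: the BitChain and Leader structs, the 6-bit minimum per 3BD point (three bit-doubles at 2 bits each, which is what makes 538181910 points need 3229091460 bits and 96 points need 576), the constructed 152-byte sample and the placeholder per-point decode are all assumptions modelled on the error lines quoted in the comment.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the decoder's bit stream over one object. Assumption: only the
 * fields the size check needs are modelled; the real Bit_Chain has more. */
typedef struct {
    const unsigned char *chain;
    size_t size;   /* bytes in the stream */
    size_t byte;   /* current byte; may already be past `size` after a bad read */
    unsigned bit;  /* current bit within the byte, 0..7 */
} BitChain;

/* A bit-double (BD) is at least 2 bits (its 2-bit code alone encodes 0.0 or 1.0),
 * so a 3BD point needs at least 6 bits: the "Need min. N bits for 3BD" figure. */
#define MIN_BITS_3BD (3 * 2)

/* Bits still readable; negative when the position is already past the end. */
static long bits_remaining(const BitChain *dat)
{
    return (long)dat->size * 8 - ((long)dat->byte * 8 + (long)dat->bit);
}

/* Reject a file-supplied count that no amount of remaining input could back.
 * 64-bit arithmetic keeps count * 6 from wrapping (538181910 * 6 > UINT32_MAX). */
static int check_points_size(const BitChain *dat, uint32_t count, const char *obj)
{
    uint64_t need = (uint64_t)count * MIN_BITS_3BD;
    long have = bits_remaining(dat);
    if (have < 0 || need > (uint64_t)have) {
        fprintf(stderr, "ERROR: Invalid points size %u. Need min. %llu bits for 3BD, have %ld for %s\n",
                count, (unsigned long long)need, have, obj);
        return -1;
    }
    return 0;
}

typedef struct { double x, y, z; } Point3D;
typedef struct { uint32_t num_points; Point3D *points; } Leader;

/* Decode the LEADER point vector. On a rejected count the size field stays 0 and the
 * array NULL, so a later writer loops zero times instead of dereferencing NULL.
 * The per-point decode is a placeholder that only advances the stream by 6 bits. */
static int decode_leader_points(BitChain *dat, uint32_t file_count, Leader *out)
{
    out->num_points = 0;
    out->points = NULL;
    if (check_points_size(dat, file_count, "LEADER") != 0)
        return -1;
    out->points = calloc(file_count, sizeof(Point3D));
    if (out->points == NULL && file_count != 0)
        return -1;
    out->num_points = file_count;
    for (uint32_t i = 0; i < file_count; i++) {   /* all-zero sample bits decode as 0.0 */
        dat->bit += MIN_BITS_3BD; dat->byte += dat->bit / 8; dat->bit %= 8;
    }
    return 0;
}

/* Writer side (DXF-like). Safe whether or not decode succeeded; returns points written. */
static uint32_t write_leader_points(const Leader *l, FILE *fp)
{
    for (uint32_t i = 0; i < l->num_points; i++)
        fprintf(fp, " 10\n%f\n 20\n%f\n 30\n%f\n", l->points[i].x, l->points[i].y, l->points[i].z);
    return l->num_points;
}

/* Constructed sample: 152 zero bytes standing in for an object body. */
static unsigned char g_sample[152];
static BitChain sample_chain(size_t size, size_t byte, unsigned bit)
{
    BitChain d = { g_sample, size, byte, bit };
    return d;
}

/* The two counts from the thread: 1211 bits left (152 bytes, 5 bits used), and a
 * stream already 1001 bits past its end (10 bytes, position byte 135 bit 1). */
int demo_reject_bad_counts(void)
{
    BitChain a = sample_chain(152, 0, 5), b = sample_chain(10, 135, 1);
    int rejected = 0;
    rejected += check_points_size(&a, 538181910u, "LEADER") == -1;
    rejected += check_points_size(&b, 96, "LEADER") == -1;
    return rejected;   /* 2 */
}

/* A sane count decodes, and the writer emits exactly that many points. */
int demo_accept_small_count(void)
{
    Leader l;
    BitChain d = sample_chain(152, 0, 0);
    if (decode_leader_points(&d, 2, &l) != 0)
        return -1;
    int n = (int)write_leader_points(&l, stdout);
    free(l.points);
    return n;   /* 2 */
}

/* After a rejected count the writer must still be safe: 0 points, no NULL dereference. */
int demo_writer_after_reject(void)
{
    Leader l;
    BitChain d = sample_chain(152, 0, 5);
    (void)decode_leader_points(&d, 538181910u, &l);
    return (int)write_leader_points(&l, stdout);   /* 0 */
}
```

The two halves matter together: the decoder rejects the count before calloc (so a 538181910-element allocation never happens and a position past the end of the stream is treated as "no bits left", not as a large unsigned value), and the rejected object is left in a state the writer can handle, which is the DXF-side crash this case reported.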

@rurban

rurban commented Apr 20, 2019

bit_read_B@___out-of-bounds-read

This is really a missing ENDBLK entity (missing in HANDLEs), which caused get_last_owned_block to fail. dwg_validate_INSERT needs to ensure that a valid ENDBLK is added.
So far added an empty dummy ENDBLK for DXF only.

Fixed with 0c6a267 and then much better with 9e662ca

rurban added a commit that referenced this issue Apr 20, 2019
This from the #99 bit_read_B@___out-of-bounds-read fuzzer case
@rurban rurban closed this as completed in c948548 Apr 21, 2019
rurban added a commit that referenced this issue Apr 21, 2019
This from the #99 bit_read_B@___out-of-bounds-read fuzzer case.

TODO: The real fix should be put into dwg_validate_INSERT
so that get_last_owned_block can never fail, and always return
a valid ENDBLK even if it couldn't be found at decode.
@rurban rurban reopened this Apr 21, 2019
@rurban rurban changed the title from "serveral bugs in LibreDWG" to "fuzzing results LibreDWG" Apr 22, 2019
rurban added a commit that referenced this issue Apr 22, 2019
and add if missing.
This fixes the problem of the previous commit much better, it is not
only a DXF-specific hack anymore.
Closes part 2 of #99, the bit_read_B@___out-of-bounds-read testcase.
Unlike as with the previous fix, the generated/found ENDBLK entity has
now the correct groups 5 and 330, and the missing object_ref handle is
fixed up.
@rurban

rurban commented Apr 22, 2019

dwg_decode_eed_data@decode.c:2353-32___heap-buffer-overflow

This is a logical realloc mismatch in eed idx vs num_eed, leading to internal malloc corruption.
Handled in #104
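
The two dwg_decode_eed_data reports above show an 8-byte write landing past an 11-byte and, in the second case, a 17-byte region that dwg_decode_eed had calloc'd, while the comment traces the root cause to an eed idx vs num_eed realloc mismatch handled in #104. The following added example is not libredwg's code or its fix; it shows a decoder layout in which both invariants hold: when the entry array is grown with realloc, the slot index and the entry count come from the same variable, and a code-10..13 payload is checked against the record's declared size before the three doubles are written into a data struct allocated at its full size rather than at the file-supplied size. The record layout (little-endian uint16 size, code byte, payload), the struct names and the constructed records are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative record shapes (assumption: libredwg's Dwg_Eed / Dwg_Eed_Data differ).
 * A record carries a file-declared size, a code byte and a code-dependent payload. */
typedef struct { double x, y, z; } Point3D;
typedef struct {
    uint8_t code;
    union {
        struct { uint8_t length; uint8_t data[255]; } eed_4;  /* code 4: raw bytes */
        struct { Point3D point; } eed_10;                     /* codes 10..13: three RD doubles */
    } u;
} EedData;
typedef struct { uint16_t size; EedData *data; } Eed;
typedef struct { uint32_t num_eed; Eed *eed; } Object;

/* Grow by one and return the new slot: index and count come from the same variable. */
static Eed *eed_append(Object *obj)
{
    uint32_t idx = obj->num_eed;
    Eed *grown = realloc(obj->eed, ((size_t)idx + 1) * sizeof(Eed));
    if (grown == NULL)
        return NULL;
    obj->eed = grown;
    obj->num_eed = idx + 1;
    memset(&obj->eed[idx], 0, sizeof(Eed));
    return &obj->eed[idx];
}

static double read_rd(const uint8_t *p) { double d; memcpy(&d, p, sizeof d); return d; }

/* Decode one record from buf[0..len). Returns bytes consumed, 0 on a malformed record.
 * The payload is sized against `size` before anything is written, and the data struct
 * is always allocated at sizeof(EedData), never at the file-supplied `size`. */
static size_t decode_eed_record(Object *obj, const uint8_t *buf, size_t len)
{
    if (len < 2) return 0;
    uint16_t size = (uint16_t)(buf[0] | (buf[1] << 8));
    if (size == 0 || (size_t)size > len - 2)
        return 0;                                  /* record must lie inside the input */
    const uint8_t *rec = buf + 2;
    Eed *e = eed_append(obj);
    if (e == NULL) return 0;
    e->size = size;
    e->data = calloc(1, sizeof(EedData));
    if (e->data == NULL) return 0;
    e->data->code = rec[0];
    switch (rec[0]) {
    case 10: case 11: case 12: case 13:
        if (size < 1 + 3 * sizeof(double))
            goto too_small;                        /* 11 or 17 bytes cannot hold three RDs */
        e->data->u.eed_10.point.x = read_rd(rec + 1);
        e->data->u.eed_10.point.y = read_rd(rec + 9);
        e->data->u.eed_10.point.z = read_rd(rec + 17);
        break;
    default:
        goto too_small;                            /* other codes are out of scope here */
    }
    return 2 + (size_t)size;
too_small:
    fprintf(stderr, "ERROR: EED code %u: size %u too small for its payload\n", rec[0], size);
    return 0;
}

static void free_object(Object *obj)
{
    for (uint32_t i = 0; i < obj->num_eed; i++)
        free(obj->eed[i].data);
    free(obj->eed);
}

/* Constructed sample: a code-10 record with a caller-chosen declared size. */
static size_t build_point_record(uint8_t *out, uint16_t size, double x, double y, double z)
{
    out[0] = (uint8_t)(size & 0xff); out[1] = (uint8_t)(size >> 8); out[2] = 10;
    memcpy(out + 3, &x, 8); memcpy(out + 11, &y, 8); memcpy(out + 19, &z, 8);
    return 2 + 25;
}

/* Well-formed record (size 25 = code byte + 24 bytes of doubles): decodes, point survives. */
int demo_decode_valid_point(void)
{
    uint8_t buf[32];
    Object obj = { 0, NULL };
    size_t len = build_point_record(buf, 25, 1.0, 2.0, 3.0);
    size_t used = decode_eed_record(&obj, buf, len);
    int ok = used == 27 && obj.num_eed == 1 && obj.eed[0].data->u.eed_10.point.z == 3.0;
    free_object(&obj);
    return ok ? 27 : -1;
}

/* The shape from the first ASan report: a code-10 record declaring only 11 bytes. */
int demo_reject_short_point(void)
{
    uint8_t buf[32];
    Object obj = { 0, NULL };
    build_point_record(buf, 11, 1.0, 2.0, 3.0);       /* same bytes, but the record says 11 */
    size_t used = decode_eed_record(&obj, buf, 13);   /* only 2 + 11 bytes exist "in the file" */
    free_object(&obj);
    return (int)used;   /* 0: rejected before any double is written */
}
```

With the declared size checked up front, the 11- and 17-byte cases from the reports fail closed instead of writing 8 bytes past the allocation; with the slot returned by the same call that bumped num_eed, there is no separate index that can drift from the allocated count.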

rurban added a commit that referenced this issue Apr 23, 2019
fuzzing created an invalid DWG without initial BLOCK_CONTROL
object. Check this and error. Fixes case dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read of #99
@rurban

rurban commented Apr 23, 2019

dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read

added dwg_block_control error handling.
fuzzing created an invalid DWG without initial BLOCK_CONTROL object. Check this and error.
Fixed with d8af38d

rurban added a commit that referenced this issue Apr 23, 2019
check LTYPE header reference for the correct type.
Fixes case dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow at #99
rurban added a commit that referenced this issue Apr 23, 2019
which is a more general fix for wrong object, as in
#99 case dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow
@rurban

rurban commented Apr 23, 2019

bit_convert_TU@bits.c:1323-3___null-pointer-dereference

Check NULL ptr at bit_convert_TU, and bypass STYLE.font_name dxf logic for NULL name.
Fixed with c6f58bc

rurban added a commit that referenced this issue Apr 23, 2019
May be a NULL ptr.
Fixes case bit_convert_TU@bits.c:1323-3___null-pointer-dereference
of #99.
@rurban

rurban commented Apr 24, 2019

All fuzzing vuln fixes are now in master, also tested with asan. Thanks a lot.

@rurban rurban closed this as completed Apr 24, 2019
rurban added a commit that referenced this issue Apr 24, 2019
fixes asan errors with #99 cases