fuzzing results LibreDWG #99
Comments
Fuzzing, nice!
dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference: This is at FIELD_3DPOINT_VECTOR in LEADER. There are illegal size fields (num_points) in LEADER on decode, which are not yet set to 0. Add a _LV macro variant for the size lvalue, which can be set to 0. Also found an entity with entmode 3 but an empty ownerhandle. Write an empty ownerhandle then.
dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference: Could repro it with 0.7.1645 and master. Fixed with c948548
bit_read_B@___out-of-bounds-read: This is really a missing ENDBLK entity (missing in HANDLEs), which caused get_last_owned_block to fail. dwg_validate_INSERT needs to ensure that a valid ENDBLK is added.
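The LEADER case above is a count/pointer consistency failure: the decoder keeps a num_points read from the file even when no array was allocated behind it, and the DXF writer then trusts the count and reads through a NULL pointer. The following is an added illustration of that failure mode and of the fix the maintainer describes (reset the size lvalue to 0 when it cannot be honoured). It is constructed example code, not LibreDWG's own decoder or writer; the struct names, MAX_POINTS bound and the decode/write functions are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct { double x, y, z; } point3d;

typedef struct {
    unsigned long num_points;   /* size field read from untrusted input */
    point3d *points;            /* array that num_points is supposed to describe */
} leader_t;

/* Hypothetical sanity bound; a real decoder would derive it from the section size. */
#define MAX_POINTS 100000UL

/* Buggy decode: the size field is stored before the allocation is validated,
   so an absurd count leaves num_points != 0 with points == NULL. */
static int decode_leader_buggy(leader_t *ld, unsigned long count_from_file)
{
    ld->num_points = count_from_file;
    if (count_from_file > MAX_POINTS) {
        ld->points = NULL;
        return -1;
    }
    ld->points = calloc(count_from_file, sizeof *ld->points);
    return ld->points ? 0 : -1;
}

/* Fixed decode: the size field is only set once the array really exists; on
   any failure it stays 0, so the struct is self-consistent for every caller. */
static int decode_leader_fixed(leader_t *ld, unsigned long count_from_file)
{
    ld->num_points = 0;
    ld->points = NULL;
    if (count_from_file > MAX_POINTS)
        return -1;
    if (count_from_file == 0)
        return 0;
    ld->points = calloc(count_from_file, sizeof *ld->points);
    if (!ld->points)
        return -1;
    ld->num_points = count_from_file;
    return 0;
}

/* Writer: emits DXF group codes 10/20/30 per point. Returns the number of
   points written, or -1 if the struct is inconsistent. Without the first
   check, points[i] is dereferenced through NULL, which is the crash ASan
   reported at dwg.spec:2034. */
static long write_leader_points(const leader_t *ld, FILE *out)
{
    if (ld->num_points != 0 && ld->points == NULL)
        return -1;
    for (unsigned long i = 0; i < ld->num_points; i++) {
        const point3d *p = &ld->points[i];
        if (out)
            fprintf(out, "10\n%g\n20\n%g\n30\n%g\n", p->x, p->y, p->z);
    }
    return (long)ld->num_points;
}

/* Runs one fuzzed count through the chosen decoder and then the writer. */
static long decode_then_write(int use_fixed, unsigned long count_from_file)
{
    leader_t ld;
    if (use_fixed)
        decode_leader_fixed(&ld, count_from_file);
    else
        decode_leader_buggy(&ld, count_from_file);
    long written = write_leader_points(&ld, NULL);
    free(ld.points);
    return written;
}

int main(void)
{
    /* 0xFFFFFFFF stands in for a fuzzed, out-of-range num_points. */
    printf("buggy decoder, fuzzed count: writer result %ld\n", decode_then_write(0, 0xFFFFFFFFUL));
    printf("fixed decoder, fuzzed count: writer result %ld\n", decode_then_write(1, 0xFFFFFFFFUL));
    printf("fixed decoder, sane count:   writer result %ld\n", decode_then_write(1, 3));
    return 0;
}
```

The point of the two-sided fix is that the decoder invariant (num_points is 0 unless points is allocated) removes the crash for every writer, while the writer's own NULL check is cheap insurance against any other code path that still produces an inconsistent struct.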
This from the #99 bit_read_B@___out-of-bounds-read fuzzer case. TODO: The real fix should be put into dwg_validate_INSERT so that get_last_owned_block can never fail, and always return a valid ENDBLK even if it couldn't be found at decode.
and add if missing. This fixes the problem of the previous commit much better, it is not only a DXF-specific hack anymore. Closes part 2 of #99, the bit_read_B@___out-of-bounds-read testcase. Unlike with the previous fix, the generated/found ENDBLK entity now has the correct groups 5 and 330, and the missing object_ref handle is fixed up.
dwg_decode_eed_data@decode.c:2353-32___heap-buffer-overflow: This is a logical realloc mismatch in eed idx vs num_eed, leading to internal malloc corruption.
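The EED case is a different consistency failure from the LEADER one: the array is grown with realloc according to one counter but written through another, so a record stream that makes the counters drift apart lands a write past the reallocated block (ASan reports it as 5 bytes past an 11-byte region, and in the 2354-32 twin as 0 bytes past a 17-byte region). The added example below is constructed to illustrate that bug class, not LibreDWG's actual dwg_decode_eed code; the record layout, the rule that a zero-size record terminates the list, and the function names are assumptions. The buggy bookkeeping is simulated without touching memory so it can be run safely, and the fixed decoder uses a single counter that both sizes and indexes the array.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct { unsigned char size; unsigned char *data; } eed_t;
typedef struct { unsigned long num_eed; eed_t *eed; } entity_t;

/* Constructed record-size streams standing in for fuzzed and benign input. */
static const unsigned char SAMPLE_FUZZED[] = { 3, 0, 5 };   /* empty record mid-list */
static const unsigned char SAMPLE_TWO[]    = { 3, 5 };      /* two well-formed records */

/* Simulation of the buggy bookkeeping only (no memory is touched): num_eed,
   which sizes each realloc, grows once per non-empty record, while the write
   index idx grows once per record. Returns the index of the first record
   whose write would land at idx >= num_eed, i.e. past the reallocated array,
   or -1 if the two counters never drift apart. */
static long first_out_of_bounds_write(const unsigned char *sizes, size_t n)
{
    unsigned long num_eed = 0, idx = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i])
            num_eed++;
        if (idx >= num_eed)
            return (long)i;
        idx++;
    }
    return -1;
}

/* Fixed decoder: one counter sizes the array and indexes it, the slot is only
   written after realloc succeeded, and a zero-size record terminates the list
   instead of consuming a slot, so e->num_eed always equals the number of valid
   entries in e->eed. Returns the number of records stored, or -1 on OOM. */
static long decode_eed_fixed(entity_t *e, const unsigned char *sizes, size_t n)
{
    e->num_eed = 0;
    e->eed = NULL;
    for (size_t i = 0; i < n && sizes[i]; i++) {
        eed_t *grown = realloc(e->eed, (e->num_eed + 1) * sizeof *grown);
        if (!grown)
            return -1;                    /* old buffer still valid; caller frees it */
        e->eed = grown;
        e->eed[e->num_eed].size = sizes[i];
        e->eed[e->num_eed].data = NULL;   /* payload bytes omitted in this illustration */
        e->num_eed++;
    }
    return (long)e->num_eed;
}

static void free_eed(entity_t *e)
{
    free(e->eed);
    e->eed = NULL;
    e->num_eed = 0;
}

/* Decodes a size stream with the fixed decoder and reports the stored count. */
static long decode_count(const unsigned char *sizes, size_t n)
{
    entity_t e;
    long stored = decode_eed_fixed(&e, sizes, n);
    free_eed(&e);
    return stored;
}

int main(void)
{
    printf("fuzzed stream: buggy bookkeeping overflows at record %ld, fixed decoder stores %ld\n",
           first_out_of_bounds_write(SAMPLE_FUZZED, sizeof SAMPLE_FUZZED),
           decode_count(SAMPLE_FUZZED, sizeof SAMPLE_FUZZED));
    printf("benign stream: buggy bookkeeping overflows at record %ld, fixed decoder stores %ld\n",
           first_out_of_bounds_write(SAMPLE_TWO, sizeof SAMPLE_TWO),
           decode_count(SAMPLE_TWO, sizeof SAMPLE_TWO));
    return 0;
}
```

A useful habit when reviewing realloc-grown lists in a decoder is to look for exactly this shape: any write `arr[i]` where `i` is not the same variable that was used to compute the realloc size is a candidate for the mismatch, and an invariant check such as `assert(idx < num_eed)` before the write turns a silent heap corruption into an immediate, attributable failure under fuzzing.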
Fuzzing created an invalid DWG without an initial BLOCK_CONTROL object. Check this and error. Fixes case dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read of #99
dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read: added dwg_block_control error handling.
check LTYPE header reference for the correct type. Fixes case dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow at #99
which is a more general fix for wrong object, as in #99 case dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow
bit_convert_TU@bits.c:1323-3___null-pointer-dereference: Check NULL ptr at bit_convert_TU, and bypass STYLE.font_name dxf logic for NULL name.
May be a NULL ptr. Fixes case bit_convert_TU@bits.c:1323-3___null-pointer-dereference of #99.
All fuzzing vuln fixes are now in master, also tested with asan. Thanks a lot.
libredwg
version
description
download link
dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference
description
commandline
source
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4d91d2b51e bp 0x0c22000045e3 sp 0x7ffd87ed4b60 T0)
==32285==The signal is caused by a READ memory access.
==32285==Hint: address points to the zero page.
    #0 0x7f4d91d2b51d in dwg_dxf_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3
    #1 0x7f4d91d2b51d in dwg_dxf_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:934
    #2 0x7f4d91ca1ba7 in dxf_entities_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1528:18
    #3 0x7f4d91ca1ba7 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1596
    #4 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #5 0x7f4d905aab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3 in dwg_dxf_LEADER
==32285==ABORTING
others
bit_read_B@___out-of-bounds-read
description
commandline
source
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32294==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6692681af1 (pc 0x7f6675cd7f01 bp 0x0c0800001814 sp 0x7ffc0f5f3ef0 T0)
==32294==The signal is caused by a READ memory access.
    #0 0x7f6675cd7f00 in bit_read_B /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c
    #1 0x7f6675f33256 in obj_string_stream /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode_r2007.c:1126:22
    #2 0x7f6675ea3b0f in dwg_decode_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2738:18
    #3 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ_private /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
    #4 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
    #5 0x7f6675d81cc6 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
    #6 0x7f6675d113d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7f6675d113d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7f6675cf4049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7f6675ccf4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7f6674bacb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c in bit_read_B
==32294==ABORTING
others
dwg_decode_eed_data@decode.c:2353-32___heap-buffer-overflow
description
commandline
source
bug report
=================================================================
==32310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006740 at pc 0x7efd7e7806c5 bp 0x7ffe71660c30 sp 0x7ffe71660c28
WRITE of size 8 at 0x602000006740 thread T0
    #0 0x7efd7e7806c4 in dwg_decode_eed_data /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32
    #1 0x7efd7e7806c4 in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
    #2 0x7efd7e7757ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
    #3 0x7efd7e64f874 in dwg_decode_LEADER_private /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
    #4 0x7efd7e64f874 in dwg_decode_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
    #5 0x7efd7e64f874 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
    #6 0x7efd7e5fe3d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7efd7e5fe3d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7efd7e5e1049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7efd7e5bc4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7efd7d499b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x602000006740 is located 5 bytes to the right of 11-byte region [0x602000006730,0x60200000673b)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7efd7e77ea9f in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
    #2 0x7efd7e7757ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32 in dwg_decode_eed_data
Shadow bytes around the buggy address:
  0x0c047fff8c90: fa fa 00 00 fa fa 04 fa fa fa 00 03 fa fa 04 fa
  0x0c047fff8ca0: fa fa 00 03 fa fa 00 06 fa fa 00 00 fa fa 00 00
  0x0c047fff8cb0: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 03
  0x0c047fff8cc0: fa fa 04 fa fa fa 00 03 fa fa 00 06 fa fa 00 03
  0x0c047fff8cd0: fa fa 00 06 fa fa 00 03 fa fa 00 06 fa fa 00 03
=>0x0c047fff8ce0: fa fa 00 06 fa fa 00 03[fa]fa fa fa fa fa fa fa
  0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32310==ABORTING
others
dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow
description
commandline
source
bug report
=================================================================
==32330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000015008 at pc 0x7eff104ff2d8 bp 0x7ffd1eb7a490 sp 0x7ffd1eb7a488
READ of size 1 at 0x608000015008 thread T0
    #0 0x7eff104ff2d7 in dwg_dxf_LTYPE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11
    #1 0x7eff104de5c1 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
    #2 0x7eff104b01d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7eff0edb9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x608000015008 is located 8 bytes to the right of 96-byte region [0x608000014fa0,0x608000015000)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7eff0ff7c742 in dwg_add_LINE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877:1
    #2 0x7eff0ff7c742 in dwg_decode_LINE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877
    #3 0x7eff0ff7c742 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3555
    #4 0x7eff0ff1e3d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #5 0x7eff0ff1e3d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #6 0x7eff0ff01049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #7 0x7eff0fedc4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #8 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #9 0x7eff0edb9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11 in dwg_dxf_LTYPE
Shadow bytes around the buggy address:
  0x0c107fffa9b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fffaa00: fa[fa]fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa30: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa40: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32330==ABORTING
others
dxf_header_write@header_variables_dxf.spec:73-3___heap-buffer-overflow
description
commandline
source
bug report
=================================================================
==32334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005ae0 at pc 0x7f47f17c85b0 bp 0x7ffdfb1fa790 sp 0x7ffdfb1fa788
READ of size 8 at 0x602000005ae0 thread T0
    #0 0x7f47f17c85af in dxf_header_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3
    #1 0x7f47f179d2c9 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1579:3
    #2 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #3 0x7f47f00a7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x602000005ae0 is located 8 bytes to the right of 8-byte region [0x602000005ad0,0x602000005ad8)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7f47f127cb11 in dwg_add_UNKNOWN_OBJ /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
    #2 0x7f47f127cb11 in dwg_decode_UNKNOWN_OBJ /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
    #3 0x7f47f127cb11 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
    #4 0x7f47f120c3d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #5 0x7f47f120c3d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #6 0x7f47f11ef049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #7 0x7f47f11ca4b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #8 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #9 0x7f47f00a7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3 in dxf_header_write
Shadow bytes around the buggy address:
  0x0c047fff8b00: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b10: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b20: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b30: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b40: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8b50: fa fa 00 fa fa fa 00 fa fa fa 00 fa[fa]fa 00 fa
  0x0c047fff8b60: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b70: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b80: fa fa 00 fa fa fa 00 06 fa fa 00 06 fa fa 00 06
  0x0c047fff8b90: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 06
  0x0c047fff8ba0: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32334==ABORTING
others
dwg_dxf_LTYPE@___null-pointer-dereference
description
commandline
source
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb4e3e7f99c bp 0x7ffe9fb40000 sp 0x7ffe9fb3ec00 T0)
==32338==The signal is caused by a READ memory access.
==32338==Hint: address points to the zero page.
    #0 0x7fb4e3e7f99b in dwg_dxf_LTYPE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec
    #1 0x7fb4e3e61658 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1275:20
    #2 0x7fb4e3e331d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7fb4e273cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec in dwg_dxf_LTYPE
==32338==ABORTING
others
dwg_dxf_LTYPE@dwg.spec:2471-3___null-pointer-dereference
description
commandline
source
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7dab4ac4f0 bp 0x3ff0000000000018 sp 0x7fff577b50a0 T0)
==32342==The signal is caused by a READ memory access.
==32342==Hint: address points to the zero page.
    #0 0x7f7dab4ac4ef in dwg_dxf_LTYPE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3
    #1 0x7f7dab48f5c1 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
    #2 0x7f7dab4611d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7f7da9d6ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3 in dwg_dxf_LTYPE
==32342==ABORTING
others
bit_convert_TU@bits.c:1323-3___null-pointer-dereference
description
commandline
source
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32351==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7feaa5e0727e bp 0x000000000001 sp 0x7fffe83aecc0 T0)
==32351==The signal is caused by a READ memory access.
==32351==Hint: address points to the zero page.
    #0 0x7feaa5e0727d in bit_convert_TU /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3
    #1 0x7feaa63f0ed0 in dwg_dxf_STYLE /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2425:13
    #2 0x7feaa63f0ed0 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1319
    #3 0x7feaa63bc1d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #4 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #5 0x7feaa4cc5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3 in bit_convert_TU
==32351==ABORTING
others
dwg_decode_eed_data@decode.c:2354-32___heap-buffer-overflow
description
commandline
source
bug report
=================================================================
==32355==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300007ff11 at pc 0x7feedd1396cf bp 0x7ffeed7b1e10 sp 0x7ffeed7b1e08
WRITE of size 8 at 0x60300007ff11 thread T0
    #0 0x7feedd1396ce in dwg_decode_eed_data /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32
    #1 0x7feedd1396ce in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
    #2 0x7feedd12e7ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
    #3 0x7feedd008874 in dwg_decode_LEADER_private /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
    #4 0x7feedd008874 in dwg_decode_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
    #5 0x7feedd008874 in dwg_decode_add_object /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
    #6 0x7feedcfb73d9 in read_2004_section_handles /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7feedcfb73d9 in decode_R2004 /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7feedcf9a049 in dwg_decode /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7feedcf754b1 in dwg_read_file /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7feedbe52b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x60300007ff11 is located 0 bytes to the right of 17-byte region [0x60300007ff00,0x60300007ff11)
allocated by thread T0 here:
    #0 0x4da478 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7feedd137a9f in dwg_decode_eed /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
    #2 0x7feedd12e7ce in dwg_decode_entity /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32 in dwg_decode_eed_data
Shadow bytes around the buggy address:
  0x0c0680007f90: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c0680007fa0: 00 05 fa fa 00 00 00 02 fa fa 00 00 01 fa fa fa
  0x0c0680007fb0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c0680007fc0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0680007fd0: fd fd fa fa 00 00 00 05 fa fa 00 00 00 02 fa fa
=>0x0c0680007fe0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680007ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680008000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32355==ABORTING
others
dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read
description
commandline
source
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32364==ERROR: AddressSanitizer: SEGV on unknown address 0x00207fff8003 (pc 0x7f4948e0cf48 bp 0x7fffdb01b150 sp 0x7fffdb01aee0 T0)
==32364==The signal is caused by a READ memory access.
    #0 0x7f4948e0cf47 in dwg_dxf_BLOCK_CONTROL /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1
    #1 0x7f4948e0cf47 in dxf_tables_write /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1421
    #2 0x7f4948dce1d5 in dwg_write_dxf /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main /home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7f49476d7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start (/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1 in dwg_dxf_BLOCK_CONTROL
==32364==ABORTING
others
dwg2dxf.tar.gz
And the same report was sent to savannah.gnu.org/bugs
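The case names used throughout this report (dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference and so on) are derived from the ASan SUMMARY line: crashing function, basename of the file with line:col rewritten as line-col (empty when the frame has no line info, as in bit_read_B@___out-of-bounds-read), and a bug class. As an added example of how a triage script can rebuild such a dedup key from raw sanitizer output, here is a small C routine; it is not the reporter's tooling or LibreDWG code. The SEGV classification (zero-page hint means null-pointer-dereference, any other SEGV means out-of-bounds-read) is an assumption inferred from the reports above, and the three sample reports are constructed, abbreviated versions of the thread's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample reports, shortened to the lines the key depends on. */
static const char SAMPLE_NULL_DEREF[] =
    "==32285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000\n"
    "==32285==Hint: address points to the zero page.\n"
    "    #0 0x7f4d91d2b51d in dwg_dxf_LEADER /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3\n"
    "SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3 in dwg_dxf_LEADER\n"
    "==32285==ABORTING\n";

static const char SAMPLE_OOB_READ[] =
    "==32294==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6692681af1\n"
    "SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c in bit_read_B\n"
    "==32294==ABORTING\n";

static const char SAMPLE_HEAP_OVERFLOW[] =
    "==32310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006740\n"
    "WRITE of size 8 at 0x602000006740 thread T0\n"
    "SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32 in dwg_decode_eed_data\n";

static const char *path_basename(const char *p)
{
    const char *slash = strrchr(p, '/');
    return slash ? slash + 1 : p;
}

/* Builds func@file:line-col___bugclass from an ASan report.
   Returns 0 and fills key on success, -1 if there is no parsable SUMMARY line. */
static int asan_triage_key(const char *report, char *key, size_t keylen)
{
    static const char marker[] = "SUMMARY: AddressSanitizer: ";
    char bug[64], loc[256], func[128], where[256] = "";
    const char *s = strstr(report, marker);
    if (!s)
        return -1;
    s += sizeof marker - 1;
    /* "SEGV <location> in <func>" or "heap-buffer-overflow <location> in <func>" */
    if (sscanf(s, "%63s %255s in %127s", bug, loc, func) != 3)
        return -1;

    /* Assumed classification rule for SEGV, inferred from the reports in the thread. */
    const char *cls = bug;
    if (strcmp(bug, "SEGV") == 0)
        cls = strstr(report, "address points to the zero page")
                  ? "null-pointer-dereference" : "out-of-bounds-read";

    /* file:line:col -> file:line-col; a location without line info yields "". */
    const char *base = path_basename(loc);
    if (strchr(base, ':')) {
        snprintf(where, sizeof where, "%s", base);
        char *second = strchr(strchr(where, ':') + 1, ':');
        if (second)
            *second = '-';
    }
    int n = snprintf(key, keylen, "%s@%s___%s", func, where, cls);
    return (n < 0 || (size_t)n >= keylen) ? -1 : 0;
}

/* Convenience wrapper for checks: does the report map to the expected key? */
static int key_equals(const char *report, const char *expected)
{
    char key[512];
    return asan_triage_key(report, key, sizeof key) == 0 && strcmp(key, expected) == 0;
}

int main(void)
{
    const char *samples[] = { SAMPLE_NULL_DEREF, SAMPLE_OOB_READ, SAMPLE_HEAP_OVERFLOW };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char key[512];
        if (asan_triage_key(samples[i], key, sizeof key) == 0)
            printf("%s\n", key);
    }
    return 0;
}
```

Keying at line granularity is what splits dwg_decode_eed_data@decode.c:2353-32 and dwg_decode_eed_data@decode.c:2354-32 into two cases in this report even though the maintainer's fix addresses one root cause; when triaging a large fuzzing run it is worth also bucketing on function plus bug class so that near-duplicate line numbers collapse into one work item.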