[FUZZ] SEGV read in dwg2dxf, secondheader_private #890

Closed
iskindar opened this issue Dec 7, 2023 · 1 comment
Labels: fuzzing (Intentional illegal input)

Comments

iskindar commented Dec 7, 2023

Hello, I found a bug in dwg2dxf.

Environment

  • Ubuntu 20.04, GCC 9.4.0, libredwg latest commit 76a574c
  • not reproducible on the release 0.12.5

Compile with ASAN

export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
./autogen.sh && ./configure --disable-shared && make -j$(nproc)

ASAN Log

root@535d9a1d505e:/# ./programs/dwg2dxf /dwg_poc1
Reading DWG file /dwg_poc1_trim
ERROR: Header CRC mismatch 3030 <=> 9E42
Warning: Fixup illegal Header Length
ERROR: bit_read_BD: unexpected 2-bit code: '11'
ERROR: Invalid BD unit2_ratio
Warning: Header Section[48] CRC mismatch 3030 <=> 5E4D
ERROR: Invalid size 808464432, should be: 298, endpos: 12640

ERROR: Invalid object type 49344, only 0 classes
ERROR: Invalid class index 48844 >= 0
ERROR: MS size overflow @18446744073668669582
ERROR: MS size overflow @18446744073668669582
ERROR: MS size overflow @18446744073668669600
ERROR: MS size overflow @18446744073668669770
ERROR: MS size overflow @18446744073668669818
ERROR: MS size overflow @18446744073668669866
ERROR: MS size overflow @18446744073668669914
ERROR: MS size overflow @18446744073668669962
ERROR: MS size overflow @18446744073668670010
ERROR: MS size overflow @18446744073668670058
ERROR: MS size overflow @18446744073668670106
ERROR: MS size overflow @18446744073668670154
ERROR: MS size overflow @18446744073668670202
ERROR: MS size overflow @18446744073668670250
ERROR: MS size overflow @18446744073668670298
ERROR: MS size overflow @18446744073668670346
ERROR: MS size overflow @18446744073668670394
ERROR: MS size overflow @18446744073668670442
ERROR: MS size overflow @18446744073668670490
ERROR: bit_read_RC buffer overflow at 21600.0 >= 21600
ERROR: MS size overflow @18446744073668670490
ERROR: bit_read_RC buffer overflow at 21600.0 >= 21600
ERROR: bit_read_RC buffer overflow at 21600.0 >= 21600
Warning: handleoff 0x0 looks wrong, max_handles 60 - last_handle 0 = 60 (@21600)
ERROR: bit_read_RC buffer overflow at 21600.0 >= 21600
ERROR: bit_read_RS buffer overflow at 21600.0 >= 21600
ERROR: AddressSanitizer:DEADLYSIGNAL
=================================================================
==167486==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x55fb6333b255 bp 0x7ffe08a3e710 sp 0x7ffe08a3e4a0 T0)
==167486==The signal is caused by a READ memory access.
==167486==Hint: address points to the zero page.
    #0 0x55fb6333b254 in secondheader_private /benchmark_vuln/source/vuln/libredwg/src/2ndheader.spec:42
    #1 0x55fb633182a0 in decode_R13_R2000 /benchmark_vuln/source/vuln/libredwg/src/decode.c:937
    #2 0x55fb632fee27 in dwg_decode /benchmark_vuln/source/vuln/libredwg/src/decode.c:232
    #3 0x55fb632c6369 in dwg_read_file /benchmark_vuln/source/vuln/libredwg/src/dwg.c:268
    #4 0x55fb632c3ed8 in main /benchmark_vuln/source/vuln/libredwg/programs/dwg2dxf.c:261
    #5 0x7fd5a1e00082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #6 0x55fb632c2d6d in _start (/benchmark_vuln/source/vuln/libredwg/programs/dwg2dxf+0x25cd6d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark_vuln/source/vuln/libredwg/src/2ndheader.spec:42 in secondheader_private
==167486==ABORTING

POC

poc.zip
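Reading the sanitizer block above the way a crash-triage script would: the `SEGV` header, the `READ` access line and the `Hint: address points to the zero page` line together are what make this a NULL-pointer read (address 0x20 is a field at offset 32 from a NULL struct pointer) rather than a wild access worth escalating, and the first frame that carries a source location (`secondheader_private` at `2ndheader.spec:42`) is the natural key for deduplicating fuzzer crashes. The Python script below is an added example, not part of this issue or of libredwg; it parses the ASAN block copied from the report above into structured fields, classifies it, and derives a dedup key. The regexes, the 0x1000 zero-page bound and the bucket names are this example's own assumptions, not anything ASan or the project defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sanitizer block copied verbatim from the report above (the decoder's own ERROR lines omitted).
ASAN_LOG = """\
ERROR: AddressSanitizer:DEADLYSIGNAL
=================================================================
==167486==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x55fb6333b255 bp 0x7ffe08a3e710 sp 0x7ffe08a3e4a0 T0)
==167486==The signal is caused by a READ memory access.
==167486==Hint: address points to the zero page.
    #0 0x55fb6333b254 in secondheader_private /benchmark_vuln/source/vuln/libredwg/src/2ndheader.spec:42
    #1 0x55fb633182a0 in decode_R13_R2000 /benchmark_vuln/source/vuln/libredwg/src/decode.c:937
    #2 0x55fb632fee27 in dwg_decode /benchmark_vuln/source/vuln/libredwg/src/decode.c:232
    #3 0x55fb632c6369 in dwg_read_file /benchmark_vuln/source/vuln/libredwg/src/dwg.c:268
    #4 0x55fb632c3ed8 in main /benchmark_vuln/source/vuln/libredwg/programs/dwg2dxf.c:261
    #5 0x7fd5a1e00082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #6 0x55fb632c2d6d in _start (/benchmark_vuln/source/vuln/libredwg/programs/dwg2dxf+0x25cd6d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark_vuln/source/vuln/libredwg/src/2ndheader.spec:42 in secondheader_private
==167486==ABORTING
"""

# Assumed patterns for the ASan text format; they cover the lines shown above.
HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.+)$")

ZERO_PAGE_LIMIT = 0x1000  # assumed bound: ASan's "zero page" hint covers the first page


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line" when built with -g, "(module+offset)" otherwise

    @property
    def has_source(self) -> bool:
        return re.search(r":\d+$", self.location) is not None


@dataclass
class AsanReport:
    pid: int
    bug_type: str       # e.g. SEGV, heap-buffer-overflow
    address: int        # faulting address
    access: Optional[str]  # READ, WRITE or None when ASan does not say
    frames: List[Frame]


def parse_asan(text: str) -> AsanReport:
    """Extract the error header, access kind and stack frames from an ASan report."""
    pid = bug_type = None
    address = 0
    access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pid, bug_type, address = int(m.group(1)), m.group(2), int(m.group(3), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m and bug_type is not None:  # only frames that follow the error header
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3).strip()))
    if bug_type is None or pid is None:
        raise ValueError("no AddressSanitizer error header found")
    return AsanReport(pid, bug_type, address, access, frames)


def classify(report: AsanReport) -> str:
    """Bucket a SEGV by what the faulting address tells us; other ASan bug types pass through."""
    if report.bug_type != "SEGV":
        return report.bug_type
    if report.address < ZERO_PAGE_LIMIT:
        # Small address = NULL pointer plus a field offset: a crash, not memory corruption.
        return "null-deref-" + (report.access or "unknown").lower()
    return "wild-write" if report.access == "WRITE" else "wild-read"


def crash_site(report: AsanReport) -> Optional[str]:
    """First frame with source info: the project's own code where the fault happened."""
    for f in report.frames:
        if f.has_source:
            return f"{f.function} at {f.location}"
    return None


def dedup_key(report: AsanReport) -> str:
    """Bucket plus crash site; fuzzer inputs with the same key are the same bug."""
    return f"{classify(report)}|{crash_site(report)}"


if __name__ == "__main__":
    r = parse_asan(ASAN_LOG)
    print(f"pid={r.pid} type={r.bug_type} addr=0x{r.address:x} access={r.access}")
    print("bucket:", classify(r))
    print("key:   ", dedup_key(r))
```

For this report the key comes out as a `null-deref-read` at `secondheader_private`, which matches the maintainer's own one-line verdict below and is the kind of signal that lets a fuzzing pipeline file one issue per root cause instead of one per crashing input.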

@rurban rurban self-assigned this Dec 7, 2023
@rurban rurban added the fuzzing Intentional illegal input label Dec 7, 2023
rurban (Contributor) commented Dec 7, 2023

Not DXF related, in dwgread already. A simple NULL deref.

rurban added a commit that referenced this issue Dec 7, 2023
@rurban rurban closed this as completed Dec 7, 2023