heap-buffer-overflow exists in the function dwg_decode_MATERIAL_private in /src/dwg.spec:9073 #1037

@SEU-SSL

Description

System info
Ubuntu 20.04.6 LTS
version: last commit 8e961a8

Compile options
CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" ./configure --disable-shared --disable-bindings --enable-release

Command line
./programs/dwg2dxf ./poc

Poc
poc: poc

AddressSanitizer output
==2252737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000002fc8 at pc 0x555556069858 bp 0x7fffffffafb0 sp 0x7fffffffafa0
WRITE of size 8 at 0x622000002fc8 thread T0
#0 0x555556069857 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
#1 0x555556013f6a in dwg_decode_MATERIAL /fuzz/libredwg-crash/src/dwg.spec:9048
#2 0x5555565532d5 in dwg_decode_variable_type /fuzz/libredwg-crash/src/classes.inc:277
#3 0x5555565766eb in dwg_decode_add_object /fuzz/libredwg-crash/src/decode.c:5497
#4 0x55555581ede1 in read_2004_section_handles /fuzz/libredwg-crash/src/decode.c:2472
#5 0x555555896919 in decode_R2004 /fuzz/libredwg-crash/src/decode.c:3423
#6 0x5555557f62f9 in dwg_decode /fuzz/libredwg-crash/src/decode.c:240
#7 0x5555557bb389 in dwg_read_file /fuzz/libredwg-crash/src/dwg.c:275
#8 0x5555557b8ef8 in main /fuzz/libredwg-crash/programs/dwg2dxf.c:261
#9 0x7ffff7275082 in __libc_start_main ../csu/libc-start.c:308
#10 0x5555557b7d8d in _start (/fuzz/libredwg-crash/programs/dwg2dxf+0x263d8d)

0x622000002fc8 is located 0 bytes to the right of 5832-byte region [0x622000001900,0x622000002fc8)
allocated by thread T0 here:
#0 0x7ffff769fa06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x555556011a95 in dwg_decode_MATERIAL_Texture_diffusemap_private /fuzz/libredwg-crash/src/dwg.spec:9045
#2 0x5555560697e1 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
#3 0x555556013f6a in dwg_decode_MATERIAL /fuzz/libredwg-crash/src/dwg.spec:9048
#4 0x5555565532d5 in dwg_decode_variable_type /fuzz/libredwg-crash/src/classes.inc:277
#5 0x5555565766eb in dwg_decode_add_object /fuzz/libredwg-crash/src/decode.c:5497
#6 0x55555581ede1 in read_2004_section_handles /fuzz/libredwg-crash/src/decode.c:2472
#7 0x555555896919 in decode_R2004 /fuzz/libredwg-crash/src/decode.c:3423
#8 0x5555557f62f9 in dwg_decode /fuzz/libredwg-crash/src/decode.c:240
#9 0x5555557bb389 in dwg_read_file /fuzz/libredwg-crash/src/dwg.c:275
#10 0x5555557b8ef8 in main /fuzz/libredwg-crash/programs/dwg2dxf.c:261
#11 0x7ffff7275082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/libredwg-crash/src/dwg.spec:9073 in dwg_decode_MATERIAL_private
Shadow bytes around the buggy address:
0x0c447fff85a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff85b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff85c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fff85e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fff85f0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x0c447fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff8610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2252737==ABORTING
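How a triager would read the sanitizer report above, as an added example that is not part of the issue or of the libredwg code base: a small Python parser that pulls the access kind and size, the faulting frame, the region geometry and the allocation site out of the ASan text, cross-checks the printed numbers against each other, and records the facts worth keeping in a bug tracker. The per-element arithmetic (`element_view`) rests on an assumption the report itself does not state, namely that the calloc'd region is an array of elements the size of the faulting access; it is labelled as such in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed copy of the AddressSanitizer report from this issue (not constructed);
# only the lines the parser consumes are kept.
ASAN_REPORT = """\
==2252737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000002fc8 at pc 0x555556069858 bp 0x7fffffffafb0 sp 0x7fffffffafa0
WRITE of size 8 at 0x622000002fc8 thread T0
    #0 0x555556069857 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
    #1 0x555556013f6a in dwg_decode_MATERIAL /fuzz/libredwg-crash/src/dwg.spec:9048

0x622000002fc8 is located 0 bytes to the right of 5832-byte region [0x622000001900,0x622000002fc8)
allocated by thread T0 here:
    #0 0x7ffff769fa06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x555556011a95 in dwg_decode_MATERIAL_Texture_diffusemap_private /fuzz/libredwg-crash/src/dwg.spec:9045
    #2 0x5555560697e1 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/libredwg-crash/src/dwg.spec:9073 in dwg_decode_MATERIAL_private
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")


@dataclass
class Frame:
    func: str
    location: str          # file:line exactly as the sanitizer printed it


@dataclass
class AsanTriage:
    kind: str              # e.g. heap-buffer-overflow
    access: str            # READ or WRITE
    size: int              # bytes touched by the faulting access
    address: int
    fault_stack: List[Frame]
    region_size: int
    region_start: int
    region_end: int        # exclusive, as in the printed half-open interval
    side: str              # "left" or "right" of the region
    distance: int          # bytes between the region edge and the access
    alloc_fn: str          # allocator behind the interceptor frame (calloc, malloc, ...)
    alloc_stack: List[Frame]   # frames above the interceptor


def _frames(lines: List[str], start: int) -> List[Frame]:
    """Collect the consecutive '#N 0x... in func file:line' frames beginning at lines[start]."""
    out = []
    for line in lines[start:]:
        m = FRAME_RE.match(line)
        if not m:
            break
        out.append(Frame(m.group(1), m.group(2)))
    return out


def parse_asan(report: str) -> AsanTriage:
    lines = report.splitlines()
    header = HEADER_RE.search(report)
    acc_idx = next((i for i, l in enumerate(lines) if ACCESS_RE.match(l)), None)
    reg_idx = next((i for i, l in enumerate(lines) if REGION_RE.match(l)), None)
    alloc_idx = next((i for i, l in enumerate(lines) if l.startswith("allocated by")), None)
    if header is None or acc_idx is None or reg_idx is None or alloc_idx is None:
        raise ValueError("report lacks the header, access, region or allocation lines")
    acc = ACCESS_RE.match(lines[acc_idx])
    reg = REGION_RE.match(lines[reg_idx])
    alloc_frames = _frames(lines, alloc_idx + 1)
    if not alloc_frames or not alloc_frames[0].func.startswith("__interceptor_"):
        raise ValueError("allocation stack does not start with an allocator interceptor")
    return AsanTriage(
        kind=header.group(1), access=acc.group(1), size=int(acc.group(2)),
        address=int(acc.group(3), 16), fault_stack=_frames(lines, acc_idx + 1),
        region_size=int(reg.group(4)), region_start=int(reg.group(5), 16),
        region_end=int(reg.group(6), 16), side=reg.group(3), distance=int(reg.group(2)),
        alloc_fn=alloc_frames[0].func[len("__interceptor_"):], alloc_stack=alloc_frames[1:],
    )


def consistent(t: AsanTriage) -> bool:
    """Cross-check the printed numbers: region length and the address/edge arithmetic."""
    if t.region_end - t.region_start != t.region_size:
        return False
    if t.side == "right":
        return t.address == t.region_end + t.distance
    return t.address == t.region_start - t.distance


def element_view(t: AsanTriage, elem_size: Optional[int] = None) -> Optional[dict]:
    """ASSUMPTION for this example: treat the region as an array of elem_size-byte
    elements (default: the access size). Returns element count and the index the
    access landed on, or None when that model does not fit the numbers."""
    elem_size = elem_size or t.size
    if t.side != "right" or t.region_size % elem_size:
        return None
    n = t.region_size // elem_size
    return {"elements": n, "last_valid_index": n - 1, "index_accessed": n + t.distance // elem_size}


if __name__ == "__main__":
    t = parse_asan(ASAN_REPORT)
    print(f"{t.kind}: {t.access} of {t.size} bytes in {t.fault_stack[0].func} ({t.fault_stack[0].location})")
    print(f"{t.distance} bytes past a {t.region_size}-byte {t.alloc_fn} region from "
          f"{t.alloc_stack[0].func} ({t.alloc_stack[0].location}); numbers consistent: {consistent(t)}")
    print("element model:", element_view(t))
```

For this report the parser yields a WRITE of 8 bytes landing 0 bytes past the end of a 5832-byte calloc region, and the consistency check confirms that the faulting address equals the region's end address. Under the labelled array assumption, 5832 bytes is exactly 729 eight-byte elements, so the write touches index 729 of a 729-element region, the classic one-past-the-end shape; a fix would be verified by rerunning the same ASan build on the attached poc and on the project's existing test inputs.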

Labels

fuzzing, Intentional illegal input