heap-buffer-overflow exists in the function dwg_decode_MATERIAL_private in /src/dwg.spec:9073
System info: Ubuntu 20.04.6 LTS

Version: last commit https://github.com/LibreDWG/libredwg/commit/8e961a8ead7818b72f36bdf9eccd0d330e6ea231

Compile options: `CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" ./configure --disable-shared --disable-bindings --enable-release`

Command line: `./programs/dwg2dxf ./poc`

Poc: poc (attached)
AddressSanitizer output:

```
==2252737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000002fc8 at pc 0x555556069858 bp 0x7fffffffafb0 sp 0x7fffffffafa0
WRITE of size 8 at 0x622000002fc8 thread T0
    #0 0x555556069857 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
    #1 0x555556013f6a in dwg_decode_MATERIAL /fuzz/libredwg-crash/src/dwg.spec:9048
    #2 0x5555565532d5 in dwg_decode_variable_type /fuzz/libredwg-crash/src/classes.inc:277
    #3 0x5555565766eb in dwg_decode_add_object /fuzz/libredwg-crash/src/decode.c:5497
    #4 0x55555581ede1 in read_2004_section_handles /fuzz/libredwg-crash/src/decode.c:2472
    #5 0x555555896919 in decode_R2004 /fuzz/libredwg-crash/src/decode.c:3423
    #6 0x5555557f62f9 in dwg_decode /fuzz/libredwg-crash/src/decode.c:240
    #7 0x5555557bb389 in dwg_read_file /fuzz/libredwg-crash/src/dwg.c:275
    #8 0x5555557b8ef8 in main /fuzz/libredwg-crash/programs/dwg2dxf.c:261
    #9 0x7ffff7275082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5555557b7d8d in _start (/fuzz/libredwg-crash/programs/dwg2dxf+0x263d8d)

0x622000002fc8 is located 0 bytes to the right of 5832-byte region [0x622000001900,0x622000002fc8)
allocated by thread T0 here:
    #0 0x7ffff769fa06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x555556011a95 in dwg_decode_MATERIAL_Texture_diffusemap_private /fuzz/libredwg-crash/src/dwg.spec:9045
    #2 0x5555560697e1 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
    #3 0x555556013f6a in dwg_decode_MATERIAL /fuzz/libredwg-crash/src/dwg.spec:9048
    #4 0x5555565532d5 in dwg_decode_variable_type /fuzz/libredwg-crash/src/classes.inc:277
    #5 0x5555565766eb in dwg_decode_add_object /fuzz/libredwg-crash/src/decode.c:5497
    #6 0x55555581ede1 in read_2004_section_handles /fuzz/libredwg-crash/src/decode.c:2472
    #7 0x555555896919 in decode_R2004 /fuzz/libredwg-crash/src/decode.c:3423
    #8 0x5555557f62f9 in dwg_decode /fuzz/libredwg-crash/src/decode.c:240
    #9 0x5555557bb389 in dwg_read_file /fuzz/libredwg-crash/src/dwg.c:275
    #10 0x5555557b8ef8 in main /fuzz/libredwg-crash/programs/dwg2dxf.c:261
    #11 0x7ffff7275082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/libredwg-crash/src/dwg.spec:9073 in dwg_decode_MATERIAL_private
Shadow bytes around the buggy address:
  0x0c447fff85a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff85b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff85c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff85e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fff85f0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0c447fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff8610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2252737==ABORTING
```

Triage note: the faulting access is an 8-byte WRITE at an address 0 bytes past the end of the 5832-byte region that was calloc'd in dwg_decode_MATERIAL_Texture_diffusemap_private (dwg.spec:9045) from the same dwg.spec:9073 expansion that performs the write. 5832 bytes is exactly 729 8-byte elements, so the write lands on element index 729 of a 729-element buffer, one element past the end, which is consistent with an off-by-one between the count used to size the buffer and the count used to fill it. The region is heap memory parsed from the attacker-supplied DWG, so the crash is reachable from any file passed to dwg2dxf (or the library's dwg_read_file).
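When a fuzzing campaign produces many reports like this one, the first job is to classify them without reading every stack by hand. The following Python helper is an added example written for this report; it is not part of libredwg, dwg2dxf or the original issue. It parses the essential lines of a standard ASan heap-buffer-overflow report into a structured record, works out where the access lands relative to the overflowed region (in bytes and in access-sized elements), and derives a deduplication key from the top project frames. The embedded sample is copied from the report above with the trailing libc frames dropped; the project root `/fuzz/libredwg-crash/` used to relativize paths is read off those frames and is an assumption about this particular build tree, not a libredwg convention.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report for fuzz-crash triage.
Added example for this issue; not libredwg code. Regexes follow ASan's standard text format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the key lines of the ASan report above (later frames omitted).
SAMPLE_REPORT = """\
==2252737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000002fc8 at pc 0x555556069858 bp 0x7fffffffafb0 sp 0x7fffffffafa0
WRITE of size 8 at 0x622000002fc8 thread T0
    #0 0x555556069857 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
    #1 0x555556013f6a in dwg_decode_MATERIAL /fuzz/libredwg-crash/src/dwg.spec:9048
    #2 0x5555565532d5 in dwg_decode_variable_type /fuzz/libredwg-crash/src/classes.inc:277
    #3 0x5555565766eb in dwg_decode_add_object /fuzz/libredwg-crash/src/decode.c:5497
0x622000002fc8 is located 0 bytes to the right of 5832-byte region [0x622000001900,0x622000002fc8)
allocated by thread T0 here:
    #0 0x7ffff769fa06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x555556011a95 in dwg_decode_MATERIAL_Texture_diffusemap_private /fuzz/libredwg-crash/src/dwg.spec:9045
    #2 0x5555560697e1 in dwg_decode_MATERIAL_private /fuzz/libredwg-crash/src/dwg.spec:9073
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/libredwg-crash/src/dwg.spec:9073 in dwg_decode_MATERIAL_private
"""

RE_ERROR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
RE_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
RE_LOCATED = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                        r"\[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
# "#N 0xADDR in func path:line"; frames without a source location (e.g. _start) are skipped.
RE_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)")


@dataclass
class Frame:
    func: str
    path: str
    line: int


@dataclass
class AsanReport:
    bug_type: str = ""
    access: str = ""            # READ or WRITE
    access_size: int = 0
    fault_addr: int = 0
    region_start: int = 0
    region_size: int = 0
    distance: int = 0           # bytes between the region edge and the faulting address
    side: str = ""              # "left" or "right" of the region
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Extract bug type, faulting access, overflowed region and both stacks."""
    rep = AsanReport()
    current = rep.access_stack
    for line in text.splitlines():
        if m := RE_ERROR.match(line):
            rep.bug_type, rep.fault_addr = m.group(1), int(m.group(2), 16)
        elif m := RE_ACCESS.match(line):
            rep.access, rep.access_size = m.group(1), int(m.group(2))
            current = rep.access_stack
        elif m := RE_LOCATED.search(line):
            rep.distance, rep.side = int(m.group(1)), m.group(2)
            rep.region_size, rep.region_start = int(m.group(3)), int(m.group(4), 16)
        elif m := RE_FRAME.match(line):
            current.append(Frame(m.group(2), m.group(3), int(m.group(4))))
        if "allocated by thread" in line:   # may share a line with the "is located" text
            current = rep.alloc_stack
    return rep


def overrun_analysis(rep: AsanReport) -> Dict[str, Optional[int]]:
    """Where the access lands relative to the region, in bytes and in access-sized elements."""
    # Offset from the region start, derived from the distance ASan reports and
    # cross-checked against the raw addresses when both were parsed.
    offset = rep.region_size + rep.distance if rep.side == "right" else -rep.distance
    if rep.fault_addr and rep.region_start:
        assert rep.fault_addr - rep.region_start == offset, "distance and addresses disagree"
    aligned = rep.access_size > 0 and offset % rep.access_size == 0
    return {
        "offset": offset,
        "elements_in_region": rep.region_size // rep.access_size if rep.access_size else None,
        "element_index": offset // rep.access_size if aligned else None,
    }


def crash_signature(rep: AsanReport, project_root: str, depth: int = 3) -> str:
    """Dedup key from bug type, access kind and the top project frames (function@file).
    Line numbers are left out so the key survives unrelated edits between commits."""
    frames = [f for f in rep.access_stack if f.path.startswith(project_root)][:depth]
    parts = [rep.bug_type, rep.access]
    parts += [f"{f.func}@{f.path[len(project_root):]}" for f in frames]
    return "|".join(parts)


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    a = overrun_analysis(r)
    print(crash_signature(r, "/fuzz/libredwg-crash/"))
    print(f"{r.access} of {r.access_size} bytes at offset {a['offset']} of a {r.region_size}-byte "
          f"region from {r.alloc_stack[0].func} via {r.alloc_stack[1].func}: "
          f"element {a['element_index']} of {a['elements_in_region']}")
```

On the report above this yields the key `heap-buffer-overflow|WRITE|dwg_decode_MATERIAL_private@src/dwg.spec|dwg_decode_MATERIAL@src/dwg.spec|dwg_decode_variable_type@src/classes.inc` and the analysis "element 729 of 729", i.e. an 8-byte write exactly one element past the end of the calloc'd buffer, which is the fact a maintainer most wants to see before opening dwg.spec. Keying on function and file rather than line number means a second PoC that hits the same macro expansion after an unrelated commit still collapses into this bucket.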