sandyre/libopencad

Heap-buffer-overflow in io.cpp:331 and io.cpp:444

kky0h opened this issue · 0 comments

kky0h commented

Hi, I found some heap overflows when I compiled 'cadinfo' with ASan (using the option -fsanitize=address):

==135828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000d3dc at pc 0x4ebdbf bp 0x7ffe5f02d0c0 sp 0x7ffe5f02d0b8
READ of size 2 at 0x60600000d3dc thread T0
    #0 0x4ebdbe in ReadCHAR(char const*, unsigned long&) /home/xxxx/testapp/libopencad-master/lib/dwg/io.cpp:331
    #1 0x4ed98f in ReadHANDLE(char const*, unsigned long&) /home/xxxx/testapp/libopencad-master/lib/dwg/io.cpp:693
    #2 0x4d672f in DWGFileR2000::getXRecord(long, char const*, unsigned long&) /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:3773
    #3 0x4c05de in DWGFileR2000::GetObject(long, bool) /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:982
    #4 0x4d7d40 in DWGFileR2000::GetNOD() /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:3879
    #5 0x472c6a in main /home/xxxx/testapp/libopencad-master/apps/cadinfo.cpp:129
    #6 0x7fe52e607f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x4724d8 (/home/xxxx/testapp/libopencad-master/cadinfo+0x4724d8)

0x60600000d3dd is located 0 bytes to the right of 61-byte region [0x60600000d3a0,0x60600000d3dd)
allocated by thread T0 here:
    #0 0x7fe52f23827f in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5527f)
    #1 0x4bf24f in DWGFileR2000::GetObject(long, bool) /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:778
    #2 0x4d7d40 in DWGFileR2000::GetNOD() /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:3879
    #3 0x472c6a in main /home/xxxx/testapp/libopencad-master/apps/cadinfo.cpp:129
    #4 0x7fe52e607f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xxxx/testapp/libopencad-master/lib/dwg/io.cpp:331 ReadCHAR(char const*, unsigned long&)
Shadow bytes around the buggy address:
  0x0c0c7fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9a60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9a70: fa fa fa fa 00 00 00 00 00 00 00[05]fa fa fa fa
  0x0c0c7fff9a80: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c7fff9a90: 00 00 00 01 fa fa fa fa 00 00 00 00 00 00 00 01
  0x0c0c7fff9aa0: fa fa fa fa 00 00 00 00 00 00 00 01 fa fa fa fa
  0x0c0c7fff9ab0: 00 00 00 00 00 00 00 01 fa fa fa fa 00 00 00 00
  0x0c0c7fff9ac0: 00 00 00 01 fa fa fa fa 00 00 00 00 00 00 00 01
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==135828==ABORTING

And

==163526==ERROR: AddressSanitizer: unknown-crash on address 0x61700000fb9e at pc 0x4ec6d8 bp 0x7ffca1e30940 sp 0x7ffca1e30938
READ of size 8 at 0x61700000fb9e thread T0
    #0 0x4ec6d7 in ReadMCHAR(char const*, unsigned long&) /home/xxxx/testapp/libopencad-master/lib/dwg/io.cpp:444
    #1 0x4bedc9 in DWGFileR2000::CreateFileMap() /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:737
    #2 0x476b89 in CADFile::ParseFile(CADFile::OpenOptions, bool) /home/xxxx/testapp/libopencad-master/lib/cadfile.cpp:86
    #3 0x47629c in OpenCADFile(CADFileIO*, CADFile::OpenOptions, bool) /home/xxxx/testapp/libopencad-master/lib/opencad.cpp:104
    #4 0x476490 in OpenCADFile(char const*, CADFile::OpenOptions, bool) /home/xxxx/testapp/libopencad-master/lib/opencad.cpp:190
    #5 0x472b14 in main /home/xxxx/testapp/libopencad-master/apps/cadinfo.cpp:111
    #6 0x7f6ce110cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x4724d8 (/home/xxxx/testapp/libopencad-master/cadinfo+0x4724d8)

0x61700000fba5 is located 0 bytes to the right of 677-byte region [0x61700000f900,0x61700000fba5)
allocated by thread T0 here:
    #0 0x7f6ce1d3d27f in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5527f)
    #1 0x4becd3 in DWGFileR2000::CreateFileMap() /home/xxxx/testapp/libopencad-master/lib/dwg/r2000.cpp:727
    #2 0x476b89 in CADFile::ParseFile(CADFile::OpenOptions, bool) /home/xxxx/testapp/libopencad-master/lib/cadfile.cpp:86
    #3 0x47629c in OpenCADFile(CADFileIO*, CADFile::OpenOptions, bool) /home/xxxx/testapp/libopencad-master/lib/opencad.cpp:104
    #4 0x476490 in OpenCADFile(char const*, CADFile::OpenOptions, bool) /home/xxxxx/testapp/libopencad-master/lib/opencad.cpp:190
    #5 0x472b14 in main /home/xxxxx/testapp/libopencad-master/apps/cadinfo.cpp:111
    #6 0x7f6ce110cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: unknown-crash /home/xxxx/testapp/libopencad-master/lib/dwg/io.cpp:444 ReadMCHAR(char const*, unsigned long&)
Shadow bytes around the buggy address:
  0x0c2e7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff9f70: 00 00 00[00]05 fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==163526==ABORTING

POC file
poc1
poc2
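Both traces show the same defect class: a reader loads a fixed window (2 bytes in ReadCHAR, 8 bytes in ReadMCHAR) without checking how many bytes actually remain, so a malformed or truncated DWG section walks the read off the end of the `new[]` region. The following is an added example, not libopencad's own code: a hypothetical bit-stream reader whose every load is preceded by a length check, so the same inputs end the parse with a refused read instead of a heap overflow. The modular-char layout (little-endian 7-bit groups, bit 7 continuation, bit 6 sign in the last byte, at most 4 bytes) is assumed here for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical bounds-checked reader (not libopencad's ReadCHAR/ReadMCHAR).
// Every read first checks that the requested bits fit inside the buffer and
// only touches the bytes that check guarantees are present.
struct BoundedBitReader {
    const unsigned char* data;
    size_t sizeBytes;
    size_t bitOffset = 0;  // bit position from the start of the buffer

    // True when nBits more bits fit inside the buffer.
    bool canRead(size_t nBits) const {
        const size_t totalBits = sizeBytes * 8;
        return nBits <= totalBits && bitOffset <= totalBits - nBits;
    }

    // Read 8 bits that may straddle a byte boundary (MSB-first bit order).
    // The unchecked version loads 2 bytes unconditionally; here the second
    // byte is loaded only when the read straddles, and canRead(8) with a
    // non-zero shift already implies byte + 1 < sizeBytes.
    std::optional<uint8_t> readChar() {
        if (!canRead(8)) return std::nullopt;  // refuse instead of overreading
        const size_t byte = bitOffset / 8;
        const unsigned shift = bitOffset % 8;
        bitOffset += 8;
        if (shift == 0) return data[byte];
        const uint16_t window = (uint16_t)((data[byte] << 8) | data[byte + 1]);
        return (uint8_t)(window >> (8 - shift));
    }

    // "Modular char" (encoding assumed here): little-endian 7-bit groups,
    // bit 7 = continuation, bit 6 of the final byte = sign, at most 4 bytes.
    // Reading byte by byte means the length check happens at every step.
    std::optional<int64_t> readModularChar() {
        int64_t value = 0;
        for (unsigned i = 0; i < 4; ++i) {
            const std::optional<uint8_t> b = readChar();
            if (!b) return std::nullopt;  // input ended mid-value
            value |= (int64_t)(*b & 0x7F) << (7 * i);
            if ((*b & 0x80) == 0) {
                if (*b & 0x40) {  // final byte carries the sign bit
                    value &= ~((int64_t)0x40 << (7 * i));
                    value = -value;
                }
                return value;
            }
        }
        return std::nullopt;  // more than 4 continuation bytes: malformed
    }
};

// Read one 8-bit value at the given bit offset; -1 means the reader refused
// because the read would have gone past the end of the buffer.
int readCharAt(const std::vector<unsigned char>& buf, size_t bit) {
    BoundedBitReader r{buf.data(), buf.size(), bit};
    const std::optional<uint8_t> c = r.readChar();
    return c ? (int)*c : -1;
}

// Decode modular chars until the buffer is exhausted or a value is malformed.
std::vector<int64_t> decodeAll(const std::vector<unsigned char>& buf, size_t startBit) {
    BoundedBitReader r{buf.data(), buf.size(), startBit};
    std::vector<int64_t> out;
    while (std::optional<int64_t> v = r.readModularChar()) out.push_back(*v);
    return out;
}
```

`readCharAt({0xFF}, 4)` is the shape of the first report (one partial byte left, a 2-byte window requested) and returns -1 rather than touching the byte after the region; `decodeAll({0x85}, 0)` is the shape of the second (a continuation byte with nothing after it) and yields no values. The fix in a real parser is the same: check `nBitOffsetFromStart` against the section length before each load, and treat a failed check as a parse error for that object.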