Heap overflow in libopencad
hac425xxx opened this issue · 0 comments
hac425xxx commented
AddressSanitizer output:
~/workplace/asan/libopencad/build$ ./apps/cadinfo ppp.dwg
=================================================================
==85678== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000d630 at pc 0x4ea8c8 bp 0x7ffde620cc50 sp 0x7ffde620cc48
READ of size 8 at 0x60040000d630 thread T0
#0 0x4ea8c7 (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x4ea8c7)
#1 0x4bda94 (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x4bda94)
#2 0x477d75 (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x477d75)
#3 0x47749c (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x47749c)
#4 0x47768d (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x47768d)
#5 0x47426c (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x47426c)
#6 0x7fc872206f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
#7 0x473ca8 (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x473ca8)
0x60040000d634 is located 0 bytes to the right of 4-byte region [0x60040000d630,0x60040000d634)
allocated by thread T0 here:
#0 0x7fc872ddf88a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1188a)
#1 0x4bd9bb (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x4bd9bb)
#2 0x477d75 (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x477d75)
#3 0x47749c (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x47749c)
#4 0x47768d (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x47768d)
#5 0x47426c (/home/xxx/workplace/asan/libopencad/build/apps/cadinfo+0x47426c)
#6 0x7fc872206f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
Shadow bytes around the buggy address:
0x0c00ffff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c00ffff9ac0: fa fa fa fa fa fa[04]fa fa fa fd fa fa fa fd fa
0x0c00ffff9ad0: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa fd fa
0x0c00ffff9ae0: fa fa 01 fa fa fa fd fa fa fa fd fa fa fa 01 fa
0x0c00ffff9af0: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa fd fa
0x0c00ffff9b00: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa fd fa
0x0c00ffff9b10: fa fa 01 fa fa fa fd fa fa fa fd fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==85678== ABORTING
PoC:
https://github.com/hac425xxx/fuzzdata/blob/master/heapoverflow-opencad.dwg
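What the report above records is an 8-byte READ landing on a 4-byte heap region: the shadow byte `[04]` marks a granule of which only 4 bytes are addressable, and the access ends exactly at the right edge of that allocation. The allocation frame `#1 0x4bd9bb` and the faulting frame `#1 0x4bda94` sit in the same function (same caller `0x477d75`), so the buffer is allocated and over-read in one routine. The frames are unsymbolized; rebuilding with `-g` and running with `llvm-symbolizer` on `PATH` (or passing the log through `asan_symbolize.py`) would name them. The following is an added example, not libopencad code and not derived from the PoC file: a constructed record type with a fetch that trusts the width it wants rather than the length it has, beside a bounds-checked variant. `struct record`, `read_u64_unchecked`, `read_u64_checked` and `make_record` are all hypothetical names chosen for this illustration.

```c
/* Added example, not libopencad code: the shape of the bug ASan reports above
 * (an 8-byte READ from a 4-byte heap region) and a bounds-checked reader. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record: `len` is the number of bytes actually allocated for
 * `data` (in a parser this would come from the file, hence attacker-chosen). */
struct record {
    size_t len;
    unsigned char *data;
};

/* Unguarded read: fetches 8 bytes at `off` without comparing against r->len.
 * With a 4-byte record this reads 4 bytes past the allocation; compiled with
 * -fsanitize=address it produces a "heap-buffer-overflow ... READ of size 8
 * ... 0 bytes to the right of 4-byte region" report like the one above. */
static uint64_t read_u64_unchecked(const struct record *r, size_t off)
{
    uint64_t v;
    memcpy(&v, r->data + off, sizeof v);   /* no bounds check */
    return v;
}

/* Guarded read: refuse unless 8 bytes fit between `off` and the end of the
 * buffer. Written as r->len - off < 8 rather than off + 8 > r->len so that a
 * large `off` cannot wrap the addition and pass the check. Returns 0 on
 * success and -1 for a truncated record. */
static int read_u64_checked(const struct record *r, size_t off, uint64_t *out)
{
    if (r->data == NULL || off > r->len || r->len - off < sizeof *out)
        return -1;
    memcpy(out, r->data + off, sizeof *out);
    return 0;
}

/* Constructed input (not from the PoC): a record of `len` bytes 1,2,3,... */
static struct record make_record(size_t len)
{
    struct record r;
    r.len = len;
    r.data = malloc(len);
    if (r.data != NULL)
        for (size_t i = 0; i < len; i++)
            r.data[i] = (unsigned char)(i + 1);
    return r;
}

static void free_record(struct record *r)
{
    free(r->data);
    r->data = NULL;
    r->len = 0;
}

int main(int argc, char **argv)
{
    struct record four = make_record(4);
    struct record eight = make_record(8);
    uint64_t v = 0;

    printf("4-byte record, checked read: %s\n",
           read_u64_checked(&four, 0, &v) == 0 ? "ok" : "rejected");
    if (read_u64_checked(&eight, 0, &v) == 0)
        printf("8-byte record, checked read: 0x%016llx\n", (unsigned long long)v);

    /* Only on request: run the unguarded fetch on the 4-byte record to
     * reproduce the ASan report (build with -fsanitize=address -g). */
    if (argc > 1 && strcmp(argv[1], "--overflow") == 0)
        printf("unchecked: 0x%016llx\n",
               (unsigned long long)read_u64_unchecked(&four, 0));

    free_record(&four);
    free_record(&eight);
    return 0;
}
```

Build with `cc -fsanitize=address -g example.c` and run with `--overflow` to see ASan flag the same READ-of-8-on-4-byte-region pattern with symbolized frames; without the flag only the checked reader runs and the short record is rejected instead of over-read.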