Null pointer dereference in DWGFileR2000::ReadHeader
hac425xxx opened this issue · 0 comments
hac425xxx commented
Crash context in gdb:

```
pwndbg> r
Starting program: /home/xxx/workplace/asan/libopencad/build/apps/cadinfo null-ptr-opencad.dwg
Program received signal SIGSEGV, Segmentation fault.
0x000000000049f31c in DWGFileR2000::ReadHeader (this=0x6f6a90, eOptions=CADFile::READ_ALL) at /home/xxx/workplace/asan/libopencad/lib/dwg/r2000.cpp:71
71 pFileIO->Seek( sectionLocatorRecords[0].dSeeker, CADFileIO::SeekOrigin::BEG );
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x478102 ◂— push rbp
RCX 0x0
RDX 0x0
RDI 0x6f6b68 ◂— 0x0
RSI 0x0
R8 0x7fffffffd9df ◂— 0x7fffffffda0000
R9 0x9
R10 0x7ffff75b1fe0 (_IO_strn_jumps) ◂— 0x0
R11 0x1
R12 0x4737a0 (_start) ◂— xor ebp, ebp
R13 0x7fffffffe100 ◂— 0x2
R14 0x0
R15 0x0
RBP 0x7fffffffdc90 —▸ 0x7fffffffdcc0 —▸ 0x7fffffffdd00 —▸ 0x7fffffffdd30 —▸ 0x7fffffffe020 ◂— ...
RSP 0x7fffffffcc20 ◂— 0x0
RIP 0x49f31c (DWGFileR2000::ReadHeader(CADFile::OpenOptions)+98) ◂— mov eax, dword ptr [rax + 4]
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
► 0x49f31c <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+98> mov eax, dword ptr [rax + 4]
0x49f31f <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+101> movsxd rcx, eax
0x49f322 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+104> mov rax, qword ptr [rbp - 0x1058]
0x49f329 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+111> mov rax, qword ptr [rax + 8]
0x49f32d <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+115> mov edx, 0
0x49f332 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+120> mov rsi, rcx
0x49f335 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+123> mov rdi, rax
0x49f338 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+126> call rbx
0x49f33a <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+128> mov rax, qword ptr [rbp - 0x1058]
0x49f341 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+135> mov rax, qword ptr [rax + 8]
0x49f345 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+139> mov rax, qword ptr [rax]
─────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────
In file: /home/xxx/workplace/asan/libopencad/lib/dwg/r2000.cpp
66 {
67 char buffer[255];
68 char * pabyBuf;
69 size_t dHeaderVarsSectionLength = 0;
70
► 71 pFileIO->Seek( sectionLocatorRecords[0].dSeeker, CADFileIO::SeekOrigin::BEG );
72 pFileIO->Read( buffer, DWGSentinelLength );
73 if( memcmp( buffer, DWGHeaderVariablesStart, DWGSentinelLength ) )
74 {
75 DebugMsg( "File is corrupted (wrong pointer to HEADER_VARS section,"
76 "or HEADERVARS starting sentinel corrupted.)" );
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffcc20 ◂— 0x0
... ↓
03:0018│ 0x7fffffffcc38 —▸ 0x6f6a90 —▸ 0x6f0d30 —▸ 0x4b5ff6 (DWGFileR2000::~DWGFileR2000()) ◂— push rbp
04:0020│ 0x7fffffffcc40 ◂— 0x0
... ↓
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
► f 0 49f31c DWGFileR2000::ReadHeader(CADFile::OpenOptions)+98
f 1 4763b0
f 2 475ead
f 3 47604d
f 4 473bf9 main+610
f 5 7ffff7212f45 __libc_start_main+245
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x4)
pwndbg>
```
PoC: https://github.com/hac425xxx/fuzzdata/blob/master/null-ptr-opencad.dwg
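The source window in the report shows `ReadHeader` indexing `sectionLocatorRecords[0]` before anything checks that a locator record was actually parsed from the file. With RAX = 0 and the fault at address 0x4 on `mov eax, dword ptr [rax + 4]`, the dump is consistent with an empty record table (a `std::vector` whose data pointer is null) and a `dSeeker` field at byte offset 4 of the record; that reading is an inference from the registers shown, not something the report states. The C++ below is an added example of the validation a DWG reader would perform before seeking to HEADER_VARS; it is not libopencad's code. `SectionLocatorRecord`, its field layout, `HeaderStatus` and `SelectHeaderVarsSection` are all assumed names for illustration, and the sample inputs are constructed.

```cpp
// Added example (not libopencad's code): validate the R2000 section locator
// table before indexing it and seeking, instead of trusting records[0] blindly.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed record layout: dSeeker at byte offset 4 matches the reported
// fault address 0x4 when the table's data pointer is null.
struct SectionLocatorRecord {
    uint8_t byRecordNumber;
    int32_t dSeeker;  // file offset of the section, read from the file
    int32_t dSize;    // section length, read from the file
};

enum class HeaderStatus { Ok, NoLocatorRecords, SeekerOutOfRange, SectionTooSmall };

// Hypothetical helper: pick the HEADER_VARS locator record (index 0) and reject
// anything a crafted file could use to drive Seek/Read out of bounds.
HeaderStatus SelectHeaderVarsSection(const std::vector<SectionLocatorRecord>& records,
                                     size_t fileSize, size_t sentinelLength,
                                     int64_t& seekerOut) {
    // The crash case: an empty table means records[0] has no backing storage.
    if (records.empty()) {
        return HeaderStatus::NoLocatorRecords;
    }
    const SectionLocatorRecord& rec = records[0];

    // Offsets come straight from the file; refuse negative or past-EOF values.
    if (rec.dSeeker < 0 || static_cast<size_t>(rec.dSeeker) >= fileSize) {
        return HeaderStatus::SeekerOutOfRange;
    }

    // The section must hold at least the start sentinel that is compared next,
    // and must not run past the end of the file.
    const size_t seeker = static_cast<size_t>(rec.dSeeker);
    if (rec.dSize < 0 || static_cast<size_t>(rec.dSize) < sentinelLength ||
        seeker + static_cast<size_t>(rec.dSize) > fileSize) {
        return HeaderStatus::SectionTooSmall;
    }

    seekerOut = rec.dSeeker;
    return HeaderStatus::Ok;
}

int main() {
    // Constructed input mirroring the report: no locator records at all.
    std::vector<SectionLocatorRecord> none;
    int64_t seeker = -1;
    const bool rejected =
        SelectHeaderVarsSection(none, 1024, 16, seeker) != HeaderStatus::Ok;
    std::printf("empty locator table rejected before Seek: %s\n",
                rejected ? "yes" : "no");

    // Constructed well-formed table: one record pointing inside a 1024-byte file.
    std::vector<SectionLocatorRecord> good{{0, 0x20, 0x200}};
    if (SelectHeaderVarsSection(good, 1024, 16, seeker) == HeaderStatus::Ok) {
        std::printf("HEADER_VARS section accepted at offset 0x%llx\n",
                    static_cast<unsigned long long>(seeker));
    }
    return rejected ? 0 : 1;
}
```

The empty-table check is the one that maps directly onto this crash; the range checks cover the adjacent failure mode, a table that is present but whose offsets point outside the file, which the existing sentinel comparison would otherwise only catch after an out-of-range `Seek` and `Read`.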