search of the elements of the formats that 2004 and 2007 have not yet been implemented and create issues

create debian package

Linking problems in path with space in the name

If you try to compile the project in a directory with spaces in the name, it fails while running in a "sed" command.

invail pointer deference in libredwg

libredwg(crash)

github address

https://github.com/ArchimedesCAD/libredwg

compile the test case in the source

./configure
make
gcc testSVG.c -I../src/ ../src/.libs/libredwg.a -lm  -o fuzz_svg

test with poc

./fuzz_svg segment_poc

the gdb output

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x1f5 
RBX: 0x0 
RCX: 0x1b 
RDX: 0x2 
RSI: 0x629390 --> 0x4003 
RDI: 0x6d1480 --> 0x3000000017 
RBP: 0x7fffffffd690 --> 0x7fffffffd6f0 --> 0x7fffffffe240 --> 0x7fffffffe260 --> 0x0 
RSP: 0x7fffffffd668 --> 0x40171d (<output_BLOCK_HEADER+227>:	mov    QWORD PTR [rbp-0x10],rax)
RIP: 0x401e0f (<get_first_owned_object+63>:	mov    rax,QWORD PTR [rax])
R8 : 0x7fffffff 
R9 : 0x414fc0 ("Found null object reference. Could not output an SVG symbol for this BLOCK_HEADER\n")
R10: 0x7ffff7acc6a0 --> 0x0 
R11: 0x246 
R12: 0x400d90 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe340 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401e00 <get_first_owned_object+48>:	repz ret 
   0x401e02 <get_first_owned_object+50>:	nop    WORD PTR [rax+rax*1+0x0]
   0x401e08 <get_first_owned_object+56>:	mov    rax,QWORD PTR [rsi+0x98]
=> 0x401e0f <get_first_owned_object+63>:	mov    rax,QWORD PTR [rax]
   0x401e12 <get_first_owned_object+66>:	ret    
   0x401e13:	data32 data32 data32 nop WORD PTR cs:[rax+rax*1+0x0]
   0x401e20 <get_next_owned_object>:	mov    rax,QWORD PTR [rdi+0x30]
   0x401e24 <get_next_owned_object+4>:	mov    eax,DWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd668 --> 0x40171d (<output_BLOCK_HEADER+227>:	mov    QWORD PTR [rbp-0x10],rax)
0008| 0x7fffffffd670 --> 0x41519c --> 0x3e736665643c09 ('\t<defs>')
0016| 0x7fffffffd678 --> 0x6295f0 --> 0x6d1480 --> 0x3000000017 
0024| 0x7fffffffd680 --> 0x0 
0032| 0x7fffffffd688 --> 0x629390 --> 0x4003 
0040| 0x7fffffffd690 --> 0x7fffffffd6f0 --> 0x7fffffffe240 --> 0x7fffffffe260 --> 0x0 
0048| 0x7fffffffd698 --> 0x401935 (<output_SVG+469>:	add    DWORD PTR [rbp-0x34],0x1)
0056| 0x7fffffffd6a0 --> 0x40d1a0a52e680c34 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000401e0f in get_first_owned_object (hdr_obj=0x6d1480, hdr=0x629390) at dwg.c:359
359	      return hdr->first_entity->obj;
gdb-peda$ p hdr->first_entity 
$1 = (Dwg_Object_Ref *) 0x1f5   # !!!!!!   illegal pointer
gdb-peda$ p hdr->first_entity->obj
Cannot access memory at address 0x1f5
gdb-peda$

As you can see, the hdr->first_entity is now a illegal pointer , and we got crash

Program received signal SIGSEGV, Segmentation fault.

By using asan , I found this is an heap overflow vulnerability

the binary and the poc:

http://hac425.unaux.com/usr/uploads/2018/07/2407654350.zip

archimedescad / libredwg Goto Github PK

libredwg's Issues

search of the elements of the formats that 2004 and 2007 have not yet been implemented and create issues

create debian package

Linking problems in path with space in the name

invail pointer deference in libredwg

libredwg(crash)

create DWG 2010, 2007, 2004, 2000.

implement dwg 2010

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent