[libredwg] [bug #55893] several bugs in LibreDWG
From: anonymous
Subject: [libredwg] [bug #55893] several bugs in LibreDWG
Date: Tue, 12 Mar 2019 06:47:04 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
URL:
<https://savannah.gnu.org/bugs/?55893>
Summary: several bugs in LibreDWG
Project: LibreDWG
Submitted by: None
Submitted on: Tue 12 Mar 2019 10:47:02 AM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
# libredwg
## version
libredwg 0.7 and 0.7.1645
## description
```txt
libredwg
```
## download link
https://github.com/LibreDWG/libredwg/releases
---------------------
## address@hidden:2034-3___null-pointer-dereference
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
null-pointer-dereference in function dwg_dxf_LEADER at dwg.spec:2034-3
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f4d91d2b51e bp 0x0c22000045e3 sp 0x7ffd87ed4b60 T0)
==32285==The signal is caused by a READ memory access.
==32285==Hint: address points to the zero page.
#0 0x7f4d91d2b51d in dwg_dxf_LEADER
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3
#1 0x7f4d91d2b51d in dwg_dxf_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:934
#2 0x7f4d91ca1ba7 in dxf_entities_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1528:18
#3 0x7f4d91ca1ba7 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1596
#4 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#5 0x7f4d905aab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3 in
dwg_dxf_LEADER
==32285==ABORTING
```
### others
from fuzz project None
crash name None-00000007-1552381583.dwg
Auto-generated by pyspider at 2019-03-12 18:15:41
## address@hidden
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is an
out-of-bounds-read in function bit_read_B at
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32294==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6692681af1 (pc
0x7f6675cd7f01 bp 0x0c0800001814 sp 0x7ffc0f5f3ef0 T0)
==32294==The signal is caused by a READ memory access.
#0 0x7f6675cd7f00 in bit_read_B
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c
#1 0x7f6675f33256 in obj_string_stream
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode_r2007.c:1126:22
#2 0x7f6675ea3b0f in dwg_decode_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2738:18
#3 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ_private
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
#4 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
#5 0x7f6675d81cc6 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
#6 0x7f6675d113d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
#7 0x7f6675d113d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
#8 0x7f6675cf4049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
#9 0x7f6675ccf4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
#10 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
#11 0x7f6674bacb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c in bit_read_B
==32294==ABORTING
```
### others
from fuzz project None
crash name None-00000006-1552381538.dwg
Auto-generated by pyspider at 2019-03-12 18:15:42
## address@hidden:2353-32___heap-buffer-overflow
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
heap-buffer-overflow in function dwg_decode_eed_data at decode.c:2353-32
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
2348 data->u.eed_4.data[j] = bit_read_RC(dat);
2349 LOG_TRACE("raw: %s\n", data->u.eed_4.data);
2350 break;
2351 case 10: case 11: case 12: case 13: /*case 14: case 15:*/
2352 data->u.eed_10.point.x = bit_read_RD(dat);
► 2353 data->u.eed_10.point.y = bit_read_RD(dat);
2354 data->u.eed_10.point.z = bit_read_RD(dat);
2355 LOG_TRACE("3dpoint: %f, %f, %f\n",
2356 data->u.eed_10.point.x,
2357 data->u.eed_10.point.y,
2358 data->u.eed_10.point.z);
```
### bug report
```txt
=================================================================
==32310==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000006740 at pc 0x7efd7e7806c5 bp 0x7ffe71660c30 sp 0x7ffe71660c28
WRITE of size 8 at 0x602000006740 thread T0
#0 0x7efd7e7806c4 in dwg_decode_eed_data
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32
#1 0x7efd7e7806c4 in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
#2 0x7efd7e7757ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
#3 0x7efd7e64f874 in dwg_decode_LEADER_private
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
#4 0x7efd7e64f874 in dwg_decode_LEADER
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
#5 0x7efd7e64f874 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
#6 0x7efd7e5fe3d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
#7 0x7efd7e5fe3d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
#8 0x7efd7e5e1049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
#9 0x7efd7e5bc4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
#10 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
#11 0x7efd7d499b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x602000006740 is located 5 bytes to the right of 11-byte region
[0x602000006730,0x60200000673b)
allocated by thread T0 here:
#0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
#1 0x7efd7e77ea9f in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
#2 0x7efd7e7757ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32 in
dwg_decode_eed_data
Shadow bytes around the buggy address:
0x0c047fff8c90: fa fa 00 00 fa fa 04 fa fa fa 00 03 fa fa 04 fa
0x0c047fff8ca0: fa fa 00 03 fa fa 00 06 fa fa 00 00 fa fa 00 00
0x0c047fff8cb0: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 03
0x0c047fff8cc0: fa fa 04 fa fa fa 00 03 fa fa 00 06 fa fa 00 03
0x0c047fff8cd0: fa fa 00 06 fa fa 00 03 fa fa 00 06 fa fa 00 03
=>0x0c047fff8ce0: fa fa 00 06 fa fa 00 03[fa]fa fa fa fa fa fa fa
0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32310==ABORTING
```
### others
from fuzz project None
crash name None-00000003-1552381586.dwg
Auto-generated by pyspider at 2019-03-12 18:15:43
## address@hidden:2523-11___heap-buffer-overflow
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
heap-buffer-overflow in function dwg_dxf_LTYPE at dwg.spec:2523-11
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
=================================================================
==32330==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x608000015008 at pc 0x7eff104ff2d8 bp 0x7ffd1eb7a490 sp 0x7ffd1eb7a488
READ of size 1 at 0x608000015008 thread T0
#0 0x7eff104ff2d7 in dwg_dxf_LTYPE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11
#1 0x7eff104de5c1 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
#2 0x7eff104b01d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
#3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#4 0x7eff0edb9b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x608000015008 is located 8 bytes to the right of 96-byte region
[0x608000014fa0,0x608000015000)
allocated by thread T0 here:
#0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
#1 0x7eff0ff7c742 in dwg_add_LINE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877:1
#2 0x7eff0ff7c742 in dwg_decode_LINE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877
#3 0x7eff0ff7c742 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3555
#4 0x7eff0ff1e3d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
#5 0x7eff0ff1e3d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
#6 0x7eff0ff01049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
#7 0x7eff0fedc4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
#8 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
#9 0x7eff0edb9b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11 in
dwg_dxf_LTYPE
Shadow bytes around the buggy address:
0x0c107fffa9b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa9c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa9d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa9e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa9f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fffaa00: fa[fa]fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffaa10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffaa20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffaa30: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffaa40: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffaa50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32330==ABORTING
```
### others
from fuzz project None
crash name None-00000013-1552381572.dwg
Auto-generated by pyspider at 2019-03-12 18:15:44
## address@hidden:73-3___heap-buffer-overflow
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
heap-buffer-overflow in function dxf_header_write at
header_variables_dxf.spec:73-3
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
=================================================================
==32334==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000005ae0 at pc 0x7f47f17c85b0 bp 0x7ffdfb1fa790 sp 0x7ffdfb1fa788
READ of size 8 at 0x602000005ae0 thread T0
#0 0x7f47f17c85af in dxf_header_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3
#1 0x7f47f179d2c9 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1579:3
#2 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#3 0x7f47f00a7b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#4 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x602000005ae0 is located 8 bytes to the right of 8-byte region
[0x602000005ad0,0x602000005ad8)
allocated by thread T0 here:
#0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
#1 0x7f47f127cb11 in dwg_add_UNKNOWN_OBJ
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
#2 0x7f47f127cb11 in dwg_decode_UNKNOWN_OBJ
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
#3 0x7f47f127cb11 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
#4 0x7f47f120c3d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
#5 0x7f47f120c3d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
#6 0x7f47f11ef049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
#7 0x7f47f11ca4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
#8 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
#9 0x7f47f00a7b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3
in dxf_header_write
Shadow bytes around the buggy address:
0x0c047fff8b00: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8b10: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8b20: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8b30: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8b40: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8b50: fa fa 00 fa fa fa 00 fa fa fa 00 fa[fa]fa 00 fa
0x0c047fff8b60: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8b70: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8b80: fa fa 00 fa fa fa 00 06 fa fa 00 06 fa fa 00 06
0x0c047fff8b90: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 06
0x0c047fff8ba0: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32334==ABORTING
```
### others
from fuzz project None
crash name None-00000008-1552381574.dwg
Auto-generated by pyspider at 2019-03-12 18:15:45
## address@hidden
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
null-pointer-dereference in function dwg_dxf_LTYPE at
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.spec
2482 FIELD_RC (alignment, 72);
2483 }
2484 FIELD_RC (num_dashes, 73);
2485 REPEAT_C(num_dashes, dash, Dwg_LTYPE_dash)
2486 {
► 2487 PRE(R_13)
2488 {
2489 FIELD_RD (dash[rcount1].length, 49);
2490 #ifndef IS_PRINT
2491 FIELD_VALUE(pattern_len) += FIELD_VALUE(dash[rcount1].length);
2492 #endif
```
### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fb4e3e7f99c bp 0x7ffe9fb40000 sp 0x7ffe9fb3ec00 T0)
==32338==The signal is caused by a READ memory access.
==32338==Hint: address points to the zero page.
#0 0x7fb4e3e7f99b in dwg_dxf_LTYPE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec
#1 0x7fb4e3e61658 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1275:20
#2 0x7fb4e3e331d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
#3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#4 0x7fb4e273cb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec in dwg_dxf_LTYPE
==32338==ABORTING
```
### others
from fuzz project None
crash name None-00000012-1552381601.dwg
Auto-generated by pyspider at 2019-03-12 18:15:45
## address@hidden:2471-3___null-pointer-dereference
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
null-pointer-dereference in function dwg_dxf_LTYPE at dwg.spec:2471-3
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f7dab4ac4f0 bp 0x3ff0000000000018 sp 0x7fff577b50a0 T0)
==32342==The signal is caused by a READ memory access.
==32342==Hint: address points to the zero page.
#0 0x7f7dab4ac4ef in dwg_dxf_LTYPE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3
#1 0x7f7dab48f5c1 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
#2 0x7f7dab4611d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
#3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#4 0x7f7da9d6ab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3 in
dwg_dxf_LTYPE
==32342==ABORTING
```
### others
from fuzz project None
crash name None-00000010-1552381589.dwg
Auto-generated by pyspider at 2019-03-12 18:15:45
## address@hidden:1323-3___null-pointer-dereference
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
null-pointer-dereference in function bit_convert_TU at bits.c:1323-3
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32351==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7feaa5e0727e bp 0x000000000001 sp 0x7fffe83aecc0 T0)
==32351==The signal is caused by a READ memory access.
==32351==Hint: address points to the zero page.
#0 0x7feaa5e0727d in bit_convert_TU
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3
#1 0x7feaa63f0ed0 in dwg_dxf_STYLE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2425:13
#2 0x7feaa63f0ed0 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1319
#3 0x7feaa63bc1d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
#4 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#5 0x7feaa4cc5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3 in bit_convert_TU
==32351==ABORTING
```
### others
from fuzz project None
crash name None-00000001-1552381543.dwg
Auto-generated by pyspider at 2019-03-12 18:15:46
## address@hidden:2354-32___heap-buffer-overflow
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is a
heap-buffer-overflow in function dwg_decode_eed_data at decode.c:2354-32
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
2349 LOG_TRACE("raw: %s\n", data->u.eed_4.data);
2350 break;
2351 case 10: case 11: case 12: case 13: /*case 14: case 15:*/
2352 data->u.eed_10.point.x = bit_read_RD(dat);
2353 data->u.eed_10.point.y = bit_read_RD(dat);
► 2354 data->u.eed_10.point.z = bit_read_RD(dat);
2355 LOG_TRACE("3dpoint: %f, %f, %f\n",
2356 data->u.eed_10.point.x,
2357 data->u.eed_10.point.y,
2358 data->u.eed_10.point.z);
2359 break;
```
### bug report
```txt
=================================================================
==32355==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300007ff11 at pc 0x7feedd1396cf bp 0x7ffeed7b1e10 sp 0x7ffeed7b1e08
WRITE of size 8 at 0x60300007ff11 thread T0
#0 0x7feedd1396ce in dwg_decode_eed_data
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32
#1 0x7feedd1396ce in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
#2 0x7feedd12e7ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
#3 0x7feedd008874 in dwg_decode_LEADER_private
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
#4 0x7feedd008874 in dwg_decode_LEADER
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
#5 0x7feedd008874 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
#6 0x7feedcfb73d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
#7 0x7feedcfb73d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
#8 0x7feedcf9a049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
#9 0x7feedcf754b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
#10 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
#11 0x7feedbe52b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
0x60300007ff11 is located 0 bytes to the right of 17-byte region
[0x60300007ff00,0x60300007ff11)
allocated by thread T0 here:
#0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
#1 0x7feedd137a9f in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
#2 0x7feedd12e7ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32 in
dwg_decode_eed_data
Shadow bytes around the buggy address:
0x0c0680007f90: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c0680007fa0: 00 05 fa fa 00 00 00 02 fa fa 00 00 01 fa fa fa
0x0c0680007fb0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
0x0c0680007fc0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c0680007fd0: fd fd fa fa 00 00 00 05 fa fa 00 00 00 02 fa fa
=>0x0c0680007fe0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680007ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680008000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0680008010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0680008020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0680008030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32355==ABORTING
```
### others
from fuzz project None
crash name None-00000004-1552381550.dwg
Auto-generated by pyspider at 2019-03-12 18:15:46
## address@hidden:2154-1___out-of-bounds-read
### description
An issue was discovered in libredwg 0.7 and 0.7.1645. There is an
out-of-bounds-read in function dwg_dxf_BLOCK_CONTROL at dwg.spec:2154-1
### commandline
dwg2dxf @@ -o /dev/null
### source
```c
None
```
### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32364==ERROR: AddressSanitizer: SEGV on unknown address 0x00207fff8003 (pc
0x7f4948e0cf48 bp 0x7fffdb01b150 sp 0x7fffdb01aee0 T0)
==32364==The signal is caused by a READ memory access.
#0 0x7f4948e0cf47 in dwg_dxf_BLOCK_CONTROL
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1
#1 0x7f4948e0cf47 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1421
#2 0x7f4948dce1d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
#3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
#4 0x7f49476d7b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1 in
dwg_dxf_BLOCK_CONTROL
==32364==ABORTING
```
### others
from fuzz project None
crash name None-00000005-1552381649.dwg
Auto-generated by pyspider at 2019-03-12 18:15:47
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?55893>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/