Headline
CVE-2021-42586: Heap-buffer-overflow in copy_bytes in decode_r2007.c:228 · Issue #350 · LibreDWG/libredwg
A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.
Affected version
the latest commit and 0.12.4
What’s the problem?
A heap buffer overflow was discovered in copy_bytes in decode_r2007.c:228.
ASAN report:
./dwgread ./tests_64199
=================================================================
==9330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005f55 at pc 0x000000ca93c3 bp 0x7ffe5a6134c0 sp 0x7ffe5a6134b8
WRITE of size 1 at 0x62a000005f55 thread T0
#0 0xca93c2 in copy_bytes /root/fuzz/libredwg/src/decode_r2007.c:228:12
#1 0xca431a in decompress_r2007 /root/fuzz/libredwg/src/decode_r2007.c:550:11
#2 0xcaa7fe in read_data_page /root/fuzz/libredwg/src/decode_r2007.c:728:13
#3 0xcaa319 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:811:19
#4 0xc8bee9 in read_2007_section_handles /root/fuzz/libredwg/src/decode_r2007.c:1622:11
#5 0xc83c84 in read_r2007_meta_data /root/fuzz/libredwg/src/decode_r2007.c:2378:12
#6 0x4f9fcc in decode_R2007 /root/fuzz/libredwg/src/decode.c:3836:11
#7 0x4e49ab in dwg_decode /root/fuzz/libredwg/src/decode.c:248:29
#8 0x4c75cc in dwg_read_file /root/fuzz/libredwg/src/dwg.c:254:11
#9 0x4c5d47 in main /root/fuzz/libredwg/programs/dwgread.c
#10 0x7f7541c7483f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x41ba58 in _start (/root/fuzz/pocs/dwgread+0x41ba58)
0x62a000005f55 is located 0 bytes to the right of 23893-byte region [0x62a000000200,0x62a000005f55)
allocated by thread T0 here:
#0 0x495a22 in calloc (/root/fuzz/pocs/dwgread+0x495a22)
#1 0xca9e98 in read_data_section /root/fuzz/libredwg/src/decode_r2007.c:774:26
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/libredwg/src/decode_r2007.c:228:12 in copy_bytes
Shadow bytes around the buggy address:
0x0c547fff8b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff8ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff8bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff8bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff8bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fff8be0: 00 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa
0x0c547fff8bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff8c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff8c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==9330==ABORTING
Compile command
CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make
How can we reproduce the issue?
unzip tests_64199.zip
dwgread ./tests_64199
POC file : tests_64199.zip