
[libredwg] [bug #55893] several bugs in LibreDWG


From: anonymous
Subject: [libredwg] [bug #55893] several bugs in LibreDWG
Date: Tue, 12 Mar 2019 06:47:04 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?55893>

                 Summary: several bugs in LibreDWG
                 Project: LibreDWG
            Submitted by: None
            Submitted on: Tue 12 Mar 2019 10:47:02 AM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

# libredwg

## version 

    libredwg 0.7 and 0.7.1645

## description

```txt
libredwg
```

## download link

    https://github.com/LibreDWG/libredwg/releases

---------------------

## dwg_dxf_LEADER@dwg.spec:2034-3___null-pointer-dereference

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function dwg_dxf_LEADER at dwg.spec:2034-3.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f4d91d2b51e bp 0x0c22000045e3 sp 0x7ffd87ed4b60 T0)
==32285==The signal is caused by a READ memory access.
==32285==Hint: address points to the zero page.
    #0 0x7f4d91d2b51d in dwg_dxf_LEADER
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3
    #1 0x7f4d91d2b51d in dwg_dxf_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:934
    #2 0x7f4d91ca1ba7 in dxf_entities_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1528:18
    #3 0x7f4d91ca1ba7 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1596
    #4 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #5 0x7f4d905aab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2034:3 in
dwg_dxf_LEADER
==32285==ABORTING

```

### others

    from fuzz project None
    crash name None-00000007-1552381583.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:41

## bit_read_B@bits.c___out-of-bounds-read

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is an out-of-bounds read in function bit_read_B in bits.c (the ASan trace reports no line number for this frame).

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32294==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6692681af1 (pc
0x7f6675cd7f01 bp 0x0c0800001814 sp 0x7ffc0f5f3ef0 T0)
==32294==The signal is caused by a READ memory access.
    #0 0x7f6675cd7f00 in bit_read_B
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c
    #1 0x7f6675f33256 in obj_string_stream
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode_r2007.c:1126:22
    #2 0x7f6675ea3b0f in dwg_decode_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2738:18
    #3 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ_private
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
    #4 0x7f6675d81cc6 in dwg_decode_UNKNOWN_OBJ
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
    #5 0x7f6675d81cc6 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
    #6 0x7f6675d113d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7f6675d113d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7f6675cf4049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7f6675ccf4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7f6674bacb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c in bit_read_B
==32294==ABORTING

```

### others

    from fuzz project None
    crash name None-00000006-1552381538.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:42

## dwg_decode_eed_data@decode.c:2353-32___heap-buffer-overflow

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap buffer overflow in function dwg_decode_eed_data at decode.c:2353-32.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
   2348           data->u.eed_4.data[j] = bit_read_RC(dat);
   2349         LOG_TRACE("raw: %s\n", data->u.eed_4.data);
   2350         break;
   2351       case 10: case 11: case 12: case 13: /*case 14: case 15:*/
   2352         data->u.eed_10.point.x = bit_read_RD(dat);
 ► 2353         data->u.eed_10.point.y = bit_read_RD(dat);
   2354         data->u.eed_10.point.z = bit_read_RD(dat);
   2355         LOG_TRACE("3dpoint: %f, %f, %f\n",
   2356                   data->u.eed_10.point.x,
   2357                   data->u.eed_10.point.y,
   2358                   data->u.eed_10.point.z);

```

### bug report

```txt

=================================================================
==32310==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000006740 at pc 0x7efd7e7806c5 bp 0x7ffe71660c30 sp 0x7ffe71660c28
WRITE of size 8 at 0x602000006740 thread T0
    #0 0x7efd7e7806c4 in dwg_decode_eed_data
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32
    #1 0x7efd7e7806c4 in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
    #2 0x7efd7e7757ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
    #3 0x7efd7e64f874 in dwg_decode_LEADER_private
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
    #4 0x7efd7e64f874 in dwg_decode_LEADER
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
    #5 0x7efd7e64f874 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
    #6 0x7efd7e5fe3d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7efd7e5fe3d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7efd7e5e1049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7efd7e5bc4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7efd7d499b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x602000006740 is located 5 bytes to the right of 11-byte region
[0x602000006730,0x60200000673b)
allocated by thread T0 here:
    #0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7efd7e77ea9f in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
    #2 0x7efd7e7757ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2353:32 in
dwg_decode_eed_data
Shadow bytes around the buggy address:
  0x0c047fff8c90: fa fa 00 00 fa fa 04 fa fa fa 00 03 fa fa 04 fa
  0x0c047fff8ca0: fa fa 00 03 fa fa 00 06 fa fa 00 00 fa fa 00 00
  0x0c047fff8cb0: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 03
  0x0c047fff8cc0: fa fa 04 fa fa fa 00 03 fa fa 00 06 fa fa 00 03
  0x0c047fff8cd0: fa fa 00 06 fa fa 00 03 fa fa 00 06 fa fa 00 03
=>0x0c047fff8ce0: fa fa 00 06 fa fa 00 03[fa]fa fa fa fa fa fa fa
  0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32310==ABORTING

```

### others

    from fuzz project None
    crash name None-00000003-1552381586.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:43

## dwg_dxf_LTYPE@dwg.spec:2523-11___heap-buffer-overflow

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap buffer overflow in function dwg_dxf_LTYPE at dwg.spec:2523-11.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

=================================================================
==32330==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x608000015008 at pc 0x7eff104ff2d8 bp 0x7ffd1eb7a490 sp 0x7ffd1eb7a488
READ of size 1 at 0x608000015008 thread T0
    #0 0x7eff104ff2d7 in dwg_dxf_LTYPE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11
    #1 0x7eff104de5c1 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
    #2 0x7eff104b01d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7eff0edb9b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x608000015008 is located 8 bytes to the right of 96-byte region
[0x608000014fa0,0x608000015000)
allocated by thread T0 here:
    #0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7eff0ff7c742 in dwg_add_LINE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877:1
    #2 0x7eff0ff7c742 in dwg_decode_LINE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:877
    #3 0x7eff0ff7c742 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3555
    #4 0x7eff0ff1e3d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #5 0x7eff0ff1e3d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #6 0x7eff0ff01049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #7 0x7eff0fedc4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #8 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #9 0x7eff0edb9b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2523:11 in
dwg_dxf_LTYPE
Shadow bytes around the buggy address:
  0x0c107fffa9b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffa9f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fffaa00: fa[fa]fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa30: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa40: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fffaa50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32330==ABORTING

```

### others

    from fuzz project None
    crash name None-00000013-1552381572.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:44

## dxf_header_write@header_variables_dxf.spec:73-3___heap-buffer-overflow

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap buffer overflow in function dxf_header_write at header_variables_dxf.spec:73-3.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

=================================================================
==32334==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000005ae0 at pc 0x7f47f17c85b0 bp 0x7ffdfb1fa790 sp 0x7ffdfb1fa788
READ of size 8 at 0x602000005ae0 thread T0
    #0 0x7f47f17c85af in dxf_header_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3
    #1 0x7f47f179d2c9 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1579:3
    #2 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #3 0x7f47f00a7b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x602000005ae0 is located 8 bytes to the right of 8-byte region
[0x602000005ad0,0x602000005ad8)
allocated by thread T0 here:
    #0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7f47f127cb11 in dwg_add_UNKNOWN_OBJ
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530:1
    #2 0x7f47f127cb11 in dwg_decode_UNKNOWN_OBJ
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:5530
    #3 0x7f47f127cb11 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3809
    #4 0x7f47f120c3d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #5 0x7f47f120c3d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #6 0x7f47f11ef049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #7 0x7f47f11ca4b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #8 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #9 0x7f47f00a7b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./header_variables_dxf.spec:73:3
in dxf_header_write
Shadow bytes around the buggy address:
  0x0c047fff8b00: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b10: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b20: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b30: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b40: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8b50: fa fa 00 fa fa fa 00 fa fa fa 00 fa[fa]fa 00 fa
  0x0c047fff8b60: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b70: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8b80: fa fa 00 fa fa fa 00 06 fa fa 00 06 fa fa 00 06
  0x0c047fff8b90: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 06
  0x0c047fff8ba0: fa fa 00 06 fa fa 00 06 fa fa 00 06 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32334==ABORTING

```

### others

    from fuzz project None
    crash name None-00000008-1552381574.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:45

## dwg_dxf_LTYPE@dwg.spec___null-pointer-dereference

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function dwg_dxf_LTYPE in dwg.spec (the ASan trace reports no line number for this frame; the source excerpt below marks dwg.spec line 2487).

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.spec
   2482     FIELD_RC (alignment, 72);
   2483   }
   2484   FIELD_RC (num_dashes, 73);
   2485   REPEAT_C(num_dashes, dash, Dwg_LTYPE_dash)
   2486     {
 ► 2487       PRE(R_13)
   2488       {
   2489         FIELD_RD (dash[rcount1].length, 49);
   2490 #ifndef IS_PRINT
   2491         FIELD_VALUE(pattern_len) += FIELD_VALUE(dash[rcount1].length);
   2492 #endif

```

### bug report

```txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fb4e3e7f99c bp 0x7ffe9fb40000 sp 0x7ffe9fb3ec00 T0)
==32338==The signal is caused by a READ memory access.
==32338==Hint: address points to the zero page.
    #0 0x7fb4e3e7f99b in dwg_dxf_LTYPE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec
    #1 0x7fb4e3e61658 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1275:20
    #2 0x7fb4e3e331d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7fb4e273cb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec in dwg_dxf_LTYPE
==32338==ABORTING

```

### others

    from fuzz project None
    crash name None-00000012-1552381601.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:45

## dwg_dxf_LTYPE@dwg.spec:2471-3___null-pointer-dereference

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function dwg_dxf_LTYPE at dwg.spec:2471-3.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f7dab4ac4f0 bp 0x3ff0000000000018 sp 0x7fff577b50a0 T0)
==32342==The signal is caused by a READ memory access.
==32342==Hint: address points to the zero page.
    #0 0x7f7dab4ac4ef in dwg_dxf_LTYPE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3
    #1 0x7f7dab48f5c1 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1272:11
    #2 0x7f7dab4611d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7f7da9d6ab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2471:3 in
dwg_dxf_LTYPE
==32342==ABORTING

```

### others

    from fuzz project None
    crash name None-00000010-1552381589.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:45

## bit_convert_TU@bits.c:1323-3___null-pointer-dereference

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a null-pointer dereference in function bit_convert_TU at bits.c:1323-3.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32351==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7feaa5e0727e bp 0x000000000001 sp 0x7fffe83aecc0 T0)
==32351==The signal is caused by a READ memory access.
==32351==Hint: address points to the zero page.
    #0 0x7feaa5e0727d in bit_convert_TU
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3
    #1 0x7feaa63f0ed0 in dwg_dxf_STYLE
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2425:13
    #2 0x7feaa63f0ed0 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1319
    #3 0x7feaa63bc1d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #4 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #5 0x7feaa4cc5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/bits.c:1323:3 in bit_convert_TU
==32351==ABORTING

```

### others

    from fuzz project None
    crash name None-00000001-1552381543.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:46

## dwg_decode_eed_data@decode.c:2354-32___heap-buffer-overflow

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is a heap buffer overflow in function dwg_decode_eed_data at decode.c:2354-32.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
In file: /home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
   2349         LOG_TRACE("raw: %s\n", data->u.eed_4.data);
   2350         break;
   2351       case 10: case 11: case 12: case 13: /*case 14: case 15:*/
   2352         data->u.eed_10.point.x = bit_read_RD(dat);
   2353         data->u.eed_10.point.y = bit_read_RD(dat);
 ► 2354         data->u.eed_10.point.z = bit_read_RD(dat);
   2355         LOG_TRACE("3dpoint: %f, %f, %f\n",
   2356                   data->u.eed_10.point.x,
   2357                   data->u.eed_10.point.y,
   2358                   data->u.eed_10.point.z);
   2359         break;

```

### bug report

```txt

=================================================================
==32355==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300007ff11 at pc 0x7feedd1396cf bp 0x7ffeed7b1e10 sp 0x7ffeed7b1e08
WRITE of size 8 at 0x60300007ff11 thread T0
    #0 0x7feedd1396ce in dwg_decode_eed_data
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32
    #1 0x7feedd1396ce in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2473
    #2 0x7feedd12e7ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12
    #3 0x7feedd008874 in dwg_decode_LEADER_private
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026:1
    #4 0x7feedd008874 in dwg_decode_LEADER
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2026
    #5 0x7feedd008874 in dwg_decode_add_object
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:3630
    #6 0x7feedcfb73d9 in read_2004_section_handles
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2100:19
    #7 0x7feedcfb73d9 in decode_R2004
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2230
    #8 0x7feedcf9a049 in dwg_decode
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c
    #9 0x7feedcf754b1 in dwg_read_file
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/dwg.c:186:11
    #10 0x513411 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:225:15
    #11 0x7feedbe52b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

0x60300007ff11 is located 0 bytes to the right of 17-byte region
[0x60300007ff00,0x60300007ff11)
allocated by thread T0 here:
    #0 0x4da478 in calloc
/home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7feedd137a9f in dwg_decode_eed
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2470:47
    #2 0x7feedd12e7ce in dwg_decode_entity
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2683:12

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/decode.c:2354:32 in
dwg_decode_eed_data
Shadow bytes around the buggy address:
  0x0c0680007f90: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c0680007fa0: 00 05 fa fa 00 00 00 02 fa fa 00 00 01 fa fa fa
  0x0c0680007fb0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c0680007fc0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0680007fd0: fd fd fa fa 00 00 00 05 fa fa 00 00 00 02 fa fa
=>0x0c0680007fe0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680007ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680008000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0680008030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32355==ABORTING

```

### others

    from fuzz project None
    crash name None-00000004-1552381550.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:46

## dwg_dxf_BLOCK_CONTROL@dwg.spec:2154-1___out-of-bounds-read

### description

    An issue was discovered in libredwg 0.7 and 0.7.1645. There is an out-of-bounds read in function dwg_dxf_BLOCK_CONTROL at dwg.spec:2154-1.

### commandline

    dwg2dxf @@ -o /dev/null

### source

```c
None
```

### bug report

```txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32364==ERROR: AddressSanitizer: SEGV on unknown address 0x00207fff8003 (pc
0x7f4948e0cf48 bp 0x7fffdb01b150 sp 0x7fffdb01aee0 T0)
==32364==The signal is caused by a READ memory access.
    #0 0x7f4948e0cf47 in dwg_dxf_BLOCK_CONTROL
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1
    #1 0x7f4948e0cf47 in dxf_tables_write
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1421
    #2 0x7f4948dce1d5 in dwg_write_dxf
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/out_dxf.c:1589:9
    #3 0x513785 in main
/home/pwd/git-fuzz/libredwg/libredwg-0.7/programs/dwg2dxf.c:255:56
    #4 0x7f49476d7b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a399 in _start
(/home/pwd/git-fuzz/libredwg/libredwg-0.7/installed-asan/bin/dwg2dxf+0x41a399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/pwd/git-fuzz/libredwg/libredwg-0.7/src/./dwg.spec:2154:1 in
dwg_dxf_BLOCK_CONTROL
==32364==ABORTING

```

### others

    from fuzz project None
    crash name None-00000005-1552381649.dwg
    Auto-generated by pyspider at 2019-03-12 18:15:47

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?55893>
