जमा करें #851190: LibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 内存损坏 (Heap Buffer Overflow - Write)जानकारी

शीर्षकLibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 内存损坏 (Heap Buffer Overflow - Write)
विवरण### Summary An AddressSanitizer heap-buffer-overflow WRITE crash is triggered in `decompress_R2004_section()` at `src/decode.c:1295` when parsing a malformed DWG R2004 file with `dwg2dxf --binary`. The out-of-bounds write of size 1 occurs during R2004 section decompression processing, writing past the end of a 29696-byte heap-allocated buffer. ### Affected Component - **Tool:** dwg2dxf (with --binary flag) - **File:** src/decode.c:1295 (function `decompress_R2004_section`) - **Build:** Debug + AddressSanitizer ### Root Cause The `decompress_R2004_section()` function in `src/decode.c` fails to properly validate the bounds of decompressed data before writing to a heap buffer. The buffer allocated at `read_2004_compressed_section()` (decode.c:2059) has a fixed size of 29696 bytes, but the decompression logic writes 1 byte past this boundary. This issue may be related to an incomplete patch for issue #1243, where similar heap overflow patterns were partially addressed but the underlying root cause was not fully resolved. ### Reproduction Steps ```sh git clone https://github.com/LibreDWG/libredwg.git cd libredwg sh autogen.sh CC=/path/to/afl-clang-fast CXX=/path/to/afl-clang-fast++ \ CFLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \ CXXFLAGS="-std=c++20 -O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \ LDFLAGS="-fsanitize=address -no-pie -pthread -ldl -lm" \ ./configure --enable-debug --enable-trace --disable-shared --disable-bindings --disable-docs make -j$(nproc) ./programs/dwg2dxf --binary <poc_file> ``` ### ASan Call Stack (Crash) ``` WRITE of size 1 at 0x62c00003f600 (0 bytes to the right of 29696-byte region) #0 decompress_R2004_section src/decode.c:1295:27 #1 read_2004_compressed_section src/decode.c:2158:19 #2 read_2004_section_template src/decode.c:3233:11 #3 decode_R2004 src/decode.c:3646:12 #4 dwg_decode src/decode.c:225:12 #5 dwg_read_file src/dwg.c:275:11 #6 main programs/dwg2dxf.c:263:15 ``` ### Impact Processing a maliciously crafted DWG file can trigger an out-of-bounds heap write, which may lead to memory corruption, potential code execution, or application crash (denial of service). ### References - GitHub Issue: https://github.com/LibreDWG/libredwg/issues/1251 - Related Issue: https://github.com/LibreDWG/libredwg/issues/1243 - PoC: https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_0b57303_heap_overflow_decompress_R2004_section.dwg - Reporter: HackC0der (pwn3rd) - Date Reported: 2026-04-29
स्रोत⚠️ https://github.com/LibreDWG/libredwg/issues/1251
उपयोगकर्ता
 Ech06 (UID 98792)
सबमिशन08/06/2026 02:22 AM (1 महीना पहले)
संयम12/07/2026 01:27 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि377849 [GNU LibreDWG 0.13.4-154-g0b573035 R2004 Section Decompression src/decode.c decompress_R2004_section बफ़र ओवरफ़्लो]
अंक20

Do you need the next level of professionalism?

Upgrade your account now!