Invia #851191: LibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 内存损坏 (Heap Buffer Overflow - Read)informazioni

TitoloLibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 内存损坏 (Heap Buffer Overflow - Read)
Descrizione### Summary An AddressSanitizer heap-buffer-overflow READ crash is triggered in `__interceptor_fwrite()` when processing a malformed DWG file with `dwgbmp`. The out-of-bounds read of 31304 bytes occurs during BMP image data writing in `get_bmp()` at `programs/dwgbmp.c:218`. The read extends 0 bytes past the end of a 31407-byte heap-allocated region. ### Affected Component - **Tool:** dwgbmp - **File:** programs/dwgbmp.c:218 (function `get_bmp`) - **Allocation Site:** src/decode.c:435 (function `decode_R13_R2000`) - **Build:** Debug + AddressSanitizer ### Root Cause The `get_bmp()` function in `programs/dwgbmp.c` reads data from a buffer allocated during DWG decoding (`decode_R13_R2000` at decode.c:435) and writes it out via `fwrite()`. The buffer size calculation or the BMP data offset/length computation is incorrect when handling malformed input, causing `fwrite()` to attempt reading beyond the allocated heap buffer boundary. This issue is related to issue #1249. ### Reproduction Steps ```sh git clone https://github.com/LibreDWG/libredwg.git cd libredwg sh autogen.sh CC=/path/to/afl-clang-fast CXX=/path/to/afl-clang-fast++ \ CFLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \ CXXFLAGS="-std=c++20 -O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \ LDFLAGS="-fsanitize=address -no-pie -pthread -ldl -lm" \ ./configure --enable-debug --enable-trace --disable-shared --disable-bindings --disable-docs make -j$(nproc) ./programs/dwgbmp <poc_file> ``` ### ASan Call Stack (Crash) ``` READ of size 31304 at 0x62c000007caf (0 bytes to the right of 31407-byte region) #0 __interceptor_fwrite #1 get_bmp programs/dwgbmp.c:218:12 #2 main programs/dwgbmp.c:342:10 #3 __libc_start_call_main #4 __libc_start_main #5 _start Allocation (31407 bytes): #0 __interceptor_calloc #1 decode_R13_R2000 src/decode.c:435:38 #2 dwg_decode src/decode.c:212:12 #3 dwg_read_file src/dwg.c:275:11 #4 get_bmp programs/dwgbmp.c:122:11 #5 main programs/dwgbmp.c:342:10 ``` ### Impact Processing a maliciously crafted DWG file with dwgbmp can trigger an out-of-bounds heap read, potentially exposing sensitive heap memory contents or causing application crash (denial of service). The read size (31304 bytes) is substantial. ### References - GitHub Issue: https://github.com/LibreDWG/libredwg/issues/1252 - Related Issue: https://github.com/LibreDWG/libredwg/issues/1249 - PoC: https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_0b57303_heap_overflow_decode_R13_R2000.dwg - Reporter: HackC0der (pwn3rd) - Date Reported: 2026-04-29
Fonte⚠️ https://github.com/LibreDWG/libredwg/issues/1252
Utente
 Ech06 (UID 98792)
Sottomissione08/06/2026 02:22 (1 mese fa)
Moderazione09/07/2026 06:56 (1 month later)
StatoAccettato
Voce VulDB377109 [GNU LibreDWG fino a 0.13.4 BMP Image src/dwg.c dwg_bmp buffer overflow]
Punti20

Do you know our Splunk app?

Download it now for free!