| Titolo | LibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 内存损坏 (Heap Buffer Overflow - Read) |
|---|
| Descrizione | ### Summary
An AddressSanitizer heap-buffer-overflow READ crash is triggered in `__interceptor_fwrite()` when processing a malformed DWG file with `dwgbmp`. The out-of-bounds read of 31304 bytes occurs during BMP image data writing in `get_bmp()` at `programs/dwgbmp.c:218`. The read extends 0 bytes past the end of a 31407-byte heap-allocated region.
### Affected Component
- **Tool:** dwgbmp
- **File:** programs/dwgbmp.c:218 (function `get_bmp`)
- **Allocation Site:** src/decode.c:435 (function `decode_R13_R2000`)
- **Build:** Debug + AddressSanitizer
### Root Cause
The `get_bmp()` function in `programs/dwgbmp.c` reads data from a buffer allocated during DWG decoding (`decode_R13_R2000` at decode.c:435) and writes it out via `fwrite()`. The buffer size calculation or the BMP data offset/length computation is incorrect when handling malformed input, causing `fwrite()` to attempt reading beyond the allocated heap buffer boundary. This issue is related to issue #1249.
### Reproduction Steps
```sh
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
sh autogen.sh
CC=/path/to/afl-clang-fast CXX=/path/to/afl-clang-fast++ \
CFLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \
CXXFLAGS="-std=c++20 -O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \
LDFLAGS="-fsanitize=address -no-pie -pthread -ldl -lm" \
./configure --enable-debug --enable-trace --disable-shared --disable-bindings --disable-docs
make -j$(nproc)
./programs/dwgbmp <poc_file>
```
### ASan Call Stack (Crash)
```
READ of size 31304 at 0x62c000007caf (0 bytes to the right of 31407-byte region)
#0 __interceptor_fwrite
#1 get_bmp programs/dwgbmp.c:218:12
#2 main programs/dwgbmp.c:342:10
#3 __libc_start_call_main
#4 __libc_start_main
#5 _start
Allocation (31407 bytes):
#0 __interceptor_calloc
#1 decode_R13_R2000 src/decode.c:435:38
#2 dwg_decode src/decode.c:212:12
#3 dwg_read_file src/dwg.c:275:11
#4 get_bmp programs/dwgbmp.c:122:11
#5 main programs/dwgbmp.c:342:10
```
### Impact
Processing a maliciously crafted DWG file with dwgbmp can trigger an out-of-bounds heap read, potentially exposing sensitive heap memory contents or causing application crash (denial of service). The read size (31304 bytes) is substantial.
### References
- GitHub Issue: https://github.com/LibreDWG/libredwg/issues/1252
- Related Issue: https://github.com/LibreDWG/libredwg/issues/1249
- PoC: https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_0b57303_heap_overflow_decode_R13_R2000.dwg
- Reporter: HackC0der (pwn3rd)
- Date Reported: 2026-04-29 |
|---|
| Fonte | ⚠️ https://github.com/LibreDWG/libredwg/issues/1252 |
|---|
| Utente | Ech06 (UID 98792) |
|---|
| Sottomissione | 08/06/2026 02:22 (1 mese fa) |
|---|
| Moderazione | 09/07/2026 06:56 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 377109 [GNU LibreDWG fino a 0.13.4 BMP Image src/dwg.c dwg_bmp buffer overflow] |
|---|
| Punti | 20 |
|---|