提出 #851192: LibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 空指针解引用 (NULL Pointer Dereference)情報

タイトルLibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 空指针解引用 (NULL Pointer Dereference)
説明### Summary An AddressSanitizer SEGV crash caused by NULL pointer dereference is triggered in `dwg_next_entity()` at `src/dwg.c:1231:42` when processing a malformed DWG file with `dwggrep`. The crash occurs due to an invalid read access to zero-page address `0x000000000030` during DWG entity traversal in the BLOCK_HEADER matching path. ### Affected Component - **Tool:** dwggrep - **File:** src/dwg.c:1231:42 (function `dwg_next_entity`) - **Caller:** src/dwg.c:1271 (`get_next_owned_entity`) → programs/dwggrep.c:1690 (`match_BLOCK_HEADER`) - **Build:** Debug + AddressSanitizer ### Root Cause The `dwg_next_entity()` function at `src/dwg.c:1231` dereferences a pointer without prior NULL validation. When `dwggrep` processes a malformed DWG file, the entity traversal encounters an object reference that leads to a NULL or near-NULL pointer (offset 0x30 from zero page). The dereference at line 1231 causes a SEGV on unknown address `0x000000000030`. The hint "address points to the zero page" indicates the code is accessing a struct member through a NULL pointer (`NULL->member` where member is at offset 0x30). ### Reproduction Steps ```sh git clone https://github.com/LibreDWG/libredwg.git cd libredwg sh autogen.sh CC=/path/to/afl-clang-fast CXX=/path/to/afl-clang-fast++ \ CFLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \ CXXFLAGS="-std=c++20 -O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \ LDFLAGS="-fsanitize=address -no-pie -pthread -ldl -lm" \ ./configure --enable-debug --enable-trace --disable-shared --disable-bindings --disable-docs make -j$(nproc) ./programs/dwggrep test <poc_file> ``` ### ASan Call Stack (Crash) ``` SEGV on unknown address 0x000000000030 (READ, zero page) #0 dwg_next_entity src/dwg.c:1231:42 #1 get_next_owned_entity src/dwg.c:1271:13 #2 match_BLOCK_HEADER programs/dwggrep.c:1690:14 #3 main programs/dwggrep.c:2035:18 #4 __libc_start_call_main #5 __libc_start_main #6 _start ``` ### Impact Processing a maliciously crafted DWG file with dwggrep triggers a NULL pointer dereference, causing immediate application crash (segmentation fault). This results in denial of service. While a NULL pointer dereference on modern systems typically only causes a crash, in certain embedded or kernel contexts it could have more severe implications. ### References - GitHub Issue: https://github.com/LibreDWG/libredwg/issues/1253 - PoC: https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_0b57303_dwggrep_segv_null_read_dwg_next_entity_dwg.c_1231.dwg - Reporter: HackC0der (pwn3rd) - Date Reported: 2026-04-29
ソース⚠️ https://github.com/LibreDWG/libredwg/issues/1253
ユーザー
 Ech06 (UID 98792)
送信2026年06月08日 02:23 (1 月 ago)
モデレーション2026年07月09日 07:00 (1 month later)
ステータス承諾済み
VulDBエントリ377110 [GNU LibreDWG 迄 0.13.4 DWG File src/dwg.c dwg_next_entity next_obj サービス拒否]
ポイント20

Do you want to use VulDB in your project?

Use the official API to access entries easily!