| tiêu đề | LibreDWG 0.13.4-154-g0b573035 (main branch, commit 0b573035, 2026-04-29) 内存损坏 (Heap Buffer Overflow - Write) |
|---|
| Mô tả | ### Summary
An AddressSanitizer heap-buffer-overflow WRITE crash is triggered in `decompress_R2004_section()` at `src/decode.c:1295` when parsing a malformed DWG R2004 file with `dwg2dxf --binary`. The out-of-bounds write of size 1 occurs during R2004 section decompression processing, writing past the end of a 29696-byte heap-allocated buffer.
### Affected Component
- **Tool:** dwg2dxf (with --binary flag)
- **File:** src/decode.c:1295 (function `decompress_R2004_section`)
- **Build:** Debug + AddressSanitizer
### Root Cause
The `decompress_R2004_section()` function in `src/decode.c` fails to properly validate the bounds of decompressed data before writing to a heap buffer. The buffer allocated at `read_2004_compressed_section()` (decode.c:2059) has a fixed size of 29696 bytes, but the decompression logic writes 1 byte past this boundary. This issue may be related to an incomplete patch for issue #1243, where similar heap overflow patterns were partially addressed but the underlying root cause was not fully resolved.
### Reproduction Steps
```sh
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
sh autogen.sh
CC=/path/to/afl-clang-fast CXX=/path/to/afl-clang-fast++ \
CFLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \
CXXFLAGS="-std=c++20 -O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \
LDFLAGS="-fsanitize=address -no-pie -pthread -ldl -lm" \
./configure --enable-debug --enable-trace --disable-shared --disable-bindings --disable-docs
make -j$(nproc)
./programs/dwg2dxf --binary <poc_file>
```
### ASan Call Stack (Crash)
```
WRITE of size 1 at 0x62c00003f600 (0 bytes to the right of 29696-byte region)
#0 decompress_R2004_section src/decode.c:1295:27
#1 read_2004_compressed_section src/decode.c:2158:19
#2 read_2004_section_template src/decode.c:3233:11
#3 decode_R2004 src/decode.c:3646:12
#4 dwg_decode src/decode.c:225:12
#5 dwg_read_file src/dwg.c:275:11
#6 main programs/dwg2dxf.c:263:15
```
### Impact
Processing a maliciously crafted DWG file can trigger an out-of-bounds heap write, which may lead to memory corruption, potential code execution, or application crash (denial of service).
### References
- GitHub Issue: https://github.com/LibreDWG/libredwg/issues/1251
- Related Issue: https://github.com/LibreDWG/libredwg/issues/1243
- PoC: https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_0b57303_heap_overflow_decompress_R2004_section.dwg
- Reporter: HackC0der (pwn3rd)
- Date Reported: 2026-04-29 |
|---|
| Nguồn | ⚠️ https://github.com/LibreDWG/libredwg/issues/1251 |
|---|
| Người dùng | Ech06 (UID 98792) |
|---|
| Đệ trình | 08/06/2026 02:22 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 12/07/2026 13:27 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 377849 [GNU LibreDWG 0.13.4-154-g0b573035 R2004 Section Decompression src/decode.c decompress_R2004_section tràn bộ đệm] |
|---|
| điểm | 20 |
|---|