| 标题 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) |
|---|
| 描述 | A heap-based buffer overflow vulnerability exists in the LibreDWG library, affecting versions up to and including 0.14, and the main branch up to commit 6d6a339 (2026-04-10). The vulnerability resides in the decompress_R2004_section function within src/decode.c at line 1297. This flaw is caused by inadequate boundary validation for the destination decompression buffer when processing maliciously crafted DWG R2004 compressed section input data. The code fails to properly check if the write offset exceeds the allocated size of the pre-allocated heap buffer, resulting in an out-of-bounds heap write of 1 byte during the R2004 section decompression process. An attacker can exploit this vulnerability by supplying a specially crafted DWG file to applications linked against the vulnerable LibreDWG library (e.g., the dwgread utility), leading to a program crash (denial of service) or potential arbitrary code execution. This issue shares call stack similarities with the previously reported vulnerabilities in GitHub issue #126, and is suspected to be an incomplete patch fix where only partial locations were addressed while the root cause remained unaddressed. This vulnerability was fixed in the LibreDWG main branch via commits c5661b6c19dc469d8d8b60ae5bdcf4933898784f and e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 on April 23, 2026, which added strict boundary checks for decompression offsets and buffer sizes to prevent out-of-bounds memory access. |
|---|
| 来源 | ⚠️ https://github.com/LibreDWG/libredwg/issues/1243 |
|---|
| 用户 | pwn3rd (UID 97480) |
|---|
| 提交 | 2026-04-27 17時32分 (1 月前) |
|---|
| 管理 | 2026-05-25 12時04分 (28 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 365484 [GNU LibreDWG 直到 0.14 Dwgread Utility src/decode.c decompress_R2004_section 内存损坏] |
|---|
| 积分 | 20 |
|---|