Headline
CVE-2023-25222: heap-buffer-overflow in function bit_read_RC at bits.c:320 · Issue #615 · LibreDWG/libredwg
A heap-based buffer overflow (an out-of-bounds read one byte before the start of a heap allocation) exists in GNU LibreDWG v0.12.5 in the bit_read_RC function in bits.c, reachable by feeding a crafted DWG file to dwg2dxf.
Description
heap-buffer-overflow in function bit_read_RC at bits.c:320: a 1-byte READ immediately before the heap region that dat_read_file allocated for the file contents, reached via bit_read_RL -> bit_read_RS -> bit_read_RC from decode_R13_R2000 while dwg2dxf parses the attached PoC file.
Version
git log
commit 3c90dc6641e11e486666940d7f354d2df54503d6 (HEAD -> master, tag: 0.12.5.5010, origin/master, origin/HEAD)
Author: Michal Josef Špaček <[email protected]>
Date: Fri Jan 27 18:50:08 2023 +0100
Steps to reproduce
apt install jing libjaxp1.3-java libbatik-java libavalon-framework-java
git clone https://github.com/LibreDWG/libredwg.git
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
cd libredwg
sh ./autogen.sh
./configure --enable-release --enable-trace --disable-shared
make -j
cd programs
./dwg2dxf -b -m ./poc_hbo01.bin -o /dev/null
Reading DWG file ./poc_hbo01.bin
=================================================================
==3322912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000007f at pc 0x0000004f4ebf bp 0x7fffffffaca0 sp 0x7fffffffac98
READ of size 1 at 0x61700000007f thread T0
#0 0x4f4ebe in bit_read_RC /home/fuzz/libredwg/src/bits.c:320:10
#1 0x4f5b15 in bit_read_RS /home/fuzz/libredwg/src/bits.c:380:11
#2 0x4f6155 in bit_read_RL /home/fuzz/libredwg/src/bits.c:443:11
#3 0x51d38f in decode_R13_R2000 /home/fuzz/libredwg/src/decode.c:682:9
#4 0x515806 in dwg_decode /home/fuzz/libredwg/src/decode.c:225:38
#5 0x4ce9c3 in dwg_read_file /home/fuzz/libredwg/src/dwg.c:255:11
#6 0x4cb903 in main /home/fuzz/libredwg/programs/dwg2dxf.c:258:15
#7 0x7ffff7c49082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x41d4bd in _start (/home/fuzz/libredwg/programs/dwg2dxf+0x41d4bd)
0x61700000007f is located 1 bytes to the left of 652-byte region [0x617000000080,0x61700000030c)
allocated by thread T0 here:
#0 0x498892 in calloc (/home/fuzz/libredwg/programs/dwg2dxf+0x498892)
#1 0x4ccfc7 in dat_read_file /home/fuzz/libredwg/src/dwg.c:91:33
#2 0x4ce911 in dwg_read_file /home/fuzz/libredwg/src/dwg.c:248:15
#3 0x4cb903 in main /home/fuzz/libredwg/programs/dwg2dxf.c:258:15
#4 0x7ffff7c49082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libredwg/src/bits.c:320:10 in bit_read_RC
Shadow bytes around the buggy address:
0x0c2e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c2e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3322912==ABORTING
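The trace says the faulting address is one byte to the left of the 652-byte region allocated in dat_read_file, so the reader's byte cursor ended up at -1 relative to the buffer; an inference from the trace, not something the issue states, is that a check against the end of the buffer alone could not stop it. The following C program is an added example written for this page, not code from LibreDWG: it models a minimal bit-chain reader whose overflow check only guards the upper bound, beside a hardened reader that validates the cursor at both ends, at seek time and again at read time. Chain, weak_read_rc, safe_seek, safe_read_rc and the sample bytes are all constructed for the illustration; the real bit_read_RC differs in detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a "guard" byte followed by a 4-byte pseudo-DWG payload.
 * The reader is pointed at storage + 1, so that reading index -1 lands on the
 * guard byte instead of unmapped memory. This keeps the demonstration
 * well-defined; in the real report the byte before the region was an ASan
 * redzone, which is why the sanitizer aborted. */
static unsigned char storage[1 + 4] = { 0xAA, 0x01, 0x02, 0x03, 0x04 };

/* Hypothetical minimal bit chain, modelled on the general shape of a DWG bit
 * reader (chain pointer, byte cursor, bit cursor). Not LibreDWG's struct. */
typedef struct {
    const unsigned char *chain;
    size_t size;   /* bytes in chain */
    long byte;     /* byte cursor; signed on purpose to show the weak pattern */
    unsigned bit;  /* bit cursor, 0..7 */
} Chain;

/* Weak variant: the overflow check only guards the upper end of the buffer.
 * A negative cursor (e.g. produced by a bogus offset in a crafted header)
 * passes the check and reads one byte before the allocation. */
static int weak_read_rc(Chain *dat, unsigned char *out)
{
    if (dat->byte >= (long)dat->size)
        return -1;                      /* only the upper bound is checked */
    *out = dat->chain[dat->byte];       /* reads chain[-1] when byte == -1 */
    dat->byte++;
    return 0;
}

/* Hardened variant: validate the cursor when it is set and again before every
 * access, and refuse an unaligned read that would need a byte past the end. */
static int safe_seek(Chain *dat, long pos)
{
    if (pos < 0 || (size_t)pos >= dat->size)
        return -1;
    dat->byte = pos;
    dat->bit = 0;
    return 0;
}

static int safe_read_rc(Chain *dat, unsigned char *out)
{
    size_t need = (dat->bit == 0) ? 1 : 2;      /* unaligned read spans 2 bytes */
    if (dat->byte < 0 || (size_t)dat->byte + need > dat->size)
        return -1;
    if (dat->bit == 0)
        *out = dat->chain[dat->byte];
    else
        *out = (unsigned char)((dat->chain[dat->byte] << dat->bit) |
                               (dat->chain[dat->byte + 1] >> (8 - dat->bit)));
    dat->byte++;
    return 0;
}

/* Drive both readers from a cursor of -1, as a crafted file might cause. */
int weak_reader_leaks_guard_byte(void)
{
    Chain dat = { storage + 1, 4, -1, 0 };
    unsigned char v = 0;
    if (weak_read_rc(&dat, &v) != 0)
        return -1;
    return v;                           /* the byte before the buffer, 0xAA */
}

int safe_reader_rejects_negative(void)
{
    Chain dat = { storage + 1, 4, 0, 0 };
    unsigned char v = 0;
    if (safe_seek(&dat, -1) == 0)       /* must fail */
        return -2;
    dat.byte = -1;                      /* even if the cursor is forced */
    return safe_read_rc(&dat, &v);      /* refused: -1 */
}

int safe_reader_reads_in_bounds(void)
{
    Chain dat = { storage + 1, 4, 0, 0 };
    unsigned char v = 0;
    if (safe_seek(&dat, 3) != 0 || safe_read_rc(&dat, &v) != 0)
        return -1;
    if (safe_read_rc(&dat, &v) == 0)    /* cursor now 4 == size: must refuse */
        return -2;
    return v;                           /* last payload byte, 0x04 */
}

int main(void)
{
    printf("weak reader at cursor -1 returned 0x%02x (the guard byte)\n",
           weak_reader_leaks_guard_byte());
    printf("safe reader at cursor -1 returned %d (refused)\n",
           safe_reader_rejects_negative());
    printf("safe reader at cursor 3 returned 0x%02x\n",
           safe_reader_reads_in_bounds());
    return 0;
}
```

Build with `cc -g -O0 -fsanitize=address example.c` to mirror the issue's flags. The weak reader here returns the guard byte quietly because the example deliberately places a real byte before the buffer; point it at a bare calloc'ed region instead and ASan reports the same "1 bytes to the left of ... region" heap-buffer-overflow as the trace above. The check that matters in the hardened reader is the lower bound and the unsigned comparison on the cursor, which is exactly what the weak variant lacks.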
POC
poc_hbo01.bin
Impact
The sanitizer trace shows a one-byte out-of-bounds read (READ of size 1, one byte before the start of the 652-byte heap region holding the file contents). A crafted DWG file therefore crashes dwg2dxf and any application that links libredwg to parse untrusted input (denial of service), and bytes read from outside the allocation can surface in the decoded output, disclosing adjacent heap contents. The trace shows no write, so memory modification, bypass of protection mechanisms and code execution are not demonstrated by this report and should be treated as unverified until a write primitive is shown.