Describe the bug
Several “use-of-uninitialized-memory” bugs have been found after testing one of the harnesses provided on the OSS-Fuzz repository (llvmfuzz).
During our tests, we found:
conditional jump or move depends on uninitialised value in function dwg_add_u8_input()
conditional jump or move depends on uninitialised value in function add_dictionary_itemhandles()
conditional jump or move depends on uninitialised value in function dwg_version_hdr_type2()
To Reproduce
Due to size constraints of this report, the archive we used to perform our tests is available at this link, and it contains:
the executable on which we performed our tests
a directory bugs containing the several inputs that triggered the aforementioned bugs and their respective Valgrind log, enumerated as the list above
To reproduce the errors, a memory safety tool is required to expose the bug.
Run the given binary with the testcase files inside Valgrind with a command like valgrind ./llvmfuzz /path_to_testcases/input
The program has been tested on the OSS-Fuzz Docker image for this project using Ubuntu 20.04. During the compilation, we built using the flag --sanitizer=none.
The commit hash used to perform the tests is 27118c4.
Environment
OS: Linux
Version/Distribution: Ubuntu 20.04
Architecture: x86_64
We are aware that reporting many bugs at once may be inconvenient, and we remain available to assist you in the bug fixing process.
While our knowledge of the codebase is very limited, we would be happy to provide any helpful information related to our experience with testing for memory-safety errors and to re-test the project as you work on the updates. In general, we’re happy to answer any questions on fuzz testing, sanitizers, and related matters that may help you make the project more secure.
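The triage step the report describes (run each input under Valgrind, look for the uninitialised-value report, note the function in the top stack frame), as an added shell example that is not part of the report or of the project. It assumes the report's layout: a binary ./llvmfuzz that takes a testcase path as its argument and a directory of testcases. The Valgrind output embedded below is constructed for illustration; the function names in it are taken from the report, while the PID, addresses, file names and line numbers are invented. The frame parser assumes frames carry file:line debug information, as they do when the binary is built with -g.

```shell
#!/bin/sh
# Added example (not from the report or the project): triage Valgrind memcheck
# output for uninitialised-value errors and name the function in the top frame.

# Constructed sample of memcheck output. Function names follow the report;
# the PID, addresses, file names and line numbers are invented.
SAMPLE_LOG='==4242== Memcheck, a memory error detector
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x4A1F3C: dwg_add_u8_input (decode.c:100)
==4242==    by 0x4A2000: dwg_decode (decode.c:200)
==4242==    by 0x401234: LLVMFuzzerTestOneInput (llvmfuzz.c:42)
==4242==
==4242== Invalid read of size 1
==4242==    at 0x4B0000: unrelated_fn (other.c:10)
==4242==
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x4A3000: add_dictionary_itemhandles (dwg.c:300)
==4242==    by 0x4A2000: dwg_decode (decode.c:200)
==4242==
==4242== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)'

# Read memcheck output on stdin; print "uninit <function> <file:line>" once per
# distinct top frame of a "Conditional jump ..." or "Use of uninitialised value"
# error. Other memcheck errors (invalid reads, leaks) are ignored on purpose.
uninit_summary() {
    awk '
        /(Conditional jump or move depends on|Use of) uninitialised value/ { want = 1; next }
        want && /^==[0-9]+==[ \t]+at 0x[0-9A-Fa-f]+: / {
            # Frame line: ==PID==    at 0xADDR: function (file.c:line)
            func = $4; loc = $5
            gsub(/[()]/, "", loc)
            key = func " " loc
            if (!(key in seen)) { seen[key] = 1; print "uninit " key }
            want = 0
        }
        want { want = 0 }   # error line not followed by a frame line: give up on it
    '
}

# Run every file in a testcase directory under Valgrind, keep one log per input
# and print the triage lines prefixed with the input name.
# Arguments: binary, testcase directory, optional log directory.
run_testcases() {
    bin="$1"; dir="$2"; out="${3:-valgrind-logs}"
    mkdir -p "$out"
    for tc in "$dir"/*; do
        [ -f "$tc" ] || continue
        log="$out/$(basename "$tc").log"
        # --error-exitcode lets a caller tell a clean run from one with memcheck
        # errors; --track-origins records where the uninitialised bytes came from.
        valgrind --error-exitcode=99 --track-origins=yes --log-file="$log" \
            "$bin" "$tc" >/dev/null 2>&1 || true
        uninit_summary < "$log" | sed "s|^|$(basename "$tc"): |"
    done
}

# Usage mirroring the report: run_testcases ./llvmfuzz /path_to_testcases
# Stand-alone demo on the constructed log:
printf '%s\n' "$SAMPLE_LOG" | uninit_summary
```

Keying on the top frame deduplicates the many inputs that reach the same read through different paths, so a directory of fuzzer findings collapses to the short list of functions in the report; --track-origins=yes is worth the slowdown here because the origin block in the log usually points at the uninitialised allocation the fix has to initialise.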