Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer dereference in DWGFileR2000::ReadHeader #48

Open
hac425xxx opened this issue Oct 22, 2019 · 0 comments
Open

Null pointer dereference in DWGFileR2000::ReadHeader #48

hac425xxx opened this issue Oct 22, 2019 · 0 comments

Comments

@hac425xxx
Copy link

crash context in gdb

pwndbg> r
Starting program: /home/xxx/workplace/asan/libopencad/build/apps/cadinfo null-ptr-opencad.dwg

Program received signal SIGSEGV, Segmentation fault.
0x000000000049f31c in DWGFileR2000::ReadHeader (this=0x6f6a90, eOptions=CADFile::READ_ALL) at /home/xxx/workplace/asan/libopencad/lib/dwg/r2000.cpp:71
71      pFileIO->Seek( sectionLocatorRecords[0].dSeeker, CADFileIO::SeekOrigin::BEG );
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x478102 ◂— push   rbp
 RCX  0x0
 RDX  0x0
 RDI  0x6f6b68 ◂— 0x0
 RSI  0x0
 R8   0x7fffffffd9df ◂— 0x7fffffffda0000
 R9   0x9
 R10  0x7ffff75b1fe0 (_IO_strn_jumps) ◂— 0x0
 R11  0x1
 R12  0x4737a0 (_start) ◂— xor    ebp, ebp
 R13  0x7fffffffe100 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffdc90 —▸ 0x7fffffffdcc0 —▸ 0x7fffffffdd00 —▸ 0x7fffffffdd30 —▸ 0x7fffffffe020 ◂— ...
 RSP  0x7fffffffcc20 ◂— 0x0
 RIP  0x49f31c (DWGFileR2000::ReadHeader(CADFile::OpenOptions)+98) ◂— mov    eax, dword ptr [rax + 4]
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
 ► 0x49f31c <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+98>     mov    eax, dword ptr [rax + 4]
   0x49f31f <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+101>    movsxd rcx, eax
   0x49f322 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+104>    mov    rax, qword ptr [rbp - 0x1058]
   0x49f329 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+111>    mov    rax, qword ptr [rax + 8]
   0x49f32d <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+115>    mov    edx, 0
   0x49f332 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+120>    mov    rsi, rcx
   0x49f335 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+123>    mov    rdi, rax
   0x49f338 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+126>    call   rbx
 
   0x49f33a <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+128>    mov    rax, qword ptr [rbp - 0x1058]
   0x49f341 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+135>    mov    rax, qword ptr [rax + 8]
   0x49f345 <DWGFileR2000::ReadHeader(CADFile::OpenOptions)+139>    mov    rax, qword ptr [rax]
─────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────
In file: /home/xxx/workplace/asan/libopencad/lib/dwg/r2000.cpp
   66 {
   67     char buffer[255];
   68     char * pabyBuf;
   69     size_t dHeaderVarsSectionLength = 0;
   70 
 ► 71     pFileIO->Seek( sectionLocatorRecords[0].dSeeker, CADFileIO::SeekOrigin::BEG );
   72     pFileIO->Read( buffer, DWGSentinelLength );
   73     if( memcmp( buffer, DWGHeaderVariablesStart, DWGSentinelLength ) )
   74     {
   75         DebugMsg( "File is corrupted (wrong pointer to HEADER_VARS section,"
   76                           "or HEADERVARS starting sentinel corrupted.)" );
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffcc20 ◂— 0x0
... ↓
03:0018│      0x7fffffffcc38 —▸ 0x6f6a90 —▸ 0x6f0d30 —▸ 0x4b5ff6 (DWGFileR2000::~DWGFileR2000()) ◂— push   rbp
04:0020│      0x7fffffffcc40 ◂— 0x0
... ↓
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► f 0           49f31c DWGFileR2000::ReadHeader(CADFile::OpenOptions)+98
   f 1           4763b0
   f 2           475ead
   f 3           47604d
   f 4           473bf9 main+610
   f 5     7ffff7212f45 __libc_start_main+245
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x4)
pwndbg>

poc

https://github.com/hac425xxx/fuzzdata/blob/master/null-ptr-opencad.dwg
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hac425xxx