
A double free in dwg.spec:7662 #256

Closed

seviezhou opened this issue Aug 1, 2020 · 1 comment
Labels: fuzzing (Intentional illegal input)

Comments

@seviezhou

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dwgbmp (latest master 4b99ed)

Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

Command line

./programs/dwgbmp ./double-free-dwg_free_MATERIAL_private-dwg.spec-7662 /tmp/a.bmp

AddressSanitizer output

=================================================================
==29185==ERROR: AddressSanitizer: attempting double-free on 0x60c00000b140 in thread T0:
    #0 0x7ff7ab4c22da in free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982da)
    #1 0x55bd65d40854 in dwg_free_MATERIAL_private /home/seviezhou/libredwg/src/dwg.spec:7662
    #2 0x55bd65dec9d4 in dwg_free_MATERIAL /home/seviezhou/libredwg/src/dwg.spec:7640
    #3 0x55bd65e6c14e in dwg_free_object /home/seviezhou/libredwg/src/free.c:862
    #4 0x55bd65e736fc in dwg_free /home/seviezhou/libredwg/src/free.c:1266
    #5 0x55bd65b897d7 in bmp_free_dwg /home/seviezhou/libredwg/programs/dwgbmp.c:95
    #6 0x55bd65b89e1b in get_bmp /home/seviezhou/libredwg/programs/dwgbmp.c:133
    #7 0x55bd65b88bca in main /home/seviezhou/libredwg/programs/dwgbmp.c:301
    #8 0x7ff7aacbcb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55bd65b893e9 in _start (/home/seviezhou/libredwg/programs/dwgbmp+0x4e23e9)

0x60c00000b140 is located 0 bytes inside of 128-byte region [0x60c00000b140,0x60c00000b1c0)
freed by thread T0 here:
    #0 0x7ff7ab4c22da in free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982da)
    #1 0x55bd657f449b in dwg_decode_MATERIAL_private /home/seviezhou/libredwg/src/dwg.spec:7665
    #2 0xb4  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7ff7ab4c27aa in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x987aa)
    #1 0x55bd657f2777 in dwg_decode_MATERIAL_private /home/seviezhou/libredwg/src/dwg.spec:7662
    #2 0xb4  (<unknown module>)

SUMMARY: AddressSanitizer: double-free ??:0 free
==29185==ABORTING

POC

double-free-dwg_free_MATERIAL_private-dwg.spec-7662.zip
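For triaging sanitizer findings like the one above, here is an added example (not part of this issue or of LibreDWG) that parses the quoted AddressSanitizer double-free report, embedded as constructed input, and pulls out the allocation site, the first free and the second free while skipping the libasan runtime frames. The section markers, regexes and the triage summary format are my own assumptions about the report layout.

```python
import re
# Constructed input: the AddressSanitizer report from this issue, abridged to the
# frames that matter, embedded so the triage runs offline.
ASAN_REPORT = """\
==29185==ERROR: AddressSanitizer: attempting double-free on 0x60c00000b140 in thread T0:
    #0 0x7ff7ab4c22da in free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982da)
    #1 0x55bd65d40854 in dwg_free_MATERIAL_private /home/seviezhou/libredwg/src/dwg.spec:7662
    #2 0x55bd65dec9d4 in dwg_free_MATERIAL /home/seviezhou/libredwg/src/dwg.spec:7640
0x60c00000b140 is located 0 bytes inside of 128-byte region [0x60c00000b140,0x60c00000b1c0)
freed by thread T0 here:
    #0 0x7ff7ab4c22da in free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982da)
    #1 0x55bd657f449b in dwg_decode_MATERIAL_private /home/seviezhou/libredwg/src/dwg.spec:7665
    #2 0xb4  (<unknown module>)
previously allocated by thread T0 here:
    #0 0x7ff7ab4c27aa in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x987aa)
    #1 0x55bd657f2777 in dwg_decode_MATERIAL_private /home/seviezhou/libredwg/src/dwg.spec:7662
SUMMARY: AddressSanitizer: double-free ??:0 free
"""

# Symbolised frame "#N 0xADDR in FUNC LOCATION"; "(<unknown module>)" frames have no "in".
FRAME = re.compile(r"^\s+#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
HEADER = re.compile(r"AddressSanitizer: attempting (\S+) on (0x[0-9a-f]+)")
SECTIONS = [("ERROR: AddressSanitizer", "second_free"),
            ("freed by thread", "first_free"),
            ("previously allocated", "allocation")]

def parse_asan_double_free(report):
    """Return kind, address, region size and, per stack, the first frame
    outside the sanitizer runtime as (function, file:line)."""
    out = {"kind": None, "address": None, "region_bytes": None}
    current = None
    for line in report.splitlines():
        if m := HEADER.search(line):
            out["kind"], out["address"] = m.group(1), m.group(2)
        if m := re.search(r"inside of (\d+)-byte region", line):
            out["region_bytes"] = int(m.group(1))
        for marker, name in SECTIONS:
            if marker in line:
                current, out[name] = name, None  # start collecting this stack
        m = FRAME.match(line)
        if current and m and out[current] is None and "libasan" not in m.group(2):
            out[current] = (m.group(1), m.group(2))
    return out

def triage_line(parsed):
    """One-line summary of the kind a fuzzing triage queue would dedupe on."""
    sf, ff, al = parsed["second_free"], parsed["first_free"], parsed["allocation"]
    return (f"{parsed['kind']} of {parsed['region_bytes']}-byte block: allocated in "
            f"{al[0]} ({al[1]}), freed in {ff[0]} ({ff[1]}), freed again in {sf[0]} ({sf[1]})")
```

On this report the summary shows the block allocated at dwg.spec:7662 in the decoder, freed at dwg.spec:7665 in the same decoder, and freed again by the matching free routine at dwg.spec:7662, which is the pattern of a field being released twice along the decode and free paths.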

@rurban rurban added the fuzzing Intentional illegal input label Aug 1, 2020
@rurban rurban self-assigned this Aug 1, 2020
rurban added a commit that referenced this issue Aug 1, 2020
the 2nd mapper transmatrix was wrong, we need a texture here.
This caused a double-free if map.source == 2.
Only found via fuzzing GH #256 by @seviezhou.
@rurban (Contributor)

rurban commented Aug 1, 2020

Excellent find!
The spec was wrong here.

@rurban rurban closed this as completed Aug 1, 2020