Open hac425xxx opened 4 years ago
crash context
pwndbg> r Starting program: /home/xxx/workplace/asan/libopencad/build/cadinfo_debug heapoverflow-2-opencad.dwg Program received signal SIGSEGV, Segmentation fault. 0x00000000004c2788 in Read2B (pabyInput=0x7035e0 "D5D\\\304\061\001Q\251DiDeD>\035*", nBitOffsetFromStart=@0x7fffffffc868: 9166815975) at /home/xxx/workplace/asan/libopencad/lib/dwg/io.cpp:58 58 memcpy( a2BBytes, p2BByte, 2 ); LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────── RAX 0x44bc863c RBX 0x478102 ◂— push rbp RCX 0x1 RDX 0x7035e0 ◂— 0x510131c45c443544 RDI 0x7035e0 ◂— 0x510131c45c443544 RSI 0x7fffffffc868 ◂— 0x2226282e7 R8 0x703280 ◂— 0xe821b93232b637a4 R9 0x0 R10 0x7fffffffc560 —▸ 0x703080 ◂— 0x91d19e49120400a0 R11 0x7ffff737c310 ◂— jle 0x7ffff737c2bc R12 0x4737a0 (_start) ◂— xor ebp, ebp R13 0x7fffffffe100 ◂— 0x2 R14 0x0 R15 0x0 RBP 0x7fffffffc820 —▸ 0x7fffffffdaa0 —▸ 0x7fffffffdc10 —▸ 0x7fffffffdc60 —▸ 0x7fffffffdc90 ◂— ... RSP 0x7fffffffc820 —▸ 0x7fffffffdaa0 —▸ 0x7fffffffdc10 —▸ 0x7fffffffdc60 —▸ 0x7fffffffdc90 ◂— ... RIP 0x4c2788 ◂— movzx eax, word ptr [rax] ─────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────── ► 0x4c2788 movzx eax, word ptr [rax] 0x4c278b mov word ptr [rbp - 0x20], ax 0x4c278f mov rax, qword ptr [rbp - 0x10] 0x4c2793 cmp rax, 7 0x4c2797 jne 0x4c27b1 ↓ 0x4c27b1 movzx eax, byte ptr [rbp - 0x20] 0x4c27b5 movzx edx, al 0x4c27b8 mov rax, qword ptr [rbp - 0x10] 0x4c27bc mov ecx, 6 0x4c27c1 sub ecx, eax 0x4c27c3 mov eax, ecx ─────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────── In file: /home/xxx/workplace/asan/libopencad/lib/dwg/io.cpp 53 size_t nByteOffset = nBitOffsetFromStart / 8; 54 size_t nBitOffsetInByte = nBitOffsetFromStart % 8; 55 56 const char * p2BByte = pabyInput + nByteOffset; 57 unsigned char a2BBytes[2]; ► 58 memcpy( a2BBytes, p2BByte, 2 ); 59 60 switch( nBitOffsetInByte ) 61 { 62 case 7: 63 result = ( a2BBytes[0] & binary(00000001) ) << 1; ─────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────── 00:0000│ rbp rsp 0x7fffffffc820 —▸ 0x7fffffffdaa0 —▸ 0x7fffffffdc10 —▸ 0x7fffffffdc60 —▸ 0x7fffffffdc90 ◂— ... 01:0008│ 0x7fffffffc828 —▸ 0x4a61dd ◂— mov byte ptr [rbp - 0x1130], al 02:0010│ 0x7fffffffc830 —▸ 0x7fffffffcacf ◂— 0xec0e332900 03:0018│ 0x7fffffffc838 ◂— 0x7f00ffffc809 04:0020│ 0x7fffffffc840 ◂— 0x1f 05:0028│ 0x7fffffffc848 —▸ 0x6f6a90 —▸ 0x6f0d30 —▸ 0x4b5ff6 (DWGFileR2000::~DWGFileR2000()) ◂— push rbp 06:0030│ 0x7fffffffc850 ◂— 0x117fffffffcaf0 07:0038│ 0x7fffffffc858 ◂— 0x354400000100 ───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────── ► f 0 4c2788 f 1 4a61dd f 2 47e63c f 3 47e1b2 f 4 476469 CADFile::ReadTables(CADFile::OpenOptions)+43 f 5 476429 f 6 475ead f 7 47604d f 8 473bf9 main+610 f 9 7ffff7212f45 __libc_start_main+245 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Program received signal SIGSEGV (fault address 0x44bc863c) pwndbg>
program crash because p2BByte is inaccessible.
p2BByte
const char * p2BByte = pabyInput + nByteOffset; unsigned char a2BBytes[2]; memcpy( a2BBytes, p2BByte, 2 );
the pabyInput is a heap buffer which contain the content of our input dwg file and nByteOffset is too large.
pabyInput
pwndbg> p/x nByteOffset $2 = 0x444c505c pwndbg>
This lead to heap buffer overflow
The poc
https://github.com/hac425xxx/fuzzdata/blob/master/heapoverflow-2-opencad.dwg
crash context
program crash because
p2BByte
is inaccessible.the
pabyInput
is a heap buffer which contain the content of our input dwg file and nByteOffset is too large.This lead to heap buffer overflow
The poc