Hello LibreDWG maintainers,

I’d like to report a security issue in LibreDWG.

Summary
- Vulnerability: heap-buffer-overflow (OOB write)
- Component/File: dwg_object_material_texture_diffusemap.c (material texture diffusemap parser)
- Impact: crash (DoS) and potential memory corruption (exploitability depends on build/allocator)
- Affected: confirmed on v0.13.3.7901 (commit: <commit_hash>) with ASAN

Reproduction
1. Build (example):
   ./configure CC=clang CFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer"
   make -j
2. Run:
   ./dwgread <poc_file>
3. Result: AddressSanitizer reports heap-buffer-overflow WRITE and aborts.

ASAN Report / Crash Details
- (paste the key ASAN lines + stack trace here)
- Crash location: / file:line

Root Cause (hypothesis)
- <briefly explain why parsing allows attacker-controlled count/recursion without sufficient bounds/remaining-bytes checks>

Proof-of-Concept
- I’m attaching the PoC file to this email. Please let me know if you prefer a different delivery method (e.g., password-protected archive).

Suggested Fix (idea)
- Validate attacker-controlled counts (e.g., num_gentextures) against a reasonable upper bound and ensure enough data remains before decoding.
- Consider limiting recursion depth / validating subclass parsing results before continuing.

Disclosure
- I’m reporting this privately and will wait for your guidance on a coordinated disclosure timeline.

Thanks,
woozhin
Contact: [email protected]
poc_crash1
Description: Binary data
heap_oob_write_material_texture_diffusemap.md
Description: Binary data
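The checks listed under "Suggested Fix" in the report above, sketched as an added example that is not LibreDWG code and not part of the original email. The record layout (one type byte plus a 4-byte little-endian child count), the limits, the sample bytes and every name except num_gentextures are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_GENTEXTURES 256u /* assumed cap, not a LibreDWG constant */
#define MAX_DEPTH 4          /* assumed nesting limit */
#define MIN_RECORD 5u        /* toy record: 1 type byte + 4-byte LE child count */

typedef struct { const uint8_t *p; size_t left; } reader; /* hypothetical cursor */

/* Constructed inputs: valid tree, truncated children, oversized count, deep chain. */
static const uint8_t SAMPLE_OK[] = {1, 2,0,0,0,  1, 0,0,0,0,  1, 0,0,0,0};
static const uint8_t SAMPLE_SHORT[] = {1, 3,0,0,0,  1, 0,0,0,0};
static const uint8_t SAMPLE_HUGE[] = {1, 0xff,0xff,0xff,0x7f};
static const uint8_t SAMPLE_DEEP[] = {1,1,0,0,0, 1,1,0,0,0, 1,1,0,0,0,
                                      1,1,0,0,0, 1,1,0,0,0, 1,0,0,0,0};

static int read_u32(reader *r, uint32_t *out) {
    if (r->left < 4) return -1; /* never read past the end of the buffer */
    *out = r->p[0] | (uint32_t)r->p[1] << 8 | (uint32_t)r->p[2] << 16
         | (uint32_t)r->p[3] << 24;
    r->p += 4; r->left -= 4;
    return 0;
}

/* Parse one record and its children; returns records parsed, or -1 if malformed. */
static long parse_texture(reader *r, int depth) {
    uint32_t num_gentextures, i;
    long total = 1, n, *child_sizes;
    if (depth > MAX_DEPTH || r->left < 1) return -1;        /* recursion limit */
    r->p++; r->left--;                                      /* skip the type byte */
    if (read_u32(r, &num_gentextures)) return -1;
    if (num_gentextures > MAX_GENTEXTURES) return -1;       /* upper bound on count */
    if (num_gentextures > r->left / MIN_RECORD) return -1;  /* enough bytes remain? */
    child_sizes = calloc((size_t)num_gentextures + 1, sizeof *child_sizes);
    if (!child_sizes) return -1;
    for (i = 0; i < num_gentextures; i++) {
        n = parse_texture(r, depth + 1);
        if (n < 0) { free(child_sizes); return -1; }        /* stop when a child fails */
        child_sizes[i] = n;                                 /* index below checked count */
        total += n;
    }
    free(child_sizes);
    return total;
}

long parse_material(const uint8_t *buf, size_t len) {
    reader r = { buf, len };
    return parse_texture(&r, 0);
}
```

The count is rejected before it sizes the allocation or drives the loop, so a truncated or hostile file fails with -1 instead of writing past the buffer.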
