Headline
CVE-2020-21676: Xfig / Tickets / #76 stack-buffer-overflow in genpstrx_text at genpstricks.c:2732
A stack-based buffer overflow in the genpstrx_text() component in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pstricks format.
- Summary
- Files
- Reviews
- Support
- Tickets
- Discussion
- Git ▾
- fig2dev
- xfig
Menu ▾ ▴
Status: closed
Owner: nobody
Labels: None
Updated: 2020-12-21
Created: 2019-12-28
Private: No
Hi,
I found a stack-buffer-overflow in genpstrx_text at genpstricks.c:2732
Please run following command to reproduce it,
ASAN LOG
==48149==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffcd1c7b00 at pc 0x00000044823a bp 0x7fffcd1b7880 sp 0x7fffcd1b7030 WRITE of size 35 at 0x7fffcd1c7b00 thread T0 #0 0x448239 in vsprintf (/home/tmp/fig2dev+0x448239) #1 0x448566 in __interceptor_sprintf (/home/tmp/fig2dev+0x448566) #2 0x81943b in genpstrx_text /home/tmp/mcj-fig2dev/fig2dev/dev/genpstricks.c:2732:5 #3 0x54b8bb in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1003:6 #4 0x54b8bb in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:480 #5 0x7fb45a113b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310 #6 0x41b3a9 in _start (/home/tmp/fig2dev+0x41b3a9)
Address 0x7fffcd1c7b00 is located in stack of thread T0 at offset 65856 in frame #0 0x817a5f in genpstrx_text /home/tmp/mcj-fig2dev/fig2dev/dev/genpstricks.c:2714
This frame has 2 object(s): [32, 65568) ‘formatted_text’ (line 2716) [65824, 65856) ‘angle’ (line 2717) <== Memory access at offset 65856 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/tmp/fig2dev+0x448239) in vsprintf Shadow bytes around the buggy address: 0x100079a30f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100079a30f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100079a30f30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 0x100079a30f40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x100079a30f50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 =>0x100079a30f60:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x100079a30f70: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 f3 f3 0x100079a30f80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x100079a30f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100079a30fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100079a30fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==48149==ABORTING
fig2dev Version 3.2.7b
1 Attachments
Discussion
Log in to post a comment.
Related news
Ubuntu Security Notice 5864-1 - Frederic Cambus discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.