CVE-2021-37529: Xfig / Tickets

A double-free vulnerability exists in fig2dev through 3.28a in the free_stream function in readpics.c. A crafted input file could cause a denial of service (context-dependent). The AddressSanitizer report below shows the 180-byte block being allocated in open_stream (readpics.c:199), freed by free_stream on open_stream's error path (readpics.c:211) after the referenced picture file could not be opened, and then freed a second time when the caller genps_line (genps.c:1674) calls free_stream on the same stream.

System info

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

Command line

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

Output

No such picture file: …/…/fig2dev/ 0 0 675 0 675 375 0 0 0 5
*** Error in `…/…/fig2dev': double free or corruption (!prev): 0x0000000000cfc030 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777f5)[0x7f7fd7b6f7f5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8038a)[0x7f7fd7b7838a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7fd7b7c58c]
…/…/fig2dev[0x4bbb2b]
…/…/fig2dev[0x47accd]
…/…/fig2dev[0x411b24]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7fd7b18840]
…/…/fig2dev[0x402c09]
======= Memory map: ========
00400000-004ec000 r-xp 00000000 08:11 27664590 …/…/fig2dev
006ec000-006ed000 r--p 000ec000 08:11 27664590 …/…/fig2dev
006ed000-00700000 rw-p 000ed000 08:11 27664590 …/…/fig2dev
00700000-0071b000 rw-p 00000000 00:00 0
00cfb000-00d1c000 rw-p 00000000 00:00 0 [heap]
7f7fd0000000-7f7fd0021000 rw-p 00000000 00:00 0
7f7fd0021000-7f7fd4000000 ---p 00000000 00:00 0
7f7fd7579000-7f7fd7590000 r-xp 00000000 08:02 12582916 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fd7590000-7f7fd778f000 ---p 00017000 08:02 12582916 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fd778f000-7f7fd7790000 r--p 00016000 08:02 12582916 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fd7790000-7f7fd7791000 rw-p 00017000 08:02 12582916 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fd7791000-7f7fd7af8000 r--p 00000000 08:02 38010883 /usr/lib/locale/locale-archive
7f7fd7af8000-7f7fd7cb8000 r-xp 00000000 08:02 12583571 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fd7cb8000-7f7fd7eb8000 ---p 001c0000 08:02 12583571 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fd7eb8000-7f7fd7ebc000 r--p 001c0000 08:02 12583571 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fd7ebc000-7f7fd7ebe000 rw-p 001c4000 08:02 12583571 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fd7ebe000-7f7fd7ec2000 rw-p 00000000 00:00 0
7f7fd7ec2000-7f7fd7fca000 r-xp 00000000 08:02 12583566 /lib/x86_64-linux-gnu/libm-2.23.so
7f7fd7fca000-7f7fd81c9000 ---p 00108000 08:02 12583566 /lib/x86_64-linux-gnu/libm-2.23.so
7f7fd81c9000-7f7fd81ca000 r--p 00107000 08:02 12583566 /lib/x86_64-linux-gnu/libm-2.23.so
7f7fd81ca000-7f7fd81cb000 rw-p 00108000 08:02 12583566 /lib/x86_64-linux-gnu/libm-2.23.so
7f7fd81cb000-7f7fd81e4000 r-xp 00000000 08:02 12583082 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7fd81e4000-7f7fd83e3000 ---p 00019000 08:02 12583082 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7fd83e3000-7f7fd83e4000 r--p 00018000 08:02 12583082 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7fd83e4000-7f7fd83e5000 rw-p 00019000 08:02 12583082 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7fd83e5000-7f7fd8409000 r-xp 00000000 08:02 12583492 /lib/x86_64-linux-gnu/libpng12.so.0.54.0
7f7fd8409000-7f7fd8608000 ---p 00024000 08:02 12583492 /lib/x86_64-linux-gnu/libpng12.so.0.54.0
7f7fd8608000-7f7fd8609000 r--p 00023000 08:02 12583492 /lib/x86_64-linux-gnu/libpng12.so.0.54.0
7f7fd8609000-7f7fd860a000 rw-p 00024000 08:02 12583492 /lib/x86_64-linux-gnu/libpng12.so.0.54.0
7f7fd860a000-7f7fd8630000 r-xp 00000000 08:02 12583562 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fd87fb000-7f7fd8800000 rw-p 00000000 00:00 0
7f7fd882e000-7f7fd882f000 rw-p 00000000 00:00 0
7f7fd882f000-7f7fd8830000 r--p 00025000 08:02 12583562 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fd8830000-7f7fd8831000 rw-p 00026000 08:02 12583562 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fd8831000-7f7fd8832000 rw-p 00000000 00:00 0
7ffc8c5c7000-7ffc8c5e8000 rw-p 00000000 00:00 0 [stack]
7ffc8c5ec000-7ffc8c5ee000 r--p 00000000 00:00 0 [vvar]
7ffc8c5ee000-7ffc8c5f0000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
[1]    32228 abort      …/…/fig2dev -L

AddressSanitizer output

No such picture file: …/…/fig2dev/ 0 0 675 0 675 375 0 0 0 5
=================================================================
==28522==ERROR: AddressSanitizer: attempting double-free on 0x610000007d40 in thread T0:
    #0 0x7f58f241532a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free_stream …/…/fig2dev/fig2dev/dev/readpics.c:62
    #2 0x4b2b32 in genps_line …/…/fig2dev/fig2dev/dev/genps.c:1674
    #3 0x412a7d in gendev_objects …/…/fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main …/…/fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #6 0x4032f8 in _start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

0x610000007d40 is located 0 bytes inside of 180-byte region [0x610000007d40,0x610000007df4)
freed by thread T0 here:
    #0 0x7f58f241532a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free_stream …/…/fig2dev/fig2dev/dev/readpics.c:62
    #2 0x51a022 in open_stream …/…/fig2dev/fig2dev/dev/readpics.c:211
    #3 0x4b2aa8 in genps_line …/…/fig2dev/fig2dev/dev/genps.c:1672
    #4 0x412a7d in gendev_objects …/…/fig2dev/fig2dev/fig2dev.c:1008
    #5 0x411481 in main …/…/fig2dev/fig2dev/fig2dev.c:485
    #6 0x7f58f188b83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

previously allocated by thread T0 here:
    #0 0x7f58f2415662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x519f58 in open_stream …/…/fig2dev/fig2dev/dev/readpics.c:199
    #2 0x4b2aa8 in genps_line …/…/fig2dev/fig2dev/dev/genps.c:1672
    #3 0x412a7d in gendev_objects …/…/fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main …/…/fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==28522==ABORTING
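The ownership pattern the two stack traces describe, as an added illustration (this is not fig2dev's source and not the upstream fix; the struct, function bodies, file name and path below are hypothetical, chosen only to mirror the trace): a caller-owned stream whose open routine allocates a member, frees it on its own error path without clearing the pointer, and returns failure, after which the caller's unconditional cleanup frees the same block again. A small allocation tracker that quarantines freed blocks stands in for AddressSanitizer so the second free is counted rather than aborting the process, and the hardened free_stream shows one fix: make the release idempotent by nulling what it frees.

```c
/* Added illustration of the CVE-2021-37529 double-free pattern. Hypothetical
 * reconstruction, not fig2dev's code. A tiny tracker replaces ASan so the
 * second free is reported as a count instead of aborting the process. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- allocation tracker: quarantines freed blocks the way ASan does --- */
enum { MAX_TRACKED = 16 };
static struct { void *p; bool live; } slots[MAX_TRACKED];
static int n_slots;
static int double_frees;

static void *tracked_malloc(size_t n)
{
    if (n_slots == MAX_TRACKED) return NULL;
    void *p = malloc(n);
    if (p) { slots[n_slots].p = p; slots[n_slots].live = true; n_slots++; }
    return p;
}

static void tracked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < n_slots; i++) {
        if (slots[i].p != p) continue;
        if (!slots[i].live) { double_frees++; return; } /* "attempting double-free" */
        slots[i].live = false; /* quarantined: memory kept, never reused, so a
                                  second free is detected rather than corrupting */
        return;
    }
}

static void tracker_reset(void)
{
    for (int i = 0; i < n_slots; i++) free(slots[i].p);
    n_slots = 0;
    double_frees = 0;
}

/* --- the stream the caller owns; the open routine fills it in --- */
struct pic_stream {
    FILE *fp;
    char *name; /* heap copy of the picture path (the 180-byte block in the trace) */
};

/* Buggy release: frees the members but leaves s->name dangling. */
static void free_stream_buggy(struct pic_stream *s)
{
    if (s->fp) { fclose(s->fp); s->fp = NULL; }
    tracked_free(s->name);
}

/* Hardened release: idempotent, so a second call on the same stream is a no-op. */
static void free_stream_fixed(struct pic_stream *s)
{
    if (s->fp) { fclose(s->fp); s->fp = NULL; }
    tracked_free(s->name);
    s->name = NULL;
}

/* Mirrors the trace: allocate (readpics.c:199), fail to open the picture,
 * release in the error path (readpics.c:211), return failure. */
static int open_stream(struct pic_stream *s, const char *path, bool fixed)
{
    s->name = tracked_malloc(strlen(path) + 1);
    if (!s->name) return -1;
    strcpy(s->name, path);
    s->fp = fopen(path, "rb");
    if (!s->fp) {
        fprintf(stderr, "No such picture file: %s\n", path);
        if (fixed) free_stream_fixed(s); else free_stream_buggy(s); /* first free */
        return -1;
    }
    return 0;
}

/* Mirrors the caller (genps.c:1672/1674): open, then clean up unconditionally.
 * Returns how many double frees the tracker saw for this path. */
static int double_frees_for(const char *path, bool fixed)
{
    struct pic_stream s = { NULL, NULL };
    tracker_reset();
    int rc = open_stream(&s, path, fixed);
    if (rc == 0) { /* ... the picture would be read here ... */ }
    if (fixed) free_stream_fixed(&s); else free_stream_buggy(&s); /* second free */
    int n = double_frees;
    tracker_reset();
    return n;
}

int main(void)
{
    /* Constructed path; the real trace carried a garbage-filled file name. */
    const char *missing = "/nonexistent/ 0 0 675 0 675 375 0 0 0 5";
    printf("buggy free_stream: %d double free(s)\n", double_frees_for(missing, false));
    printf("fixed free_stream: %d double free(s)\n", double_frees_for(missing, true));
    return 0;
}
```

The useful check is that the bug only needs a picture reference that cannot be opened, which is exactly what the reporter's garbage file name produced, so any untrusted .fig input can trigger it. Nulling the pointer inside free_stream closes that particular path regardless of which side thinks it owns the block; the more principled fix is to settle ownership so that only one of open_stream and its caller ever releases the stream, and whether upstream did one or the other is not stated on this page.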
