Headline
CVE-2020-21532: Xfig / Tickets / #64 global-buffer-overflow in setfigfont() function
fig2dev 3.2.7b contains a global buffer overflow in the setfigfont function in genepic.c.
Status: closed
Owner: nobody
Labels: None
Updated: 2020-12-21
Created: 2019-12-12
Private: No
Hi
I found a global-buffer-overflow in the setfigfont() function at genepic.c:1239
Please run the following command to reproduce it,
Here's the log
=================================================================
==16081==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55aa8f20b5f8 at pc 0x55aa8ee6a136 bp 0x7ffd722c0050 sp 0x7ffd722c0040
READ of size 8 at 0x55aa8f20b5f8 thread T0
    #0 0x55aa8ee6a135 in setfigfont fig2dev-3.2.7b/fig2dev/dev/genepic.c:1239
    #1 0x55aa8ee6a9f5 in genepic_text fig2dev-3.2.7b/fig2dev/dev/genepic.c:1312
    #2 0x55aa8ee1ea3f in gendev_objects fig2dev-3.2.7b/fig2dev/fig2dev.c:1003
    #3 0x55aa8ee1d2bf in main fig2dev-3.2.7b/fig2dev/fig2dev.c:480
    #4 0x7f1a35038b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55aa8ee0d979 in _start (fig2dev-3.2.7b+0x6e979)

0x55aa8f20b5f8 is located 40 bytes to the right of global variable 'texfontseries' defined in 'texfonts.c:36:13' (0x55aa8f20b5a0) of size 48
0x55aa8f20b5f8 is located 8 bytes to the left of global variable 'texfontshape' defined in 'texfonts.c:45:13' (0x55aa8f20b600) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow fig2dev-3.2.7b/fig2dev/dev/genepic.c:1239 in setfigfont
Shadow bytes around the buggy address:
  0x0ab5d1e39660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e396a0: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
=>0x0ab5d1e396b0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9[f9]
  0x0ab5d1e396c0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab5d1e396d0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab5d1e396e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e396f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16081==ABORTING
fig2dev Version 3.2.7b
I also tested this in git Commit [3065ab] and can reproduce it.
1 Attachments
Related
Commit: [3065ab]
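Added example, not fig2dev's code and not part of the reporter's ticket: a minimal C model of the pattern the sanitizer report implies. ASan places the faulting 8-byte read 40 bytes past the end of texfontseries, a 48-byte global, i.e. 88 bytes from its start; on a 64-bit build that is element 11 of a table that holds only six 8-byte entries, which is what an unchecked table index taken from the input file looks like. The table contents, the N_FONTS bound and the function names below are assumptions chosen to match those sizes; the point is the unchecked lookup beside its bounds-checked form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical font tables (assumption): six string pointers each, so
 * 6 * 8 = 48 bytes on a 64-bit build, matching "of size 48" in the report. */
#define N_FONTS 6
static const char *texfontseries[N_FONTS] = {
    "\\mdseries", "\\bfseries", "\\mdseries", "\\bfseries", "\\mdseries", "\\bfseries"
};
static const char *texfontshape[N_FONTS] = {
    "\\upshape", "\\itshape", "\\slshape", "\\scshape", "\\upshape", "\\itshape"
};

/* Vulnerable pattern ("before"): the font number from the .fig file is used
 * directly as an index. With font == 11 the read lands 11 * 8 = 88 bytes from
 * the start of a 48-byte array, i.e. 40 bytes past its end, the offset ASan
 * reports. Only ever call this with an index already known to be valid. */
const char *series_unchecked(int font)
{
    return texfontseries[font];
}

/* Whether a font number read from a text object is a valid table index. */
int font_index_ok(int font)
{
    return font >= 0 && font < N_FONTS;
}

/* Hardened form: validate before indexing. Returns 0 and fills out with the
 * series and shape commands, or -1 (out untouched) on a bad font number so
 * the caller can reject the object instead of reading past the table. */
int setfigfont_checked(int font, char *out, size_t outsz)
{
    if (!font_index_ok(font))
        return -1;
    int n = snprintf(out, outsz, "%s%s", texfontseries[font], texfontshape[font]);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample font numbers: one valid, two hostile. */
    int fonts[] = { 1, 11, -1 };
    for (size_t i = 0; i < sizeof fonts / sizeof fonts[0]; i++) {
        if (setfigfont_checked(fonts[i], buf, sizeof buf) == 0)
            printf("font %d -> %s\n", fonts[i], buf);
        else
            printf("font %d -> rejected\n", fonts[i]);
    }
    return 0;
}
```

The check belongs where the font number is first read from the file, so every output driver gets a validated value; a driver that trusts the parsed struct, as the backtrace through genepic_text suggests this one did, has no second chance once the index is in range of a global redzone.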
Related news
Ubuntu Security Notice 5864-1 - Frederic Cambus discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.