CVE-2019-19797: Xfig / Tickets / #67 Out-of-bounds write in the read_colordef() function

read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write.


Status: closed

Owner: nobody

Labels: None

Updated: 2021-04-17

Created: 2019-12-13

Private: No

Hi,

While fuzzing fig2dev 3.2.7b with Honggfuzz, I found an out-of-bounds write in the read_colordef() function, in read.c.

Attaching a reproducer; the issue can be reproduced by running:

==1224== Memcheck, a memory error detector
==1224== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1224== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1224== Command: ./fig2dev -Lbox test03
==1224==
Invalid color definition: 0 1200 600 1200 600 600 :\Ŕâ‡ÔȋžL^ä—ö T#0 600 0 120, setting to black (#00000).
==1224== Invalid write of size 4
==1224==    at 0x123A6C: read_colordef (read.c:488)
==1224==    by 0x123A6C: read_objects (read.c:359)
==1224==    by 0x123A6C: readfp_fig (read.c:172)
==1224==    by 0x118F37: main (fig2dev.c:422)
==1224==  Address 0x607cd5a0 is not stack'd, malloc'd or (recently) free'd
==1224==
==1224==
==1224== Process terminating with default action of signal 11 (SIGSEGV)
==1224==  Access not within mapped region at address 0x607CD5A0
==1224==    at 0x123A6C: read_colordef (read.c:488)
==1224==    by 0x123A6C: read_objects (read.c:359)
==1224==    by 0x123A6C: readfp_fig (read.c:172)
==1224==    by 0x118F37: main (fig2dev.c:422)
==1224==  If you believe this happened as a result of a stack
==1224==  overflow in your program's main thread (unlikely but
==1224==  possible), you can try to increase the size of the
==1224==  main thread stack using the --main-stacksize= flag.
==1224==  The main thread stack size used in this run was 8388608.
==1224==
==1224== HEAP SUMMARY:
==1224==     in use at exit: 488 bytes in 1 blocks
==1224==   total heap usage: 19 allocs, 18 frees, 8,632 bytes allocated
==1224==
==1224== LEAK SUMMARY:
==1224==    definitely lost: 0 bytes in 0 blocks
==1224==    indirectly lost: 0 bytes in 0 blocks
==1224==      possibly lost: 0 bytes in 0 blocks
==1224==    still reachable: 488 bytes in 1 blocks
==1224==         suppressed: 0 bytes in 0 blocks
==1224== Rerun with --leak-check=full to see details of leaked memory
==1224==
==1224== For lists of detected and suppressed errors, rerun with: -s
==1224== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

1 Attachments
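The Valgrind trace suggests the shape of the bug: the colour-definition line is reported as invalid ("setting to black"), yet a colour number parsed from that same line still ends up as an index for a 4-byte store in read_colordef(), and the store lands outside any mapped region. The following is an added illustrative model in C of that parsing path, written for this page; it is not fig2dev's source and reproduces none of its line numbers or variable names. The user-colour table size (512 slots for FIG colour numbers 32..543), the sscanf format string, and the function names are assumptions. The unchecked variant returns the index it would have written through instead of performing the write, so the model stays within defined behaviour; the checked variant requires both a complete parse and an in-range colour number before it touches the table. The sample lines in main() are constructed, not the attached reproducer.

```c
/* Added illustrative model of a FIG colour-definition parser; not fig2dev's
 * own code. The table size and format string below are assumptions. */
#include <stdio.h>
#include <string.h>

#define NUM_STD_COLS 32      /* assumed: FIG colour numbers 0..31 are predefined */
#define MAX_USR_COLS 512     /* assumed: user colours are numbers 32..543 */

typedef struct { unsigned char r, g, b; } rgb_t;

/* The user colour table a colour-definition line is stored into. */
static rgb_t user_colors[MAX_USR_COLS];

/* Parse a colour pseudo-object line of the form "0 <num> #rrggbb".
 * Returns the number of fields sscanf matched; a malformed line yields
 * black, mirroring the "setting to black" message in the report.
 * The colour number is handed back even when the line is malformed,
 * which is exactly what makes the unchecked caller below dangerous. */
static int parse_colordef(const char *line, int *num, rgb_t *rgb)
{
    int c = -1;
    unsigned int r = 0, g = 0, b = 0;
    int n = sscanf(line, "0 %d #%2x%2x%2x", &c, &r, &g, &b);
    if (n != 4)
        r = g = b = 0;               /* invalid definition -> black */
    *num = c;
    rgb->r = (unsigned char)r;
    rgb->g = (unsigned char)g;
    rgb->b = (unsigned char)b;
    return n;
}

/* Vulnerable shape: the file-supplied colour number becomes a table index
 * with no range check and is used even after the line was reported invalid.
 * This model returns the index instead of writing through it, so it stays
 * defined behaviour; in the real program the store at read.c:488 faulted. */
int colordef_index_unchecked(const char *line)
{
    int c;
    rgb_t rgb;
    parse_colordef(line, &c, &rgb);
    return c - NUM_STD_COLS;         /* may be negative or >= MAX_USR_COLS */
}

/* Hardened shape: require a complete parse AND an in-range colour number
 * before touching the table. Returns the slot written, or -1 if rejected. */
int colordef_store_checked(const char *line)
{
    int c;
    rgb_t rgb;
    if (parse_colordef(line, &c, &rgb) != 4)
        return -1;
    if (c < NUM_STD_COLS || c >= NUM_STD_COLS + MAX_USR_COLS)
        return -1;
    user_colors[c - NUM_STD_COLS] = rgb;
    return c - NUM_STD_COLS;
}

/* Read back a stored user colour; returns 1 on success, 0 if slot invalid. */
int user_color_get(int slot, rgb_t *out)
{
    if (slot < 0 || slot >= MAX_USR_COLS)
        return 0;
    *out = user_colors[slot];
    return 1;
}

int main(void)
{
    /* Constructed inputs: one valid line and two malformed ones. */
    const char *lines[] = {
        "0 32 #ff8000",                 /* valid: user colour 32 */
        "0 1200 600 1200 600 600 junk", /* no hex part, number far out of range */
        "0 -5 #000000",                 /* well-formed hex, number below range */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int raw = colordef_index_unchecked(lines[i]);
        int slot = colordef_store_checked(lines[i]);
        printf("%-30s unchecked index=%6d (table has %d slots)  checked=%s\n",
               lines[i], raw, MAX_USR_COLS,
               slot < 0 ? "rejected" : "stored");
    }
    return 0;
}
```

The important design point is that validation of the parse result and validation of the index are two separate checks: a line can parse completely ("0 -5 #000000") and still carry an index that is out of range, and a line can fail to parse and still leave a stale or attacker-chosen number behind. Both have to be rejected before the table is written.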

