CVE-2020-21531: Xfig / Tickets / #63 global-buffer-overflow in conv_pattern_index() function

fig2dev 3.2.7b contains a global buffer overflow in the conv_pattern_index function in gencgm.c.


Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-12

Private: No

Hi
I found a global-buffer-overflow in conv_pattern_index() at gencgm.c:533
Please run the following command to reproduce it:

Here's the log:

An open polygon at line 31 - close it.
=================================================================
==27666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d8bbafa358 at pc 0x55d8bb7759da bp 0x7ffd22f17220 sp 0x7ffd22f17210
READ of size 4 at 0x55d8bbafa358 thread T0
    #0 0x55d8bb7759d9 in conv_pattern_index fig2dev-3.2.7b/fig2dev/dev/gencgm.c:533
    #1 0x55d8bb775a20 in hatchindex fig2dev-3.2.7b/fig2dev/dev/gencgm.c:543
    #2 0x55d8bb776d1d in shape fig2dev-3.2.7b/fig2dev/dev/gencgm.c:638
    #3 0x55d8bb77cbc4 in gencgm_line fig2dev-3.2.7b/fig2dev/dev/gencgm.c:1044
    #4 0x55d8bb75aa3f in gendev_objects fig2dev-3.2.7b/fig2dev/fig2dev.c:1003
    #5 0x55d8bb7592bf in main fig2dev-3.2.7b/fig2dev/fig2dev.c:480
    #6 0x7fe59b3a7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x55d8bb749979 in _start (fig2dev-3.2.7b+0x6e979)

0x55d8bbafa358 is located 0 bytes to the right of global variable 'map_pattern' defined in 'gencgm.c:138:5' (0x55d8bbafa300) of size 88
0x55d8bbafa358 is located 40 bytes to the left of global variable 'oldfillcolor' defined in 'gencgm.c:490:12' (0x55d8bbafa380) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow fig2dev-3.2.7b/fig2dev/dev/gencgm.c:533 in conv_pattern_index
Shadow bytes around the buggy address:
  0x0abb97757410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757450: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
=>0x0abb97757460: 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9
  0x0abb97757470: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb97757480: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb97757490: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb977574a0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb977574b0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27666==ABORTING

fig2dev Version 3.2.7b
I also tested this in git Commit [3065ab] and can reproduce it.

1 Attachments

Related

Commit: [3065ab]
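As an added triage helper (not part of the ticket or of the fig2dev project), the following parses an ASan report like the one above and recovers the faulting access, the innermost frame, the overrun global and the implied out-of-range index. The sample report is constructed from the lines quoted in the ticket, and the element-index inference assumes the table's element size equals the 4-byte access width.

```python
import re

# Constructed sample: the ASan lines from the ticket above, re-broken one per line.
SAMPLE_REPORT = """\
==27666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d8bbafa358 at pc 0x55d8bb7759da bp 0x7ffd22f17220 sp 0x7ffd22f17210
READ of size 4 at 0x55d8bbafa358 thread T0
    #0 0x55d8bb7759d9 in conv_pattern_index fig2dev-3.2.7b/fig2dev/dev/gencgm.c:533
    #1 0x55d8bb775a20 in hatchindex fig2dev-3.2.7b/fig2dev/dev/gencgm.c:543
    #2 0x55d8bb776d1d in shape fig2dev-3.2.7b/fig2dev/dev/gencgm.c:638
0x55d8bbafa358 is located 0 bytes to the right of global variable 'map_pattern' defined in 'gencgm.c:138:5' (0x55d8bbafa300) of size 88
0x55d8bbafa358 is located 40 bytes to the left of global variable 'oldfillcolor' defined in 'gencgm.c:490:12' (0x55d8bbafa380) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow fig2dev-3.2.7b/fig2dev/dev/gencgm.c:533 in conv_pattern_index
"""

BUG_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
# Only the "to the right of" line names the object that was actually overrun;
# straight and curly quotes are both accepted for copy-pasted reports.
GLOBAL_RE = re.compile(
    r"located (\d+) bytes to the right of global variable [‘']([\w$.]+)[’'] "
    r"defined in [‘']([^’']+)[’'] \(0x([0-9a-f]+)\) of size (\d+)")

def triage_asan(report):
    """Summarise an ASan global-buffer-overflow report as a dict, or None if
    the expected lines are missing."""
    bug, access, glob = BUG_RE.search(report), ACCESS_RE.search(report), GLOBAL_RE.search(report)
    frames = FRAME_RE.findall(report)
    if not (bug and access and glob and frames):
        return None
    width = int(access.group(2))
    fault_addr = int(access.group(3), 16)
    base, size = int(glob.group(4), 16), int(glob.group(5))
    offset = fault_addr - base          # bytes past the start of the global
    return {
        "bug": bug.group(1),
        "access": access.group(1),
        "width": width,
        "function": frames[0][0],       # innermost frame, where the read happened
        "location": frames[0][1],
        "global": glob.group(2),
        "global_size": size,
        "offset": offset,
        # Assumes element size == access width (4 bytes here): the index that was
        # used versus the number of valid elements, i.e. 22 against 0..21.
        "element_index": offset // width,
        "element_count": size // width,
    }
```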


Related news

Ubuntu Security Notice USN-5864-1

Ubuntu Security Notice 5864-1 - Frederic Cambus discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
