Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-21678: Xfig / Tickets / #71 global-buffer-overflow in genmp_writefontmacro_latex at genmp.c:1274

A global buffer overflow in the genmp_writefontmacro_latex component in genmp.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into mp format.

CVE
Open in Source
#mac#dos#git#buffer_overflow
  • Summary
  • Files
  • Reviews
  • Support
  • Tickets
  • Discussion
  • Git ▾
    • fig2dev
    • xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,
I found a global-buffer-overflow in genmp_writefontmacro_latex at genmp.c:1274
Please run following command to reproduce it,

Here’s log

==17197==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000c7ffd8 at pc 0x00000070bc35 bp 0x7ffcf7797cd0 sp 0x7ffcf7797cc8 READ of size 8 at 0x000000c7ffd8 thread T0 #0 0x70bc34 in genmp_writefontmacro_latex /home/tmp/mcj-fig2dev/fig2dev/dev/genmp.c:1274:3 #1 0x70bc34 in genmp_text /home/tmp/mcj-fig2dev/fig2dev/dev/genmp.c:1074 #2 0x54b8bb in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1003:6 #3 0x54b8bb in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:480 #4 0x7fab84f5db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310 #5 0x41b3a9 in _start (/home/tmp/fig2dev+0x41b3a9)

0x000000c7ffd8 is located 8 bytes to the left of global variable ‘texfontfamily’ defined in ‘texfonts.c:27:13’ (0xc7ffe0) of size 48 SUMMARY: AddressSanitizer: global-buffer-overflow /home/tmp/mcj-fig2dev/fig2dev/dev/genmp.c:1274:3 in genmp_writefontmacro_latex Shadow bytes around the buggy address: 0x000080187fa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080187fb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080187fc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080187fd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080187fe0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 =>0x000080187ff0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]00 00 00 00 0x000080188000: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 0x000080188010: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 0x000080188020: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 0x000080188030: 00 04 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080188040: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==17197==ABORTING

fig2dev Version 3.2.7b
I also tested this in git Commit [3065ab] and can reproduce it.

1 Attachments

Related

Commit: [3065ab]

Discussion

Log in to post a comment.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE