Headline
CVE-2020-21682: Xfig / Tickets / #72 global-buffer-overflow in set_fill at genge.c:446
A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format.
- Summary
- Files
- Reviews
- Support
- Tickets
- Discussion
- Git ▾
- fig2dev
- xfig
Menu ▾ ▴
Status: closed
Owner: nobody
Labels: None
Updated: 2020-12-21
Created: 2019-12-28
Private: No
Hi,
I found a global-buffer-overflow in set_fill at genge.c:446
Please run following command to reproduce it,
ASAN LOG
Invalid color number -16 at line 33, using default color. ================================================================= ==3081==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000009b325c at pc 0x0000006953f0 bp 0x7ffd7c3cad60 sp 0x7ffd7c3cad58 READ of size 4 at 0x0000009b325c thread T0 #0 0x6953ef in set_fill /home/tmp/mcj-fig2dev/fig2dev/dev/genge.c:446:27 #1 0x6953ef in genge_line /home/tmp/mcj-fig2dev/fig2dev/dev/genge.c:143 #2 0x54b8bb in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1003:6 #3 0x54b8bb in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:480 #4 0x7fbb4e7bcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310 #5 0x41b3a9 in _start (/home/tmp/fig2dev+0x41b3a9)
0x0000009b325c is located 4 bytes to the left of global variable ‘GE_COLORS’ defined in ‘genge.c:55:12’ (0x9b3260) of size 128 0x0000009b325c is located 53 bytes to the right of global variable ‘<string literal>’ defined in ‘genge.c:437:14’ (0x9b3220) of size 7 ‘<string literal>’ is ascii string 'c%02d ' SUMMARY: AddressSanitizer: global-buffer-overflow /home/tmp/mcj-fig2dev/fig2dev/dev/genge.c:446:27 in set_fill Shadow bytes around the buggy address: 0x00008012e5f0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 f9 f9 0x00008012e600: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 03 0x00008012e610: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 0x00008012e620: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 06 f9 f9 0x00008012e630: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 03 f9 f9 =>0x00008012e640: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9[f9]00 00 00 00 0x00008012e650: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 0x00008012e660: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x00008012e670: 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x00008012e680: 07 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 0x00008012e690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3081==ABORTING
fig2dev Version 3.2.7b
I also tested this in git Commit [3065ab] and can reproduce it.
1 Attachments
Related
Commit: [3065ab]
Discussion
Log in to post a comment.