CVE-2019-19746: Xfig / Tickets / #57 Segmentation fault in make_arrow() function
make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type.
Status: closed
Owner: nobody
Labels: None
Updated: 2019-12-11
Created: 2019-12-06
Private: No
Hi,
I found a segmentation fault in make_arrow at arrow.c:89.
Please run the following command to reproduce it:
Here's the log:
ASAN:DEADLYSIGNAL
=================================================================
==9865==ERROR: AddressSanitizer: SEGV on unknown address 0x562ace7fe851 (pc 0x562b31599ec0 bp 0x7fff6b64fd10 sp 0x7fff6b64fce0 T0)
==9865==The signal is caused by a WRITE memory access.
    #0 0x562b31599ebf in make_arrow fig2dev-3.2.7b/fig2dev/arrow.c:89
    #1 0x562b315b4125 in read_arcobject fig2dev-3.2.7b/fig2dev/read.c:594
    #2 0x562b315b242c in read_objects fig2dev-3.2.7b/fig2dev/read.c:422
    #3 0x562b315b11d3 in readfp_fig fig2dev-3.2.7b/fig2dev/read.c:172
    #4 0x562b315b10a9 in read_fig fig2dev-3.2.7b/fig2dev/read.c:142
    #5 0x562b315a8ef3 in main fig2dev-3.2.7b/fig2dev/fig2dev.c:422
    #6 0x7fa7dfbb6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x562b31599979 in _start (fig2dev+0x6e979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV fig2dev-3.2.7b/fig2dev/arrow.c:89 in make_arrow
==9865==ABORTING
fig2dev Version 3.2.7b
1 Attachment
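The CVE text above describes the bug class, an arrow type read from the input file used in an index computation without a range check, so that a large value overflows and the resulting store lands out of bounds. The following is an added example, not code from fig2dev, from arrow.c or from the ticket: a strict parse-and-bounds-check of the type and style fields of a Fig arrow line, beside the unchecked indexing pattern the description names. The shape table, its size, the constants NUM_ARROW_TYPES and NUM_ARROW_STYLES, and the function names are assumptions made for illustration; the field order of the arrow line ("type style thickness width height") follows the Fig 3.2 format.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model, not fig2dev's arrow.c: the table contents, its size
 * and the constants below are assumptions made for this example. */
#define NUM_ARROW_TYPES  4   /* assumed: arrow types 0..3 */
#define NUM_ARROW_STYLES 2   /* assumed: arrow styles 0..1 */

struct arrow_shape {
    const char *name;
    int npoints;
};

/* One slot per (type, style) pair, indexed as type * NUM_ARROW_STYLES + style. */
static struct arrow_shape arrow_shapes[NUM_ARROW_TYPES * NUM_ARROW_STYLES] = {
    {"stick/hollow", 3},    {"stick/filled", 3},
    {"closed/hollow", 4},   {"closed/filled", 4},
    {"indented/hollow", 5}, {"indented/filled", 5},
    {"pointed/hollow", 5},  {"pointed/filled", 5},
};

/* The bug class the ticket reports: a type taken straight from the file is
 * used in the index computation with no range check. A huge type makes the
 * multiplication overflow or the index run past the table, and the store
 * becomes an out-of-bounds write. Kept for contrast only; never called. */
void set_npoints_unchecked(int type, int style, int npoints)
{
    arrow_shapes[type * NUM_ARROW_STYLES + style].npoints = npoints;
}

/* Strict decimal parse of one field: digits only, no overflow, value within
 * [lo, hi]. Returns 0 and stores the value, or -1 on any violation. */
static int parse_int_field(const char *s, long lo, long hi, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                    /* overflow, no digits, or trailing junk */
    if (v < lo || v > hi)
        return -1;                    /* outside the table */
    *out = (int)v;
    return 0;
}

/* Parse the leading "type style" fields of a Fig arrow line
 * ("type style thickness width height") and return the table index,
 * or -1 if either field is missing, malformed or out of range. */
int arrow_index_from_line(const char *line)
{
    char tfield[32], sfield[32];
    int type, style;

    if (line == NULL || sscanf(line, "%31s %31s", tfield, sfield) != 2)
        return -1;
    if (parse_int_field(tfield, 0, NUM_ARROW_TYPES - 1, &type) != 0)
        return -1;
    if (parse_int_field(sfield, 0, NUM_ARROW_STYLES - 1, &style) != 0)
        return -1;
    /* Both operands are now bounded, so the product cannot overflow and
     * the result is always a valid slot in arrow_shapes[]. */
    return type * NUM_ARROW_STYLES + style;
}

/* Hardened replacement for the unchecked setter: refuses bad (type, style). */
int set_npoints_checked(const char *line, int npoints)
{
    int idx = arrow_index_from_line(line);
    if (idx < 0)
        return -1;
    arrow_shapes[idx].npoints = npoints;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed arrow line, then one whose type
     * field is INT_MAX, the kind of value the ticket's description names. */
    const char *good = "2 1 1.00 60.00 120.00";
    const char *huge = "2147483647 0 1.00 60.00 120.00";

    printf("%s -> index %d\n", good, arrow_index_from_line(good));
    printf("%s -> index %d\n", huge, arrow_index_from_line(huge));
    return 0;
}
```

The check is done on the parsed value before any arithmetic touches it, which is the point: validating the product after the fact would already be too late if the multiplication had wrapped. Rejecting trailing junk and ERANGE from strtol also keeps a fuzzer from smuggling an out-of-range digit string past a looser atoi-style conversion.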