*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found an overflow error.

issues: https://sourceforge.net/p/mcj/tickets/115/
commit: 
https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1. Get the source code of fig2dev
2. Compile fig2dev

$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" \
              CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make

3. Run fig2dev
$ ./fig2dev -L svg fig2dev_crash_arrow_path

ASan output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Creator: fig2dev Version 3.2.8a -->
<!-- CreationDate: 2021-04-17 04:51:21 -->
<!-- Magnification: 1 -->
<svg    xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    width="205pt" height="117pt"
    viewBox="-1795 -376 3416 1946">
<g fill="none">
<!-- Line -->
<rect x="-75" y="-375" width="1200" height="1875" fill="#bfbfbf"/>
<!-- Arc -->
<!-- 9 -->
<path d="M 331,272 L 61,481 A 341 341 0 0 0 300 612 z"
    stroke="#000000" stroke-width="8px" stroke-dasharray="30 9 10 9 10 9"/>
<!-- Arc -->
<!-- 11 -->
<path d="M 711,620 L 513,420 A 281 281 0 0 1 702 339 z" fill="#4c4c4c"
    stroke="#ffffff" stroke-width="8px"/>
<!-- Arc -->
<!-- 12 -->
<defs>
<path d="M 1063,300 L 793,509 A 341 341 0 0 0 1032 640 z" id="p0"/>
<pattern id="tile0" patternUnits="userSpaceOnUse"
    x="0" y="0" width="134" height="134">
<g stroke-width="7.5" stroke="#000000" fill="none">
<path d="M164,-30 a67,67 0 0,1 -134,0 a67,67 0 0,1 -67,67 a67,67 0 0,0 134,0 
a67,67 0 0,0 67,67 a67,67 0 0,1 -134,0 a67,67 0 0,1 -67,67"/>
</g>
</pattern>
</defs>
<use xlink:href="#p0" fill="#ffffff"/>
<use xlink:href="#p0" fill="url(#tile0)"
    stroke="#000000" stroke-width="8px"/>
<!-- Arc -->
<!-- 13 -->
<defs>
<clipPath id="cp0">
    <path clip-rule="evenodd" d="M -1795,-376 H 1621 V 1570 H -1795 z
        M 116,893 209,902 123,937 233,906 231,892z
        M 65,600 64,601 64,601 63,602 63,603 63,603 63,604 63,605 63,606 63,606 
64,607 64,607 65,608 65,608 66,608 67,609 67,609 68,609 69,608 70,608 80,605 
74,593z"/>
</clipPath>
</defs>
<path d="M 75,600 A 168 168 0 0 0 225 900" clip-path="url(#cp0)"
    stroke="#000000" stroke-width="8px"/>
<!-- Forward arrow to point 225,900 -->
<polyline points=" 116,893 209,902 123,937"
    stroke="#000000" stroke-width="8px" stroke-miterlimit="8"/>
<!-- Backward arrow to point 75,600 -->
<polygon points=" 70,608 70,608 71,607 71,607 71,606 72,605 72,605 72,604 72,603
 72,602 71,602 71,601 70,601 70,600 69,600 68,600 68,600 67,600 66,600 65,600
 65,600 64,601 64,601 63,602 63,603 63,603 63,604 63,605 63,606 63,606 64,607
 64,607 65,608 65,608 66,608 67,609 67,609 68,609 69,608 70,608"
    stroke="#000000" stroke-width="8px" stroke-miterlimit="8"/>
<!-- Arc -->
<!-- 14 -->
<defs>
<clipPath id="cp1">
    <path clip-rule="evenodd" d="M -1795,-376 H 1621 V 1570 H -1795 z
        M 334,682 241,673 327,638 217,669 219,683z
        M 444,969 448,963 452,957 454,950 455,943 455,936 453,929 451,922 
447,915 443,910 438,905 432,901 425,898 418,896 411,895 403,896 396,897 390,900 
383,904 378,908 368,972 378,982z"/>
</clipPath>
<path d="M 375,975 A 168 168 0 0 0 225 675" id="p1"/>
</defs>
<use xlink:href="#p1" fill="#000000"/>
<use xlink:href="#p1" clip-path="url(#cp1)"
    stroke="#ffffff" stroke-width="8px"/>
<!-- Forward arrow to point 225,675 -->
<polyline points=" 334,682 241,673 327,638"
    stroke="#ffffff" stroke-width="8px" stroke-miterlimit="8"/>
<!-- Backward arrow to point 375,975 -->
<polygon points=" 378,908 373,914 370,920 367,927 365,934 365,941 366,948 
367,955
 370,962 374,968 379,973 385,978 391,981 398,984 405,985 413,985 420,984 427,982
 433,979 439,974 444,969 448,963 452,957 454,950 455,943 455,936 453,929 451,922
 447,915 443,910 438,905 432,901 425,898 418,896 411,895 403,896 396,897 390,900
 383,904 378,908"
    stroke="#ffffff" stroke-width="8px" stroke-miterlimit="8"/>
<!-- Arc -->
<!-- 15 -->
<defs>
<clipPath id="cp2">
    <path clip-rule="evenodd" d="M -1795,-376 H 1621 V 1570 H -1795 z
        M 334,682 241,673 327,638 217,669 219,683z
        M -1707,957 -1656,1026 -1594,1086 -1524,1135 -1446,1173 -1364,1197 
-1279,1208 -1193,1205 -1109,1188 -1028,1158 -953,1115 -886,1061 -829,997 
-783,925 -749,846 -728,763 -720,677 -727,592 -747,508 -780,429 -1497,191 
-1509,197z"/>
</clipPath>
<path d="M -1500,200 A 1563 1563 0 1 0 50 -1" id="p2"/>
</defs>
<use xlink:href="#p2" fill="#4c4c4c"/>
<use xlink:href="#p2" clip-path="url(#cp2)"
    stroke="#ffffff" stroke-width="8px"/>
<!-- Forward arrow to point 50,-1 -->
=================================================================
==3290613==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f71218 at pc 0x000000589130 bp 0x7ffe395b8990 sp 0x7ffe395b8988
READ of size 4 at 0x000000f71218 thread T0
    #0 0x58912f in arrow_path /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1082:40
    #1 0x5856af in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1174:2
    #2 0x586e30 in gensvg_arc /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c
    #3 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #4 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #5 0x7f25970a30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

0x000000f71218 is located 8 bytes to the left of global variable 'fpoints' defined in 'gensvg.c:1130:18' (0xf71220) of size 400
0x000000f71218 is located 52 bytes to the right of global variable 'bnclippoints' defined in 'gensvg.c:1129:41' (0xf711e0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1082:40 in arrow_path
Shadow bytes around the buggy address:
  0x0000801e61f0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000801e6200: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000801e6210: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000801e6220: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000801e6230: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000801e6240: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e6250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e6260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e6270: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801e6280: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e6290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3290613==ABORTING

** Affects: xfig (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: security

** Attachment added: "fig2dev_crash_arrow_path"
   https://bugs.launchpad.net/bugs/1926676/+attachment/5493453/+files/fig2dev_crash_arrow_path

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926676

Title:
  global-buffer-overflow of  fig2dev of gensvg.c in function arrow_path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfig/+bug/1926676/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
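Added illustration of what the ASan report above is saying; this is not fig2dev's code and makes no claim about how gensvg.c's arrow_path is actually written. It assumes a hypothetical global int array named fpoints holding interleaved x,y pairs, a point count taken straight from the input file, and helper names (asan_left_bytes_to_index, store_points, arrow_dir_unchecked, arrow_dir_checked, NPOINTS) invented for the example. The point it shows: "8 bytes to the left of global variable 'fpoints'" with a READ of size 4 is a read of element -2 of an int array, the kind of negative index that a point count of 1 produces when code reaches for "the previous point" without first checking that one exists. The hardened form validates the count before indexing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the 400-byte global 'fpoints' in the report:
 * 100 ints holding x,y pairs (point i is fpoints[2*i], fpoints[2*i+1]).
 * The layout is an assumption for illustration, not fig2dev's. */
#define NPOINTS 100
static int fpoints[NPOINTS];

/* Translate ASan's "N bytes to the left of global variable" into the element
 * index that was dereferenced, for an array of elem_size-byte elements.
 * 8 bytes to the left of an int array is element -2. */
long asan_left_bytes_to_index(long bytes_left, size_t elem_size)
{
    return -(bytes_left / (long)elem_size);
}

/* Store npairs constructed (x,y) points; refuse anything that would not fit.
 * Returns the number of points stored (0 on refusal). */
int store_points(const int *xy, int npairs)
{
    if (npairs < 0 || 2 * npairs > NPOINTS)
        return 0;
    for (int i = 0; i < 2 * npairs; i++)
        fpoints[i] = xy[i];
    return npairs;
}

/* Vulnerable shape: the arrow-head direction is taken from the last two
 * points, and npts comes straight from the untrusted input file. With
 * npts == 1 the "previous point" is fpoints[-2], i.e. 8 bytes before the
 * array: a READ of size 4 in the red zone, which is what ASan flags as
 * global-buffer-overflow. Undefined behaviour; never called from main(). */
void arrow_dir_unchecked(int npts, int *dx, int *dy)
{
    int i1 = 2 * (npts - 1), i0 = 2 * (npts - 2);
    *dx = fpoints[i1] - fpoints[i0];
    *dy = fpoints[i1 + 1] - fpoints[i0 + 1];
}

/* Hardened form: an arrow needs two points, and both must lie inside the
 * array. Report failure to the caller instead of indexing. */
bool arrow_dir_checked(int npts, int *dx, int *dy)
{
    if (npts < 2 || 2 * npts > NPOINTS)
        return false;
    int i1 = 2 * (npts - 1), i0 = 2 * (npts - 2);
    *dx = fpoints[i1] - fpoints[i0];
    *dy = fpoints[i1 + 1] - fpoints[i0 + 1];
    return true;
}

int main(void)
{
    /* Constructed input: three points; the arrow head sits on the last one. */
    static const int xy[] = { 10, 20,  40, 60,  70, 110 };
    int dx, dy;

    printf("report reads element %ld of fpoints\n",
           asan_left_bytes_to_index(8, sizeof(int)));

    store_points(xy, 3);
    if (arrow_dir_checked(3, &dx, &dy))
        printf("3 points: direction (%d, %d)\n", dx, dy);
    if (!arrow_dir_checked(1, &dx, &dy))
        puts("1 point: rejected instead of reading fpoints[-2]");
    return 0;
}
```

Build it with the same `-fsanitize=address` flags the reporter used and call arrow_dir_unchecked(1, ...) once to see a report of the same shape (global-buffer-overflow, 8 bytes to the left of fpoints); the checked variant returns false for the same input and never touches memory outside the array.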
