*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found an overflow error.

issue: https://sourceforge.net/p/mcj/tickets/113/
commit: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1. Get the source code of fig2dev
2. Compile fig2dev

$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make

3. Run fig2dev
$ ./fig2dev -L svg overflow_fig2dev_crash

ASan output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Creator: fig2dev Version 3.2.8a -->
<!-- CreationDate: 2021-04-17 04:37:54 -->
<!-- Magnification: 1 -->
<svg    xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    width="900pt" height="3600pt"
    viewBox="163 0 25 100">
<g fill="none">
<!-- Text -->
=================================================================
==3221214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000072 at pc 0x0000005888ef bp 0x7ffcc0226110 sp 0x7ffcc0226108
READ of size 1 at 0x602000000072 thread T0
    #0 0x5888ee in gensvg_text /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42
    #1 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #2 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #3 0x7f03fc8940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

0x602000000072 is located 0 bytes to the right of 2-byte region [0x602000000070,0x602000000072)
allocated by thread T0 here:
    #0 0x494fd2 in calloc (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x494fd2)
    #1 0x4d5951 in read_textobject /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:505:24
    #2 0x4d2b8b in read_1_3_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:126:16
    #3 0x4d666f in readfp_fig /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read.c:154:12
    #4 0x4d6312 in read_fig /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read.c:124:10
    #5 0x4d04cb in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:424:12
    #6 0x7f03fc8940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42 in gensvg_text
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa[02]fa
  0x0c047fff8010: fa fa 00 07 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3221214==ABORTING
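The report above pins the read to one byte past a 2-byte calloc'd region: a text string of one character plus its NUL terminator, allocated by the FIG reader and walked by the SVG text writer. The following is an added example, not fig2dev's gensvg_text or read_textobject code: a hypothetical SVG text writer that produces a read of exactly that shape (a backslash escape that advances past the terminator when the backslash is the last character) beside a length-bounded version that cannot step outside the allocation. The escape convention, the function names and the sample strings are assumptions made for the illustration; the point is the bounds discipline, which ASan would flag in the unsafe variant with the same "0 bytes to the right of N-byte region" message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed text object: a NUL-terminated string in a heap block of exactly
 * strlen(src) + 1 bytes, the same shape as the 2-byte calloc region in the
 * ASan report (a one-character string plus its terminator). */
char *make_text(const char *src)
{
    size_t n = strlen(src);
    char *s = calloc(n + 1, 1);
    if (s == NULL)
        abort();
    memcpy(s, src, n);
    return s;
}

/* Append str to out (capacity cap, current length len). Always returns the
 * length the output would have had, so callers can detect truncation. */
static size_t append(char *out, size_t cap, size_t len, const char *str)
{
    for (; *str != '\0'; str++, len++)
        if (len + 1 < cap)
            out[len] = *str;
    return len;
}

static size_t append_char(char *out, size_t cap, size_t len, char c)
{
    char tmp[2] = { c, '\0' };
    return append(out, cap, len, tmp);
}

/* Entity for an XML special character, or NULL if none is needed. */
static const char *entity(char c)
{
    switch (c) {
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '&': return "&amp;";
    default:  return NULL;
    }
}

/* Hypothetical writer (an assumption, not fig2dev's code): copies text into an
 * SVG <text> body, XML-escaping specials and treating a backslash as "the next
 * character is ordinary text". It advances by two on a backslash without
 * checking that a next character exists, so on text ending in '\' it steps
 * over the terminator and the loop condition reads one byte past the block. */
size_t svg_text_unsafe(const char *s, char *out, size_t cap)
{
    size_t len = 0, i = 0;
    while (s[i] != '\0') {
        char c = s[i];
        if (c == '\\') {
            c = s[i + 1];   /* may already be the NUL terminator ... */
            i += 2;         /* ... and this skips past it */
        } else {
            i++;
        }
        const char *e = entity(c);
        len = e ? append(out, cap, len, e) : append_char(out, cap, len, c);
    }
    if (cap > 0)
        out[len < cap ? len : cap - 1] = '\0';
    return len;
}

/* Hardened form: the length is measured once and every index is checked
 * against it; a trailing backslash is emitted as itself instead of consuming
 * the terminator. */
size_t svg_text_safe(const char *s, char *out, size_t cap)
{
    size_t n = strlen(s);
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (c == '\\' && i + 1 < n)
            c = s[++i];     /* escaped: next character is ordinary text */
        const char *e = entity(c);
        len = e ? append(out, cap, len, e) : append_char(out, cap, len, c);
    }
    if (cap > 0)
        out[len < cap ? len : cap - 1] = '\0';
    return len;
}

/* Run the hardened writer on a fresh heap copy of in; 1 if output equals want. */
int escapes_to(const char *in, const char *want)
{
    char *text = make_text(in);
    char out[64];
    size_t len = svg_text_safe(text, out, sizeof out);
    int ok = len == strlen(want) && strcmp(out, want) == 0;
    free(text);
    return ok;
}

/* On input that does not end in a backslash both writers agree; only the
 * hardened one may be called on input that does. */
int writers_agree(const char *in)
{
    char *text = make_text(in);
    char a[64], b[64];
    size_t la = svg_text_unsafe(text, a, sizeof a);
    size_t lb = svg_text_safe(text, b, sizeof b);
    free(text);
    return la == lb && strcmp(a, b) == 0;
}

int main(void)
{
    char out[64];
    char *text = make_text("\\");   /* one char + NUL: the 2-byte case */
    size_t len = svg_text_safe(text, out, sizeof out);
    printf("%zu: %s\n", len, out);
    free(text);
    return 0;
}
```

Building this with `-fsanitize=address` and calling svg_text_unsafe on the one-character string "\\" reproduces the report's shape (READ of size 1, 0 bytes to the right of a 2-byte region allocated by calloc); the same run against svg_text_safe is clean, because no index ever exceeds the measured length.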

** Affects: xfig (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: security

** Attachment added: "overflow_fig2dev_crash"
   https://bugs.launchpad.net/bugs/1926674/+attachment/5493452/+files/overflow_fig2dev_crash

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1926674

Title:
  heap-buffer-overflow of fig2dev of gensvg.c in function gensvg_text


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs