*** This bug is a security vulnerability ***

Public security bug reported:

Hi, I found an overflow error.

issues: https://sourceforge.net/p/mcj/tickets/113/
commit: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1. Get the source code of fig2dev
2. Compile fig2dev
   $ cd fig2dev-3.2.8a
   $ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
   $ make
3. Run fig2dev
   $ ./fig2dev -L svg overflow_fig2dev_crash

asan info:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Creator: fig2dev Version 3.2.8a -->
<!-- CreationDate: 2021-04-17 04:37:54 -->
<!-- Magnification: 1 -->
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="900pt" height="3600pt" viewBox="163 0 25 100">
<g fill="none">
<!-- Text -->
=================================================================
==3221214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000072 at pc 0x0000005888ef bp 0x7ffcc0226110 sp 0x7ffcc0226108
READ of size 1 at 0x602000000072 thread T0
    #0 0x5888ee in gensvg_text /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42
    #1 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #2 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #3 0x7f03fc8940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

0x602000000072 is located 0 bytes to the right of 2-byte region [0x602000000070,0x602000000072)
allocated by thread T0 here:
    #0 0x494fd2 in calloc (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x494fd2)
    #1 0x4d5951 in read_textobject /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:505:24
    #2 0x4d2b8b in read_1_3_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:126:16
    #3 0x4d666f in readfp_fig /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read.c:154:12
    #4 0x4d6312 in read_fig /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read.c:124:10
    #5 0x4d04cb in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:424:12
    #6 0x7f03fc8940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42 in gensvg_text
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa[02]fa
  0x0c047fff8010: fa fa 00 07 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3221214==ABORTING

** Affects: xfig (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: security

** Attachment added: "overflow_fig2dev_crash"
   https://bugs.launchpad.net/bugs/1926674/+attachment/5493452/+files/overflow_fig2dev_crash

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926674

Title:
  heap-buffer-overflow of fig2dev of gensvg.c in function gensvg_text

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfig/+bug/1926674/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
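Added example, not part of the bug report or of fig2dev: a small Python triage helper that parses an AddressSanitizer report of the kind shown above, pulling out the error kind, the faulting access, the crash frame and the allocation frame that sized the buffer, and flagging the "0 bytes to the right of the region" off-by-one pattern so that sanitizer crashes from a fuzzing run can be bucketed. The sample input is constructed from the lines of the report above; the regexes match the standard ASan report layout.

```python
import re

# Constructed sample: the lines of the AddressSanitizer report above that a
# triage parser needs (crash stack, allocation stack, summary), nothing else.
SAMPLE_REPORT = """\
==3221214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000072 at pc 0x0000005888ef bp 0x7ffcc0226110 sp 0x7ffcc0226108
READ of size 1 at 0x602000000072 thread T0
    #0 0x5888ee in gensvg_text /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42
    #1 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
0x602000000072 is located 0 bytes to the right of 2-byte region [0x602000000070,0x602000000072)
allocated by thread T0 here:
    #0 0x494fd2 in calloc (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x494fd2)
    #1 0x4d5951 in read_textobject /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:505:24
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42 in gensvg_text
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
ALLOCATORS = {"malloc", "calloc", "realloc"}  # interceptor frames, not the caller that chose the size

def parse_asan_report(text):
    """Extract the fields a triager keys on; return None if this is not an ASan error report."""
    err = ERROR_RE.search(text)
    if err is None:
        return None
    info = {"kind": err["kind"], "address": err["addr"], "access": None, "region": None}
    acc = ACCESS_RE.search(text)
    if acc:
        info["access"] = (acc["op"], int(acc["size"]))
    reg = REGION_RE.search(text)
    if reg:
        info["region"] = {"offset": int(reg["off"]), "side": reg["side"], "size": int(reg["len"])}
    # Frames before "allocated by" are the faulting access stack; frames after it sized the buffer.
    head, sep, tail = text.partition("allocated by thread")
    access_frames = [(f["func"], f["loc"]) for f in FRAME_RE.finditer(head)]
    alloc_frames = [(f["func"], f["loc"]) for f in FRAME_RE.finditer(tail)] if sep else []
    info["crash_site"] = access_frames[0] if access_frames else None
    # Skip the allocator interceptor frame: the caller that chose the size is what matters.
    info["alloc_site"] = next((f for f in alloc_frames if f[0] not in ALLOCATORS), None)
    # A read exactly at the end of the region (offset 0, right side) is the off-by-one / missing-terminator pattern.
    info["off_by_one"] = bool(reg) and reg["side"] == "right" and int(reg["off"]) == 0
    return info

def bucket_key(info):
    """Dedup key: same bug kind at the same crash file:line (column dropped) collapses into one bucket."""
    func, loc = info["crash_site"] or ("?", "?")
    return f"{info['kind']}@{func}:{loc.rsplit(':', 1)[0]}"
```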