*** This bug is a security vulnerability *** Public security bug reported:
Hi, I found a crash error.

issues: https://sourceforge.net/p/mcj/tickets/116/
commit: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/

System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:

1. Get the source code of fig2dev
2. Compile the fig2dev
   $ cd fig2dev-3.2.8a
   $ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
   $ make
3. Run fig2dev
   $ ./fig2dev -L box fig2dev_box_crash

asan info:

    Invalid color definition at line 11: 0#U75 0 6750 #1 -1 4 -1 -1 0.000 0 0 1 0 -1 0 0,5, setting to black (#00000).
    Invalid color definition at line 12: 0 i, setting to black (#00000).
    =================================================================
    ==2147685==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5583735f1b08 at pc 0x7f195e0bc715 bp 0x7ffd510f0020 sp 0x7ffd510ef7b0
    WRITE of size 14 at 0x5583735f1b08 thread T0
        #0 0x7f195e0bc714 in vsprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9e714)
        #1 0x7f195e0bcbce in sprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9ebce)
        #2 0x558373381445 in read_objects /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/read.c:505
        #3 0x558373381445 in readfp_fig /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/read.c:152
        #4 0x5583733824c3 in read_fig /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/read.c:124
        #5 0x55837334b320 in main /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/fig2dev.c:424
        #6 0x7f195dce80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55837334d26d in _start (/home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/fig2dev+0x7026d)

    0x5583735f1b08 is located 56 bytes to the left of global variable 'support_i18n' defined in 'fig2dev.c:83:6' (0x5583735f1b40) of size 1
      'support_i18n' is ascii string ''
    0x5583735f1b08 is located 0 bytes to the right of global variable 'gif_transparent' defined in 'fig2dev.c:85:6' (0x5583735f1b00) of size 8
    SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf
    Shadow bytes around the buggy address:
      0x0ab0ee6b6310: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6320: 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6330: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6340: 04 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6350: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
    =>0x0ab0ee6b6360: 00[f9]f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6370: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6380: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b6390: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b63a0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
      0x0ab0ee6b63b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2147685==ABORTING

** Affects: xfig (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: security

** Attachment added: "fig2dev_box_crash"
   https://bugs.launchpad.net/bugs/1926677/+attachment/5493454/+files/fig2dev_box_crash

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926677

Title:
  global-buffer-overflow of fig2dev of fig2dev/read.c in function read_objects

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfig/+bug/1926677/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
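The ASan report above pins the defect to an unbounded sprintf in read_objects writing 14 bytes into the 8-byte global gif_transparent. The following is an added illustration of that bug class and its fix, not fig2dev's own code: it assumes the 8-byte slot holds a "#rrggbb" string built from three colour components with "%.2x", where "%.2x" is only a minimum width, so a component above 0xff prints more than two digits and the write grows past the buffer. The hardened version range-checks the components and bounds the write with snprintf.

```c
#include <stdio.h>
#include <string.h>

/* Eight-byte colour slot, the size ASan reports for the overflowed global.
   That it holds a "#rrggbb" string (7 chars + NUL) is an assumption. */
#define COLOR_LEN 8

/* Unsafe pattern: three unchecked components formatted with "%.2x" by an
   unbounded sprintf. This helper only measures how many bytes such a call
   would write (NUL included) instead of performing the overflowing write.
   Three components of 0x1234 give "#123412341234": 13 chars + NUL = 14. */
int unchecked_bytes_written(unsigned r, unsigned g, unsigned b)
{
    return snprintf(NULL, 0, "#%.2x%.2x%.2x", r, g, b) + 1;
}

/* Hardened version: reject out-of-range components, bound the write with
   snprintf and treat truncation as an error instead of silently continuing.
   Returns 0 on success, -1 on rejection (dst is left as an empty string). */
int format_color_checked(char dst[COLOR_LEN], unsigned r, unsigned g, unsigned b)
{
    dst[0] = '\0';
    if (r > 0xff || g > 0xff || b > 0xff)
        return -1;
    int n = snprintf(dst, COLOR_LEN, "#%02x%02x%02x", r, g, b);
    if (n < 0 || n >= COLOR_LEN) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Test hook: 1 if the checked formatter accepts the triple and yields expect. */
int checked_matches(unsigned r, unsigned g, unsigned b, const char *expect)
{
    char buf[COLOR_LEN];
    return format_color_checked(buf, r, g, b) == 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[COLOR_LEN];
    printf("unbounded sprintf would write %d bytes into a %d-byte buffer\n",
           unchecked_bytes_written(0x1234, 0x1234, 0x1234), COLOR_LEN);
    printf("checked(255,0,16) -> %d \"%s\"\n",
           format_color_checked(buf, 255, 0, 16), buf);
    printf("checked(0x1234,0,0) -> %d (rejected)\n",
           format_color_checked(buf, 0x1234, 0, 0));
    return 0;
}
```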
