A heap-based buffer overflow vulnerability exists in the XML Decompression EnumerationUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the XML Decompression EnumerationUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

AT&T Labs Xmill 0.7  
Schneider Electric EcoStruxure Control Expert 15

**Product URLs**

None

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods.

While this software is old, released in 1999, it can be found in modern software suites, such as Schneider Electric’s EcoStruxure Control Expert.

During the Uncompress functionality of Xdemill, container blocks are decompressed independantly. Within EnumerationUncompressor::UncompressItem a length provided by the compressed file is used as trusted input for a memcpy.

    void UncompressItem(UncompressContainer *cont,char *dataptr,XMLOutput *output)
       // An item is decompressed by looking up the dictionary
    {
       unsigned idx=cont->LoadUInt32();
       EnumDictItem *item=((EnumUncompressState *)dataptr)->itemarray+idx;
     
       output->characters((char *)item->dataptr,item->len);
    }
    

Once the length is passed the XMLOutput::characters no additional checks are made to check the length of the input versus the provided length, and is passed to Output::StoreData.

    void OUTPUT_STATIC characters(char *str,int len)
    {
       switch(x.status)
       {
       case XMLOUTPUT_OPENATTRIB:
          StoreData(str,len);
          return;
     
       case XMLOUTPUT_OPENLABEL:
          StoreChar('>');
     
       case XMLOUTPUT_AFTERDATA:
       case XMLOUTPUT_AFTERENDLABEL:
       case XMLOUTPUT_INIT:
          StoreData(str,len);
       }
       x.status=XMLOUTPUT_AFTERDATA;
    }
    

Output::StoreData passes the function input directly into memcpy (mymemcpy is a #define of memcpy) which allows a malicious user to overflow the provided heap-based buffer which can result in remote code execution.

    void OUTPUT_STATIC StoreData(char *ptr,int len)
       // Stores the data at position 'ptr' of length 'len'
    {
       while(bufsize-curpos<len)
       {
          mymemcpy(buf+curpos,ptr,bufsize-curpos);
          len-=bufsize-curpos;
          ptr+=bufsize-curpos;
          curpos=bufsize;
          Flush();
       }
       mymemcpy(buf+curpos,ptr,len);
       curpos+=len;
    } 
    

**Crash Information**

    ASAN:DEADLYSIGNAL
    =================================================================
    ==32355==ERROR: AddressSanitizer: SEGV on unknown address 0x6369656c (pc 0xb7caecc0 bp 0xbf9cf488 sp 0xbf9cf028 T0)
        #0 0xb7caecbf  /build/glibc-ViVLyQ/glibc-2.23/string/../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:136
        #1 0x80f37da in __asan_memcpy (/home/fuzz/Desktop/xmill/unix/xdemill+0x80f37da)
        #2 0x8188a4b in Output::StoreData(char*, int) /home/fuzz/Desktop/xmill/./src/Output.hpp:198:10
        #3 0x8185fe1 in XMLOutput::characters(char*, int) /home/fuzz/Desktop/xmill/./src/XMLOutput.hpp:241:10
        #4 0x81a4e8b in EnumerationUncompressor::UncompressItem(UncompressContainer*, char*, XMLOutput*) /home/fuzz/Desktop/xmill/./src/EnumCompress.cpp:361:7
        #5 0x819fb6a in DivSepUncompressor::UncompressItem(UncompressContainer*, char*, XMLOutput*) /home/fuzz/Desktop/xmill/./src/DivCompress.cpp:453:10
        #6 0x819f022 in OrSepUncompressor::UncompressItem(UncompressContainer*, char*, XMLOutput*) /home/fuzz/Desktop/xmill/./src/OrCompress.cpp:330:7
        #7 0x81870ad in UncompressContainerBlock::UncompressText(XMLOutput*) /home/fuzz/Desktop/xmill/./src/UnCompCont.hpp:180:7
        #8 0x81840f7 in DecodeTreeBlock(UncompressContainer*, UncompressContainer*, UncompressContainer*, XMLOutput*) /home/fuzz/Desktop/xmill/./src/Decode.cpp:82:10
        #9 0x8197226 in Uncompress(char*, char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:854:7
        #10 0x8196c37 in HandleSingleFile(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:248:10
        #11 0x8197482 in HandleFileArg(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:382:4
        #12 0x81976f5 in main /home/fuzz/Desktop/xmill/./src/Main.cpp:494:7
        #13 0xb7b9f646 in __libc_start_main /build/glibc-ViVLyQ/glibc-2.23/csu/../csu/libc-start.c:291
        #14 0x80664d3 in _start (/home/fuzz/Desktop/xmill/unix/xdemill+0x80664d3)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /build/glibc-ViVLyQ/glibc-2.23/string/../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:136 
    ==32355==ABORTING    
    

**Timeline**

2021-04-30 - Vendor Disclosure  
2021-08-10 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2021-21829: TALOS-2021-1292 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

AT&T Labs Xmill 0.7  
Schneider Electric EcoStruxure Control Expert 15

**Product URLs**

None

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods.

While this software is old, released in 1999, it can be found in modern software suites, such as Schneider Electric’s EcoStruxure Control Expert.

Within LabelDict::Load within UncompressBlockHeader a call to MemStreamer::WordAlign is not accounted for in the size of the buffer that is allocated. Since MemStreamer::WordAlign happens in a loop and MemStreamer::GetByteBlock only allocates new memory if it is necessary. This function does not increment the total size used of the mainmem block after copying data into it, thus the MemStreamer::GetByteBlock will not account for the data copied in, this can manifest in large out of bounds heap writes, which can result in remote code execution.

       void Load(SmallBlockUncompressor *uncompress)
          // Loads the next block of labels and appends the block to the
          // already existing blocks in the dictionary
       {
          UncompressLabelDictItem *dictitemptr;
          char                    isattrib;
          unsigned                dictlabelnum;
    
          // Let's get the number of labels first
          unsigned mylabelnum=uncompress->LoadUInt32();
          ...
    
    //******
    
          lastlabeldict->labelnum=mylabelnum;
          labelnum+=mylabelnum;
    
          dictlabelnum=mylabelnum;
    
          dictitemptr=lastlabeldict->GetArrayPtr();
    
          // We copy the actual labels now
          // Each label is represented by the length and the attribute-flag
          // Then, the actual name follows
          while(dictlabelnum--)
          {
             dictitemptr->len=(unsigned short)uncompress->LoadSInt32(&isattrib);
             dictitemptr->isattrib=isattrib;
    
             dictitemptr->strptr=mainmem.GetByteBlock(dictitemptr->len);
             mainmem.WordAlign();
    
             mymemcpy(dictitemptr->strptr,
                      uncompress->LoadData(dictitemptr->len),
                      dictitemptr->len);
    
             dictitemptr++;
          }
       }    
    

MemStreamer::WordAlign is used to align memory to a 4 byte boundary, but the alignment happens after the check to see if the block is large enough to hold the data.

       void WordAlign()
          // Allocated 1 to 3 bytes to align the current memory pointer
          // to an address divisible by 4.
       {
          if(curblock==NULL)
             return;
    
          int addsize=3-((curblock->cursize+3)&3);
          if(addsize>0)
          {
             curblock->cursize+=addsize;
             overallsize+=addsize;
          }
       }
    

MemStreamer::GetByteBlock only allocates more memory if the current block cannot hold the data, this is tracked in a global MemStreamer structure.

       char *GetByteBlock(unsigned len)
          // The main function for allocated more memory of size 'len'.
          // The function checks the current block and if there is not enough space,
          // the function 'AllocateNewBlock' is called.
       {
          if(len+sizeof(MemStreamBlock)-1>LARGEBLOCK_SIZE) // Is the requested size larger than the biggest possible block?
          {
             char str[100];
             sprintf(str,"Could not allocate %lu bytes (largest possible block size=%lu bytes) !",
                sizeof(MemStreamBlock)-1+len,
                LARGEBLOCK_SIZE);
             Error(str);
             Exit();
          }
    
          if(curblock==NULL)
             // We don't have a block yet ?
             firstblock=curblock=AllocateNewBlock();
    
          if(curblock->blocksize-curblock->cursize>=len)
             // Enough space in current block?
          {
             char *ptr=curblock->data+curblock->cursize;
             curblock->cursize+=len;
             overallsize+=len;
             return ptr;
          }
          else  // We add a new block at the end
          {
             do
             {
                curblock->next=AllocateNewBlock();
                curblock=curblock->next;
             }
             while(curblock->blocksize<len);  // If we don't have enough space,
                                              // we simply create a bigger one!
    
             curblock->cursize=len;
             overallsize+=len;
    
             return curblock->data;
          }
       }    
    

**Crash Information**

    =================================================================
    ==32767==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4674800 at pc 0x080f37f5 bp 0xbf8124e8 sp 0xbf8120c0
    WRITE of size 37 at 0xb4674800 thread T0
        #0 0x80f37f4 in __asan_memcpy (/home/fuzz/Desktop/xmill/unix/xdemill+0x80f37f4)
        #1 0x819ab49 in LabelDict::Load(SmallBlockUncompressor*) /home/fuzz/Desktop/xmill/./src/LabelDict.hpp:453:10
        #2 0x8197d05 in UncompressBlockHeader(Input*) /home/fuzz/Desktop/xmill/./src/Main.cpp:784:4
        #3 0x8197100 in Uncompress(char*, char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:840:10
        #4 0x8196c37 in HandleSingleFile(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:248:10
        #5 0x8197482 in HandleFileArg(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:382:4
        #6 0x81976f5 in main /home/fuzz/Desktop/xmill/./src/Main.cpp:494:7
        #7 0xb7b3b646 in __libc_start_main /build/glibc-ViVLyQ/glibc-2.23/csu/../csu/libc-start.c:291
        #8 0x80664d3 in _start (/home/fuzz/Desktop/xmill/unix/xdemill+0x80664d3)
    
    0xb4674800 is located 0 bytes to the right of 65536-byte region [0xb4664800,0xb4674800)
    allocated by thread T0 here:
        #0 0x810a814 in __interceptor_malloc (/home/fuzz/Desktop/xmill/unix/xdemill+0x810a814)
        #1 0x819d9c5 in AllocateBlockRecurs(unsigned char) /home/fuzz/Desktop/xmill/./src/MemMan.cpp:71:22
        #2 0x818bc9e in AllocateBlock(unsigned char) /home/fuzz/Desktop/xmill/./src/MemMan.hpp:68:11
        #3 0x818b8a7 in MemStreamer::AllocateNewBlock() /home/fuzz/Desktop/xmill/./src/MemStreamer.hpp:121:34
        #4 0x818b35c in MemStreamer::GetByteBlock(unsigned int) /home/fuzz/Desktop/xmill/./src/MemStreamer.hpp:222:28
        #5 0x819a99c in LabelDict::Load(SmallBlockUncompressor*) /home/fuzz/Desktop/xmill/./src/LabelDict.hpp:450:30
        #6 0x8197d05 in UncompressBlockHeader(Input*) /home/fuzz/Desktop/xmill/./src/Main.cpp:784:4
        #7 0x8197100 in Uncompress(char*, char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:840:10
        #8 0x8196c37 in HandleSingleFile(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:248:10
        #9 0x8197482 in HandleFileArg(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:382:4
        #10 0x81976f5 in main /home/fuzz/Desktop/xmill/./src/Main.cpp:494:7
        #11 0xb7b3b646 in __libc_start_main /build/glibc-ViVLyQ/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/xmill/unix/xdemill+0x80f37f4) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x368ce8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x368ce8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x368ce8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x368ce8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x368ce8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x368ce900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x368ce910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x368ce920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x368ce930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x368ce940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x368ce950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ASAN:DEADLYSIGNAL
    =================================================================    
    

**Timeline**

2021-04-30 - Vendor Disclosure  
2021-08-10 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2021-21830: TALOS-2021-1293 || Cisco Talos Intelligence Group

NVIDIA Linux kernel distributions contain a vulnerability in nvmap, where writes may be allowed to read-only buffers, which may result in escalation of privileges, complete denial of service, unconstrained information disclosure, and serious data tampering of all processes on the system.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2021‑1106

NVIDIA Linux kernel distributions contain a vulnerability in nvmap, where writes may be allowed to read-only buffers, which may result in escalation of privileges, complete denial of service, unconstrained information disclosure, and serious data tampering of all processes on the system.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑1107

NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVMAP_IOC_WRITE* paths, where improper access controls may lead to code execution, complete denial of service, and seriously compromised integrity of all system components.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑1108

NVIDIA Linux kernel distributions contain a vulnerability in FuSa Capture (VI/ISP), where integer underflow due to lack of input validation may lead to complete denial of service, partial integrity, and serious confidentiality loss for all processes in the system.

7.3

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

CVE‑2021‑1109

NVIDIA camera firmware contains a multistep, timing-related vulnerability where an unauthorized modification by camera resources may result in loss of data integrity or denial of service across several streams.

7.2

AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H

CVE‑2021‑1110

NVIDIA Linux kernel distributions on Jetson Xavier contain a vulnerability in camera firmware where a user can change input data after validation, which may lead to complete denial of service and serious data corruption of all kernel components.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE‑2021‑1111

Bootloader contains a vulnerability in the NV3P server where any user with physical access through USB can trigger an incorrect bounds check, which may lead to buffer overflow, resulting in limited information disclosure, limited data integrity, and denial of service across all components.

6.7

AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

CVE‑2021‑1112

NVIDIA Linux kernel distributions contain a vulnerability in nvmap, where a null pointer dereference may lead to complete denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2021‑1113

NVIDIA camera firmware contains a difficult-to-exploit vulnerability, where a highly privileged attacker can cause unauthorized modification to camera resources, which may result in complete denial of service and partial loss of data integrity for all clients.

4.7

AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

CVE‑2021‑1114

NVIDIA Linux kernel distributions contain a vulnerability in the kernel crypto node, where use after free may lead to complete denial of service.

4.4

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

CVE‑2021‑1110

Jetson AGX Xavier series, Jetson Xavier NX

Jetson Linux

All 32.x versions prior to 32.6.1

32.6.1

CVE‑2021‑1106 CVE‑2021‑1107 CVE‑2021‑1108 CVE‑2021‑1109 CVE‑2021‑1112 CVE‑2021‑1113

Jetson AGX Xavier series, Jetson Xavier NX, Jetson TX2 series, Jetson TX2 NX, Jetson Nano, Jetson Nano 2GB, Jetson TX1

Jetson Linux

All 32.x versions prior to 32.6.1

32.6.1

CVE‑2021‑1111 CVE‑2021‑1114

Jetson AGX Xavier series, Jetson Xavier NX, Jetson TX2 series, Jetson TX2 NX

Jetson Linux

All 32.x versions prior to 32.6.1

32.6.1

**Notes**

*   Earlier software branch releases that support this product are also affected. If you are using an earlier branch release, upgrade to the latest branch release.

**Mitigations**

See Security Updates for the version to install.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

Revision History   

**Revision**

**Date**

**Description**

3.0

January 21, 2022

Updated the description, base score, and CVSS vector for CVE‑2021‑1113

2.0

January 18, 2022

Updated the CVSS score and vector for CVE‑2021‑1106, CVE‑2021‑1107, and CVE‑2021‑1108

1.0

August 4, 2021

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2021-1106: Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX), and Jetson Nano (including Jetson Nano 2GB)- August 2021

A stack-based buffer overflow in the genpstrx_text() component in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pstricks format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a stack-buffer-overflow in genpstrx\_text at genpstricks.c:2732  
Please run following command to reproduce it,

ASAN LOG

\==48149\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fffcd1c7b00 at pc 0x00000044823a bp 0x7fffcd1b7880 sp 0x7fffcd1b7030
WRITE of size 35 at 0x7fffcd1c7b00 thread T0
    #0 0x448239 in vsprintf (/home/tmp/fig2dev+0x448239)
    #1 0x448566 in \_\_interceptor\_sprintf (/home/tmp/fig2dev+0x448566)
    #2 0x81943b in genpstrx\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:2732:5
    #3 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #4 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #5 0x7fb45a113b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #6 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

Address 0x7fffcd1c7b00 is located in stack of thread T0 at offset 65856 in frame
    #0 0x817a5f in genpstrx\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:2714

  This frame has 2 object(s):
    \[32, 65568) 'formatted\_text' (line 2716)
    \[65824, 65856) 'angle' (line 2717) <== Memory access at offset 65856 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow (/home/tmp/fig2dev+0x448239) in vsprintf
Shadow bytes around the buggy address:
  0x100079a30f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100079a30f40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100079a30f50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
\=>0x100079a30f60:\[f3\]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f70: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 f3 f3
  0x100079a30f80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==48149\==ABORTING

fig2dev Version 3.2.7b

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21676: Xfig / Tickets / #76 stack-buffer-overflow in genpstrx_text at genpstricks.c:2732

A stack-based buffer overflow in the genptk_text component in genptk.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ptk format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a stack-buffer-overflow in genptk\_text at genptk.c:618

fig2dev Version 3.2.7b  
commit 93795dd396730c80e63767dede7777f4cb7dc383

Please run following command to reproduce it,

ASAN LOG

\==45827\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fff76457e80 at pc 0x000000841291 bp 0x7fff76457650 sp 0x7fff76457648
WRITE of size 1 at 0x7fff76457e80 thread T0
    #0 0x841290 in genptk\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genptk.c:618:13
    #1 0x54ba7b in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1012:6
    #2 0x54ba7b in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:489
    #3 0x7f8360406b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #4 0x41b429 in \_start (/home/tmp/fig2dev+0x41b429)

Address 0x7fff76457e80 is located in stack of thread T0 at offset 2080 in frame
    #0 0x83e5ef in genptk\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genptk.c:520

  This frame has 1 object(s):
    \[32, 2080) 'stfp' (line 521) <== Memory access at offset 2080 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genptk.c:618:13 in genptk\_text
Shadow bytes around the buggy address:
  0x10006ec82f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10006ec82fd0:\[f3\]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10006ec82fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82ff0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
  0x10006ec83000: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10006ec83010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec83020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==45827\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21675: Xfig / Tickets / #78 stack-buffer-overflow in genptk_text at genptk.c:618

A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in set\_fill at genge.c:446  
Please run following command to reproduce it,

ASAN LOG

Invalid color number \-16 at line 33, using default color.
\=================================================================
\==3081\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x0000009b325c at pc 0x0000006953f0 bp 0x7ffd7c3cad60 sp 0x7ffd7c3cad58
READ of size 4 at 0x0000009b325c thread T0
    #0 0x6953ef in set\_fill /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:446:27
    #1 0x6953ef in genge\_line /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:143
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fbb4e7bcb96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x0000009b325c is located 4 bytes to the left of global variable 'GE\_COLORS' defined in 'genge.c:55:12' (0x9b3260) of size 128
0x0000009b325c is located 53 bytes to the right of global variable '<string literal>' defined in 'genge.c:437:14' (0x9b3220) of size 7
  '<string literal>' is ascii string 'c%02d '
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:446:27 in set\_fill
Shadow bytes around the buggy address:
  0x00008012e5f0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 f9 f9
  0x00008012e600: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 03
  0x00008012e610: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
  0x00008012e620: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 06 f9 f9
  0x00008012e630: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 03 f9 f9
\=>0x00008012e640: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x00008012e650: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x00008012e660: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008012e670: 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008012e680: 07 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x00008012e690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==3081\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21682: Xfig / Tickets / #72 global-buffer-overflow in set_fill at genge.c:446

A global buffer overflow in the genmp_writefontmacro_latex component in genmp.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into mp format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in genmp\_writefontmacro\_latex at genmp.c:1274  
Please run following command to reproduce it,

Here's log

\==17197\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x000000c7ffd8 at pc 0x00000070bc35 bp 0x7ffcf7797cd0 sp 0x7ffcf7797cc8
READ of size 8 at 0x000000c7ffd8 thread T0
    #0 0x70bc34 in genmp\_writefontmacro\_latex /home/tmp/mcj\-fig2dev/fig2dev/dev/genmp.c:1274:3
    #1 0x70bc34 in genmp\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genmp.c:1074
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fab84f5db96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x000000c7ffd8 is located 8 bytes to the left of global variable 'texfontfamily' defined in 'texfonts.c:27:13' (0xc7ffe0) of size 48
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genmp.c:1274:3 in genmp\_writefontmacro\_latex
Shadow bytes around the buggy address:
  0x000080187fa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fe0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
\=>0x000080187ff0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x000080188000: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x000080188010: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x000080188020: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080188030: 00 04 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080188040: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==17197\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21678: Xfig / Tickets / #71 global-buffer-overflow in genmp_writefontmacro_latex at genmp.c:1274

A global buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pstricks format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in shade\_or\_tint\_name\_after\_declare\_color at genpstricks.c:1135  
Please run following command to reproduce it,

ASAN LOG

Invalid color number \-1674115757 at line 37, using default color.
An open polygon at line 38 \- close it.
\=================================================================
\==22079\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x000000c5a81c at pc 0x00000080aeb5 bp 0x7ffd1029a770 sp 0x7ffd1029a768
READ of size 4 at 0x000000c5a81c thread T0
    #0 0x80aeb4 in shade\_or\_tint\_name\_after\_declare\_color /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:1135:41
    #1 0x80aeb4 in format\_options /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:1859
    #2 0x7fa81d in genpstrx\_line /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:2270:7
    #3 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #4 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #5 0x7ff8beecdb96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #6 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x000000c5a81c is located 4 bytes to the left of global variable 'color\_table' defined in 'genpstricks.c:986:3' (0xc5a820) of size 34816
0x000000c5a81c is located 44 bytes to the right of global variable 'dev\_pstricks' defined in 'genpstricks.c:2851:15' (0xc5a7a0) of size 80
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:1135:41 in shade\_or\_tint\_name\_after\_declare\_color
Shadow bytes around the buggy address:
  0x0000801834b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801834c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801834d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801834e0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000801834f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 f9 f9
\=>0x000080183500: f9 f9 f9\[f9\]00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==22079\==ABORTING

fig2dev Version 3.2.7b

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21683: Xfig / Tickets / #77 global-buffer-overflow in shade_or_tint_name_after_declare_color at genpstricks.c:1135

A global buffer overflow in the put_font in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pict2e format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in put\_font at genpict2e.c:2229  
Please run following command to reproduce it,

ASAN LOG

\==36598\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x000000c4f858 at pc 0x0000007614d0 bp 0x7fff29528440 sp 0x7fff29528438
READ of size 8 at 0x000000c4f858 thread T0
    #0 0x7614cf in put\_font /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2229:7
    #1 0x7614cf in genpict2e\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2278
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fb82753eb96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x000000c4f858 is located 8 bytes to the left of global variable 'texfonts' defined in 'genpict2e.c:54:14' (0xc4f860) of size 48
0x000000c4f858 is located 52 bytes to the right of global variable 'default\_color' defined in 'genpict2e.c:119:12' (0xc4f820) of size 4
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2229:7 in put\_font
Shadow bytes around the buggy address:
  0x000080181eb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080181ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181ef0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
\=>0x000080181f00: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x000080181f10: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080181f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181f30: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080181f40: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080181f50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==36598\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21684: Xfig / Tickets / #75 global-buffer-overflow in put_font at genpict2e.c:2229

A stack-based buffer overflow in the put_arrow() component in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pict2e format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a stack-buffer-overflow in put\_arrow at genpict2e.c:1191  
Please run following command to reproduce it,

ASAN LOG

\==39178\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fffc3316ec8 at pc 0x00000077150d bp 0x7fffc3316e70 sp 0x7fffc3316e68
READ of size 4 at 0x7fffc3316ec8 thread T0
    #0 0x77150c in put\_arrow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:1191:39
    #1 0x767f69 in genpict2e\_arc /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2575:6
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7f8b1eb44b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

Address 0x7fffc3316ec8 is located in stack of thread T0 at offset 72 in frame
    #0 0x76d4cf in put\_arrow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:1152

  This frame has 9 object(s):
    \[32, 36) 'sx' (line 1153)
    \[48, 52) 'sy' (line 1153)
    \[64, 68) 'lx' (line 1153) <== Memory access at offset 72 overflows this variable
    \[80, 480) 'points' (line 1154) <== Memory access at offset 72 underflows this variable
    \[544, 944) 'fillpoints' (line 1154)
    \[1008, 1408) 'clippts' (line 1154)
    \[1472, 1476) 'npoints' (line 1155)
    \[1488, 1492) 'nfillpoints' (line 1155)
    \[1504, 1508) 'nclippts' (line 1155)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:1191:39 in put\_arrow
Shadow bytes around the buggy address:
  0x10007865ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ad90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ada0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865adb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865adc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10007865add0: f1 f1 f1 f1 04 f2 04 f2 04\[f2\]00 00 00 00 00 00
  0x10007865ade0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865adf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x10007865ae10: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==39178\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

Tag

#buffer_overflow