#2800 heap-buffer-overflow on gp_cairo_helper_coordval_to_chars()

None
closed-wont-fix
nobody
None
2025-05-30
2025-05-20
No

version: gnuplot 6.1 last modified 2025-05-02
system: ubuntu 22.04

use this command to reproduce: gnuplot poc
message from ASAN:

==3499668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000001798 at pc 0x55f82e5751e9 bp 0x7ffebeb48c80 sp 0x7ffebeb48c70
READ of size 8 at 0x618000001798 thread T0
#0 0x55f82e5751e8 in gp_cairo_helper_coordval_to_chars wxterminal/gp_cairo_helpers.c:94
#1 0x55f82e42b150 in write_png_base64_cb ../term/write_png_image.c:135
#2 0x55f82e42b150 in write_png_base64_image ../term/write_png_image.c:155
#3 0x55f82e42b150 in SVG_image ../term/svg.trm:1963
#4 0x55f82e0f0d40 in process_image /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/graphics.c:5843
#5 0x55f82e0f9424 in do_plot /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/graphics.c:1065
#6 0x55f82e205b24 in eval_plots /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/plot2d.c:4142
#7 0x55f82df7a9d4 in replotrequest /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/command.c:3146
#8 0x55f82df6ee41 in command /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/command.c:855
#9 0x55f82df6ee41 in step_through_line /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/command.c:549
#10 0x55f82e1813d7 in load_file /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/misc.c:393
#11 0x55f82df0347b in main /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/plot.c:669
#12 0x7fb9d4f50d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7fb9d4f50e3f in __libc_start_main_impl ../csu/libc-start.c:392
#14 0x55f82df04d54 in _start (/home/ubuntu/target_program/gnuplot-gnuplot-main/output/asan_gnuplot+0xe0d54)

0x618000001798 is located 0 bytes to the right of 792-byte region [0x618000001480,0x618000001798)
allocated by thread T0 here:
#0 0x7fb9d5961867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55f82df04e65 in gp_alloc /home/ubuntu/asan_program/gnuplot-gnuplot-main/src/alloc.c:56

SUMMARY: AddressSanitizer: heap-buffer-overflow wxterminal/gp_cairo_helpers.c:94 in gp_cairo_helper_coordval_to_chars
Shadow bytes around the buggy address:
0x0c307fff82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fff82f0: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3499668==ABORTING

1 Attachments

Discussion

    Ethan Merritt - 2025-05-30
    • status: open --> closed-wont-fix
    • Group: -->
    • Priority: -->
     
    Ethan Merritt - 2025-05-30

    The program detects and warns about the image data being corrupt. The POC then proceeds to plot the image anyhow. I suppose the program could treat corrupt data as a fatal error rather than simply issuing a warning, but that seems less user-friendly than the current action.

     
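The maintainer's reply describes the failure mode behind the ASan report: an image record whose header claims more coordinate values than were actually supplied is flagged as corrupt, but the plot code continues and reads one 8-byte value past the end of the 792-byte allocation. The added example below is not gnuplot's code; it is a constructed C model of an image record with a hypothetical `validate_image` check that refuses to convert coordinate values to bytes when the claimed dimensions do not fit the payload, i.e. the fail-closed alternative to warn-and-continue. The struct, enum and function names are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an image record (an assumption, not gnuplot's own
 * types): a header that claims a width and height, and a separately
 * allocated payload of 8-byte coordinate values. */
typedef struct {
    size_t claimed_cols;
    size_t claimed_rows;
    const double *payload;
    size_t payload_len;     /* number of doubles actually allocated */
} image_record;

enum validate_result { IMG_OK = 0, IMG_TRUNCATED = 1, IMG_OVERFLOW = 2 };

/* Returns IMG_OK only when cols*rows values are really present in the
 * payload. The first test stops cols*rows from wrapping in size_t, which
 * would otherwise make a huge claimed size look small. */
enum validate_result validate_image(const image_record *img)
{
    if (img->claimed_rows != 0 &&
        img->claimed_cols > SIZE_MAX / img->claimed_rows)
        return IMG_OVERFLOW;
    size_t needed = img->claimed_cols * img->claimed_rows;
    if (needed > img->payload_len)
        return IMG_TRUNCATED;
    return IMG_OK;
}

/* Convert each coordinate value to a single clamped byte, but only after
 * validation. Returns the number of values converted, or -1 when the record
 * is rejected. This is the "treat corrupt data as fatal" path: the loop can
 * never index past payload_len because validate_image ran first. */
long coordvals_to_chars(const image_record *img, unsigned char *out, size_t out_len)
{
    if (validate_image(img) != IMG_OK)
        return -1;
    size_t n = img->claimed_cols * img->claimed_rows;
    if (n > out_len)
        return -1;
    for (size_t i = 0; i < n; i++) {
        double v = img->payload[i];
        if (v < 0.0)   v = 0.0;
        if (v > 255.0) v = 255.0;
        out[i] = (unsigned char)v;
    }
    return (long)n;
}

/* Constructed sample: header claims 4x3 = 12 values, payload holds only 9.
 * Returns 1 when the record is rejected as it should be. */
int demo_truncated_record(void)
{
    double payload[9] = {0, 10, 20, 30, 40, 50, 60, 70, 80};
    image_record img = { 4, 3, payload, 9 };
    unsigned char out[16];
    return coordvals_to_chars(&img, out, sizeof out) == -1;
}

int main(void)
{
    printf("truncated record rejected: %s\n",
           demo_truncated_record() ? "yes" : "no");
    return 0;
}
```

The overflow guard matters as much as the length comparison: without it, a header claiming dimensions whose product wraps around would pass the `needed > payload_len` test and the loop would still walk off the end of the allocation.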
