Hello Team,
This ticket is regarding #882022. According to the email thread, the issue looks to be fixed in 3.2.7.
But as per our research, the vulnerability is not fixed yet in the latest version of fig2dev 3.2.7a as we are still able to reproduce it.
In the get_line() function, when the value of the 'len' variable is less than 2, it attempts to write prior to the buffer. We have observed that this vulnerability has been fixed in the function read_objects() by adding a check if (len > 1 && buf[len-2] == '\r').
We believe that applying same condition may fix the issue in get_line() as well.
Debugging:
Breakpoint 1 at 0x812ad: file read.c, line 1470.
The program is not being run.
Starting program: /home/ethan/Desktop/fig2dev-3.2.7a_debian/fig2dev/fig2dev -L tikz ~/Desktop/overflow_218
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, get_line (fp=0x616000000080) at read.c:1470
1470 if (buf[len-2] == '\r')
len = 1
rax 0x555555995ac0 93824996694720
rbx 0x7fffffffde70 140737488346736
rcx 0x0 0
rdx 0x0 0
rsi 0x616000000100 107064944754944
rdi 0x0 0
rbp 0x7fffffffddd0 0x7fffffffddd0
rsp 0x7fffffffddb0 0x7fffffffddb0
r8 0x0 0
r9 0x0 0
r10 0x7ffff7fdb780 140737353987968
r11 0x246 582
r12 0xffffffffbce 17592186043342
r13 0x7fffffffdf10 140737488346896
r14 0x7fffffffde70 140737488346736
r15 0x0 0
rip 0x5555555d52ad 0x5555555d52ad <get_line+204>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
1465 if (save_comment() < 0)
1466 return -1;
1467 } else if (*buf != '\n') { /* Skip empty lines */
1468 len = strlen(buf);
1469 buf[len-1] = '\0'; /* strip trailing newline */
1470 if (buf[len-2] == '\r')
1471 buf[len-2] = '\0'; /* strip trailing CRs */
1472 return 1;
1473 }
1474 }
Continuing.
[Inferior 1 (process 5867) exited with code 01]
Please do confirm if you are able to reproduce the issue with this - Reproducer
With the provided input file, fig2dev terminates with exit code 1, no seg fault.
I believe the only way to set len to a value smaller than 2, i.e., 1, is by reading in a single character in the last line, before EOF. The provided file ends with \n 0, hence this vulnerability could be triggered. The fix, as suggested, should be applied. It is strange that I cannot reproduce the issue.

As per the discussion in ticket #28, the issue can be reproduced with CFLAGS="-fsanitize=address" enabled.

This issue is fixed in commit e0c4b02.
Fixed with release 3.2.7b.
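The two points made in this ticket, that a single character on the final line before EOF leaves len == 1 so that buf[len-2] touches the byte before the buffer, and that the len > 1 guard already used in read_objects() closes it, as an added example (not fig2dev's code): a canary byte is placed directly before a line buffer so the stray write lands on the canary and is detected, instead of silently corrupting whatever precedes the buffer. The struct, the function names, and the input strings are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical harness, not fig2dev code: a canary byte sits directly
 * before the line buffer (both are char, so no padding in between). If
 * the strip logic writes to buf[-1], the canary changes. */
#define LINE_SIZE 64
#define GUARD '\r'   /* worst case: the stray read at buf[-1] finds a CR, so the write follows */

struct guarded_line {
    char guard;
    char buf[LINE_SIZE];
};

/* Mirrors read.c lines 1468-1471 as listed in the ticket (unfixed):
 * with len == 1, buf[len-2] is buf[-1]. */
static int strip_eol_unchecked(char *buf)
{
    int len = (int)strlen(buf);
    buf[len - 1] = '\0';            /* strip trailing newline */
    if (buf[len - 2] == '\r')       /* reads before buf when len == 1 */
        buf[len - 2] = '\0';        /* ...and writes before buf */
    return len;
}

/* Same logic with the guard the ticket reports in read_objects(). */
static int strip_eol_checked(char *buf)
{
    int len = (int)strlen(buf);
    buf[len - 1] = '\0';
    if (len > 1 && buf[len - 2] == '\r')
        buf[len - 2] = '\0';
    return len;
}

/* Simulates what fgets() hands get_line() for the final record of a
 * file: the text after the previous '\n', including a trailing '\n' if
 * the file has one. A file ending in "\n0" (no newline before EOF)
 * yields "0", the single-character case from the ticket. */
static void last_line(const char *file, char *buf, size_t size)
{
    size_t n = strlen(file);
    size_t scan = (n > 0 && file[n - 1] == '\n') ? n - 1 : n;
    size_t start = scan;
    while (start > 0 && file[start - 1] != '\n')
        start--;
    size_t len = n - start;
    if (len >= size)
        len = size - 1;
    memcpy(buf, file + start, len);
    buf[len] = '\0';
}

/* Runs one strip variant on the last line of `file` inside a guarded
 * buffer. Returns 1 if the canary was overwritten (underflow), else 0;
 * the stripped line is copied to `out` when it is non-NULL. */
static int run_strip(const char *file, int (*strip)(char *), char *out, size_t outsize)
{
    struct guarded_line g;
    g.guard = GUARD;
    last_line(file, g.buf, sizeof g.buf);
    strip(g.buf);
    if (out)
        snprintf(out, outsize, "%s", g.buf);
    return g.guard != GUARD;
}

/* Convenience for checking the fixed variant: 1 if no underflow occurred
 * and the stripped line equals `expected`. */
static int checked_strips_to(const char *file, const char *expected)
{
    char out[LINE_SIZE];
    if (run_strip(file, strip_eol_checked, out, sizeof out))
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a FIG-like header then a lone "0" before EOF,
     * and a normal CRLF-terminated line. Inputs are non-empty, as fgets()
     * never returns an empty string. */
    const char *eof_case = "#FIG 3.2\n0";
    const char *crlf_case = "#FIG 3.2\r\n";
    printf("unchecked, len==1: underflow=%d\n", run_strip(eof_case, strip_eol_unchecked, NULL, 0));
    printf("checked,   len==1: underflow=%d\n", run_strip(eof_case, strip_eol_checked, NULL, 0));
    printf("checked,   CRLF  : ok=%d\n", checked_strips_to(crlf_case, "#FIG 3.2"));
    return 0;
}
```

The canary only catches the write, not the read that precedes it; building with -fsanitize=address, as noted in the ticket, flags the read of buf[-1] as well, which is why the sanitized build reproduces the issue while the plain build merely exits with code 1.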