#59 stack-buffer-overflow in read_textobject() function

[Suhwan Song]

Hi,
I found a stack-buffer-overflow in read_textobject() function at read.c:1378
Please run following command to reproduce it,

fig2dev -L box $PoC

Here's log

==13709==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe53f28e0e at pc 0x7f9abe98da69 bp 0x7ffe53f26cb0 sp 0x7ffe53f26458
READ of size 1 at 0x7ffe53f28e0e thread T0
    #0 0x7f9abe98da68  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
    #1 0x558cfdd2cc46 in read_textobject fig2dev-3.2.7b/fig2dev/read.c:1378
    #2 0x558cfdd25d9d in read_compoundobject fig2dev-3.2.7b/fig2dev/read.c:711
    #3 0x558cfdd235f0 in read_objects fig2dev-3.2.7b/fig2dev/read.c:440
    #4 0x558cfdd221d3 in readfp_fig fig2dev-3.2.7b/fig2dev/read.c:172
    #5 0x558cfdd220a9 in read_fig fig2dev-3.2.7b/fig2dev/read.c:142
    #6 0x558cfdd19ef3 in main fig2dev-3.2.7b/fig2dev/fig2dev.c:422
    #7 0x7f9abdd81b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x558cfdd0a979 in _start (fig2dev-3.2.7b+0x6e979)

Address 0x7ffe53f28e0e is located in stack of thread T0 at offset 8446 in frame
    #0 0x558cfdd2c280 in read_textobject fig2dev-3.2.7b/fig2dev/read.c:1304

  This frame has 5 object(s):
    [32, 36) 'num'
    [96, 104) 't'
    [160, 162) 'junk'
    [224, 8416) 's'
    [8448, 16640) 's_temp' <== Memory access at offset 8446 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68) 
Shadow bytes around the buggy address:
  0x10004a7dd170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
=>0x10004a7dd1c0: f2[f2]00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004a7dd210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13709==ABORTING

fig2dev Version 3.2.7b
I also tested this in git master and can reproduce it.

[tkl]

Fixed with commit [41b9bb].