
#63 global-buffer-overflow in conv_pattern_index() function

xfig / fig2dev: xfig
Status: closed
Owner: nobody
Labels: None
Updated: 2020-12-21
Created: 2019-12-12
Creator: Suhwan Song
Private: No

Hi,
I found a global-buffer-overflow in conv_pattern_index() at gencgm.c:533.
Please run the following command to reproduce it:

fig2dev -L cgm $PoC

Here's the log:

An open polygon at line 31 - close it.
=================================================================
==27666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d8bbafa358 at pc 0x55d8bb7759da bp 0x7ffd22f17220 sp 0x7ffd22f17210
READ of size 4 at 0x55d8bbafa358 thread T0
    #0 0x55d8bb7759d9 in conv_pattern_index fig2dev-3.2.7b/fig2dev/dev/gencgm.c:533
    #1 0x55d8bb775a20 in hatchindex fig2dev-3.2.7b/fig2dev/dev/gencgm.c:543
    #2 0x55d8bb776d1d in shape fig2dev-3.2.7b/fig2dev/dev/gencgm.c:638
    #3 0x55d8bb77cbc4 in gencgm_line fig2dev-3.2.7b/fig2dev/dev/gencgm.c:1044
    #4 0x55d8bb75aa3f in gendev_objects fig2dev-3.2.7b/fig2dev/fig2dev.c:1003
    #5 0x55d8bb7592bf in main fig2dev-3.2.7b/fig2dev/fig2dev.c:480
    #6 0x7fe59b3a7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x55d8bb749979 in _start (fig2dev-3.2.7b+0x6e979)

0x55d8bbafa358 is located 0 bytes to the right of global variable 'map_pattern' defined in 'gencgm.c:138:5' (0x55d8bbafa300) of size 88
0x55d8bbafa358 is located 40 bytes to the left of global variable 'oldfillcolor' defined in 'gencgm.c:490:12' (0x55d8bbafa380) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow fig2dev-3.2.7b/fig2dev/dev/gencgm.c:533 in conv_pattern_index
Shadow bytes around the buggy address:
==27666==ABORTING

fig2dev Version 3.2.7b
I also tested this at git commit [3065ab] and can reproduce it.

1 Attachments

Related

Commit: [3065ab]

Discussion

  • Dr. Werner Fink

    Dr. Werner Fink - 2020-01-22

    I see

    fig2dev -L cgm /usr/src/werner/xfig/transfig/POC/POC63
    An open polygon at line 31 - close it.
    BEGMF 'POC63';
    mfversion 1;
    [...]
    
     
  • Dr. Werner Fink

    Dr. Werner Fink - 2020-01-27

    Could be similar to missing default color of issue #77

     
  • Dr. Werner Fink

    Dr. Werner Fink - 2020-01-29

    Also here, some of the previous commits seem to mask out this error, but now another one shows up:

    ==1620==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55774e94a0f6 at pc 0x55774e8674a4 bp 0x7ffe50da7400 sp 0x7ffe50da73f8
    WRITE of size 1 at 0x55774e94a0f6 thread T0
        #0 0x55774e8674a3 in note_fill /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:608
        #1 0x55774e86b2ff in note_fill /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:1026
        #2 0x55774e86b2ff in read_lineobject /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:1067
        #3 0x55774e86e050 in read_compoundobject /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:738
        #4 0x55774e872546 in read_objects /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:496
        #5 0x55774e872546 in readfp_fig /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:173
        #6 0x55774e7a4895 in read_fig /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:145
        #7 0x55774e7a4895 in main /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/fig2dev.c:422
        #8 0x7f26636d6e0a in __libc_start_main (/lib64/libc.so.6+0x26e0a)
        #9 0x55774e7a5f69 in _start (/home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/fig2dev+0x70f69)
    
    0x55774e94a0f6 is located 42 bytes to the left of global variable 'pats_used' defined in 'fig2dev.c:138:6' (0x55774e94a120) of size 1
      'pats_used' is ascii string ''
    0x55774e94a0f6 is located 0 bytes to the right of global variable 'pattern_used' defined in 'fig2dev.c:138:17' (0x55774e94a0e0) of size 22
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/abuild/rpmbuild/BUILD/fig2dev-3.2.7b/fig2dev/read.c:608 in note_fill
    Shadow bytes around the buggy address:
    ==1620==ABORTING
    
     
    • tkl

      tkl - 2020-02-03

      Checking out fig2dev 3.2.7b and applying [2f8d1a], i.e., replacing on line 64 of fig2dev/object.h ">" by ">=", here this error does not show up any more. Therefore I believe commit [2f8d1a] fixes this and the original issue.

       

      Related

      Commit: [2f8d1a]

  • tkl

    tkl - 2020-01-29

    The attached file reproduces the original error. (An off-by-one error! Incidentally, it is pattern no. 63, in ticket #63; the maximum allowed pattern number is 62.) Fixed with commit [2f8d1a].

     ./fig2dev -L cgm 63poc.fig >/dev/null
    =================================================================
    ==4266==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5578aa3a60f8 at pc 0x5578aa21fb88 bp 0x7ffe22911ac0 sp 0x7ffe22911ab0
    READ of size 4 at 0x5578aa3a60f8 thread T0
        #0 0x5578aa21fb87 in conv_pattern_index /j/gg/fig2dev/dev/gencgm.c:536
        #1 0x5578aa21fbce in hatchindex /j/gg/fig2dev/dev/gencgm.c:546
        #2 0x5578aa220e62 in shape /j/gg/fig2dev/dev/gencgm.c:641
        #3 0x5578aa226a11 in gencgm_line /j/gg/fig2dev/dev/gencgm.c:1047
        #4 0x5578aa202d03 in gendev_objects /j/gg/fig2dev/fig2dev.c:1007
        #5 0x5578aa201587 in main /j/gg/fig2dev/fig2dev.c:484
        #6 0x7fb98d93c152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
        #7 0x5578aa1f294d in _start (/j/gg/fig2dev/fig2dev+0x6e94d)
    
    0x5578aa3a60f8 is located 0 bytes to the right of global variable 'map_pattern' defined in 'gencgm.c:141:5' (0x5578aa3a60a0) of size 88
    0x5578aa3a60f8 is located 40 bytes to the left of global variable 'oldfillcolor' defined in 'gencgm.c:493:12' (0x5578aa3a6120) of size 4
    SUMMARY: AddressSanitizer: global-buffer-overflow /j/gg/fig2dev/dev/gencgm.c:536 in conv_pattern_index
    Shadow bytes around the buggy address:
    ==4266==ABORTING
    
     

    Related

    Commit: [2f8d1a]


    Last edit: tkl 2020-01-29
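An added example, not fig2dev's own code: it reconstructs only the ">" versus ">=" range check that tkl describes, assuming (as the ASan report suggests with its 88-byte, 22-entry map_pattern table) that Fig fill styles 41..62 select the 22 hatch patterns; the hatch numbers in the table are constructed sample values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption (not from fig2dev's sources): fill styles 41..62 are the 22
 * hatch patterns, matching the 88-byte (22 x 4-byte int) map_pattern table
 * named in the ASan report. The CGM hatch numbers are constructed. */
#define FIRST_PATTERN 41
#define NUM_PATTERNS  22                       /* valid patterns: 41..62 */

static const int map_pattern[NUM_PATTERNS] = {
     1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11,
    12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 };

/* The range test from the ticket: fill style 63 gives idx == 22, which the
 * original ">" comparison accepts (22 > 22 is false) and the ">=" fix rejects.
 * This predicate only decides; it never touches map_pattern, so the buggy
 * variant can be exercised without an out-of-bounds read. */
static bool pattern_index_accepted(int fill_style, bool fixed)
{
    int idx = fill_style - FIRST_PATTERN;
    if (idx < 0)
        return false;
    return fixed ? !(idx >= NUM_PATTERNS) : !(idx > NUM_PATTERNS);
}

/* Safe lookup (hypothetical stand-in for the converter): maps a Fig fill
 * style to a CGM hatch index, or -1 when the style is not a pattern. It uses
 * the fixed check, so map_pattern[22] is never read. */
static int cgm_hatch_index(int fill_style)
{
    if (!pattern_index_accepted(fill_style, true))
        return -1;
    return map_pattern[fill_style - FIRST_PATTERN];
}

int main(void)
{
    int styles[] = { 41, 62, 63, 64 };
    for (unsigned i = 0; i < sizeof styles / sizeof styles[0]; i++) {
        printf("fill_style %d: original check %s, fixed check %s, hatch %d\n",
               styles[i],
               pattern_index_accepted(styles[i], false) ? "accepts" : "rejects",
               pattern_index_accepted(styles[i], true)  ? "accepts" : "rejects",
               cgm_hatch_index(styles[i]));
    }
    return 0;
}
```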
  • tkl

    tkl - 2020-02-05
    • status: open --> pending
     
  • tkl

    tkl - 2020-12-21
    • status: pending --> closed
    • xfig / fig2dev: fig2dev --> xfig
     
