
#67 Out-of-bounds write in the read_colordef() function

xfig / fig2dev: xfig
Status: closed
Owner: nobody
Labels: None
Updated: 2021-04-17
Created: 2019-12-13
Private: No

Hi,

While fuzzing fig2dev 3.2.7b with Honggfuzz, I found an out-of-bounds write in the read_colordef() function, in read.c.

Attaching a reproducer; the issue can be reproduced by running:

fig2dev -L box test03

==1224== Memcheck, a memory error detector
==1224== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1224== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1224== Command: ./fig2dev -Lbox test03
==1224== 
Invalid color definition:    0 1200 600 1200 600 600 :\Ŕâ‡ÔȋžL^ä—öT#0 600 0 120, setting to black (#00000).
==1224== Invalid write of size 4
==1224==    at 0x123A6C: read_colordef (read.c:488)
==1224==    by 0x123A6C: read_objects (read.c:359)
==1224==    by 0x123A6C: readfp_fig (read.c:172)
==1224==    by 0x118F37: main (fig2dev.c:422)
==1224==  Address 0x607cd5a0 is not stack'd, malloc'd or (recently) free'd
==1224== 
==1224== 
==1224== Process terminating with default action of signal 11 (SIGSEGV)
==1224==  Access not within mapped region at address 0x607CD5A0
==1224==    at 0x123A6C: read_colordef (read.c:488)
==1224==    by 0x123A6C: read_objects (read.c:359)
==1224==    by 0x123A6C: readfp_fig (read.c:172)
==1224==    by 0x118F37: main (fig2dev.c:422)
==1224==  If you believe this happened as a result of a stack
==1224==  overflow in your program's main thread (unlikely but
==1224==  possible), you can try to increase the size of the
==1224==  main thread stack using the --main-stacksize= flag.
==1224==  The main thread stack size used in this run was 8388608.
==1224== 
==1224== HEAP SUMMARY:
==1224==     in use at exit: 488 bytes in 1 blocks
==1224==   total heap usage: 19 allocs, 18 frees, 8,632 bytes allocated
==1224== 
==1224== LEAK SUMMARY:
==1224==    definitely lost: 0 bytes in 0 blocks
==1224==    indirectly lost: 0 bytes in 0 blocks
==1224==      possibly lost: 0 bytes in 0 blocks
==1224==    still reachable: 488 bytes in 1 blocks
==1224==         suppressed: 0 bytes in 0 blocks
==1224== Rerun with --leak-check=full to see details of leaked memory
==1224== 
==1224== For lists of detected and suppressed errors, rerun with: -s
==1224== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
1 Attachments
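The trace above shows a 4-byte write to an unmapped address immediately after a colour definition fails to parse, the pattern of an unchecked colour number used as an array subscript (the rejected line starts with colour number 1200, outside the 32..543 user range if the Fig 3.2 layout is as assumed here). The following is an added illustration of the defensive shape of such a reader, written for this page; it is not fig2dev's read_colordef() nor the [41b9bb] fix, and the table, function name and status codes are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fig 3.2 colour pseudo-object layout assumed here: "0 <num> #rrggbb",
 * with user colour numbers 32..543, i.e. 512 slots after the 32 standard ones. */
#define NUM_STD_COLS 32
#define MAX_USR_COLS 512

enum colordef_status { CD_OK = 0, CD_BAD_LINE = -1, CD_BAD_INDEX = -2 };
/* Constructed user colour table; slot = colour number - NUM_STD_COLS. */
unsigned int user_colors[MAX_USR_COLS];

/* Hypothetical hardened reader (not fig2dev's read_colordef()). The colour
 * number is range-checked BEFORE it is used as a subscript, so a hostile file
 * cannot turn it into an out-of-bounds write. A garbage value part falls back
 * to black, like the "setting to black" message above, via the same checked slot. */
int read_colordef_checked(const char *line, unsigned int *table, size_t ncolors)
{
    int num = 0;
    char hex[8] = {0};
    int fields = sscanf(line, "0 %d %7s", &num, hex);
    if (fields < 1)
        return CD_BAD_LINE;                  /* no usable index: store nothing */
    /* Rejects negative numbers, standard-colour numbers and past-the-end numbers. */
    if (num < NUM_STD_COLS || (size_t)(num - NUM_STD_COLS) >= ncolors)
        return CD_BAD_INDEX;

    size_t slot = (size_t)(num - NUM_STD_COLS);
    int valid = (fields == 2 && strlen(hex) == 7 && hex[0] == '#');
    for (int i = 1; valid && i < 7; i++)
        valid = isxdigit((unsigned char)hex[i]) != 0;
    if (!valid) {
        table[slot] = 0x000000;              /* black */
        return CD_BAD_LINE;
    }
    table[slot] = (unsigned int)strtoul(hex + 1, NULL, 16);
    return CD_OK;
}

int main(void)
{
    /* Constructed sample lines: good, garbage value, index past the table, negative index. */
    const char *lines[] = { "0 32 #ff8000", "0 33 :garbage", "0 1200 #000000", "0 -5 #000000" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-16s -> %d\n", lines[i], read_colordef_checked(lines[i], user_colors, MAX_USR_COLS));
    return 0;
}
```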

Discussion

  • Frederic Cambus - 2019-12-15

    This issue has been assigned CVE-2019-19797.

  • tkl - 2020-01-06
    • status: open --> pending
    • xfig / fig2dev: xfig --> fig2dev

  • tkl - 2020-01-06

    Fixed with commit [41b9bb].

    Related

    Commit: [41b9bb]

  • tkl - 2020-12-21
    • status: pending --> closed
    • xfig / fig2dev: fig2dev --> xfig
