Out-of-bounds write in the read_colordef() function
Hi,
While fuzzing fig2dev 3.2.7b with Honggfuzz, I found an out-of-bounds write in the read_colordef() function, in read.c.
Attaching a reproducer; the issue can be reproduced by running:
fig2dev -L box test03
==1224== Memcheck, a memory error detector
==1224== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1224== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1224== Command: ./fig2dev -Lbox test03
==1224==
Invalid color definition: 0 1200 600 1200 600 600 :\ÅâÔÈL^äöT#0 600 0 120, setting to black (#00000).
==1224== Invalid write of size 4
==1224== at 0x123A6C: read_colordef (read.c:488)
==1224== by 0x123A6C: read_objects (read.c:359)
==1224== by 0x123A6C: readfp_fig (read.c:172)
==1224== by 0x118F37: main (fig2dev.c:422)
==1224== Address 0x607cd5a0 is not stack'd, malloc'd or (recently) free'd
==1224==
==1224==
==1224== Process terminating with default action of signal 11 (SIGSEGV)
==1224== Access not within mapped region at address 0x607CD5A0
==1224== at 0x123A6C: read_colordef (read.c:488)
==1224== by 0x123A6C: read_objects (read.c:359)
==1224== by 0x123A6C: readfp_fig (read.c:172)
==1224== by 0x118F37: main (fig2dev.c:422)
==1224== If you believe this happened as a result of a stack
==1224== overflow in your program's main thread (unlikely but
==1224== possible), you can try to increase the size of the
==1224== main thread stack using the --main-stacksize= flag.
==1224== The main thread stack size used in this run was 8388608.
==1224==
==1224== HEAP SUMMARY:
==1224== in use at exit: 488 bytes in 1 blocks
==1224== total heap usage: 19 allocs, 18 frees, 8,632 bytes allocated
==1224==
==1224== LEAK SUMMARY:
==1224== definitely lost: 0 bytes in 0 blocks
==1224== indirectly lost: 0 bytes in 0 blocks
==1224== possibly lost: 0 bytes in 0 blocks
==1224== still reachable: 488 bytes in 1 blocks
==1224== suppressed: 0 bytes in 0 blocks
==1224== Rerun with --leak-check=full to see details of leaked memory
==1224==
==1224== For lists of detected and suppressed errors, rerun with: -s
==1224== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
This issue has been assigned CVE-2019-19797.
Fixed with commit [41b9bb].
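Added example, not fig2dev's own read.c: a bounds-checked parse of a Fig color pseudo-object line ("0 <num> #rrggbb"), assuming the Fig 3.2 layout in which standard colors are 0..31 and user colors are numbered 32..543. The point is that the range check on the color number has to happen before the array index is computed and written, so a malformed line like the fuzzed one above is rejected instead of reaching the write.

```c
#include <stdio.h>
#include <string.h>

/* Fig 3.2 (assumed layout): standard colors are 0..31, user-defined
 * colors are numbered 32..543, i.e. 512 user slots. */
#define NUM_STD_COLS 32
#define MAX_USR_COLS 512

struct rgb { unsigned char r, g, b; };
static struct rgb user_colors[MAX_USR_COLS];

/* Parse one color definition line "0 <num> #rrggbb".
 * Returns 0 on success (slot index in *index_out), -1 if rejected.
 * The write into user_colors[] is only reached after the number has
 * been validated, so a garbage or out-of-range <num> cannot index
 * outside the array. */
int parse_colordef(const char *line, int *index_out)
{
    int obj, c;
    unsigned int r, g, b;

    /* Require all five fields and the object type 0 (color pseudo-object). */
    if (sscanf(line, "%d %d #%2x%2x%2x", &obj, &c, &r, &g, &b) != 5 || obj != 0)
        return -1;
    /* Range check BEFORE subtracting the standard-color offset and indexing. */
    if (c < NUM_STD_COLS || c >= NUM_STD_COLS + MAX_USR_COLS)
        return -1;
    c -= NUM_STD_COLS;
    user_colors[c].r = (unsigned char)r;
    user_colors[c].g = (unsigned char)g;
    user_colors[c].b = (unsigned char)b;
    if (index_out)
        *index_out = c;
    return 0;
}

int main(void)
{
    /* Constructed sample lines: two valid, one out of range, one malformed
     * in the style of the fuzzed line from the report. */
    const char *lines[] = { "0 32 #ff0000", "0 543 #0000ff",
                            "0 544 #000000", "0 1200 600 1200 600 600 :junk" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int idx = -1;
        int rc = parse_colordef(lines[i], &idx);
        printf("%-32s -> %s (slot %d)\n", lines[i], rc ? "rejected" : "ok", idx);
    }
    return 0;
}
```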