
#71 global-buffer-overflow in genmp_writefontmacro_latex at genmp.c:1274

fig2dev
Status: closed
Owner: nobody
Labels: None
Updated: 2020-12-21
Created: 2019-12-28
Creator: Suhwan Song
Private: No

Hi,
I found a global-buffer-overflow in genmp_writefontmacro_latex at genmp.c:1274.
Please run the following command to reproduce it:

fig2dev -L mp $PoC

Here's the log:

==17197==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000c7ffd8 at pc 0x00000070bc35 bp 0x7ffcf7797cd0 sp 0x7ffcf7797cc8
READ of size 8 at 0x000000c7ffd8 thread T0
    #0 0x70bc34 in genmp_writefontmacro_latex /home/tmp/mcj-fig2dev/fig2dev/dev/genmp.c:1274:3
    #1 0x70bc34 in genmp_text /home/tmp/mcj-fig2dev/fig2dev/dev/genmp.c:1074
    #2 0x54b8bb in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fab84f5db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41b3a9 in _start (/home/tmp/fig2dev+0x41b3a9)

0x000000c7ffd8 is located 8 bytes to the left of global variable 'texfontfamily' defined in 'texfonts.c:27:13' (0xc7ffe0) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow /home/tmp/mcj-fig2dev/fig2dev/dev/genmp.c:1274:3 in genmp_writefontmacro_latex
==17197==ABORTING

fig2dev Version 3.2.7b
I also tested this in git commit [3065ab] and can reproduce it.
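Reading the sanitizer output: an 8-byte READ that lands 8 bytes below a 48-byte global is the pattern of an out-of-range index into a table of pointers (element -1 of a six-entry table). The following C is an added example, not fig2dev's code: it parses the two diagnostic lines quoted above into that index and shows a bounds-checked table lookup that falls back instead of reading the neighbouring global. The table contents are made up, and the reading of the fault as a table index is the example's assumption, not something the ticket states.

```c
/* Added example, not fig2dev code: decode the ASan global-buffer-overflow
 * report above into an element index, then show the bounds check that turns
 * such an out-of-range table lookup into a safe fallback. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The two diagnostic lines copied from the report above. */
static const char *const kReadLine =
    "READ of size 8 at 0x000000c7ffd8 thread T0";
static const char *const kLocLine =
    "0x000000c7ffd8 is located 8 bytes to the left of global variable "
    "'texfontfamily' defined in 'texfonts.c:27:13' (0xc7ffe0) of size 48";

/* Treat the faulting access as table[i] with one element per access width.
 * Returns i (negative = before the table) and stores the element count in
 * *nelem; returns LONG_MIN if the lines do not parse or disagree. */
long asan_global_index(const char *read_line, const char *loc_line, long *nelem)
{
    unsigned long size, addr, addr2, dist, base, total;
    char side[16], name[64];
    if (sscanf(read_line, "%*s of size %lu at 0x%lx", &size, &addr) != 2)
        return LONG_MIN;
    if (sscanf(loc_line,
               "0x%lx is located %lu bytes to the %15s of global variable "
               "'%63[^']' defined in '%*[^']' (0x%lx) of size %lu",
               &addr2, &dist, side, name, &base, &total) != 6)
        return LONG_MIN;
    if (addr != addr2 || size == 0 || total % size != 0)
        return LONG_MIN;
    /* "left" = below the table start, "right" = past its end. */
    long off = strcmp(side, "left") == 0 ? -(long)dist : (long)(total + dist);
    if ((unsigned long)((long)base + off) != addr)  /* cross-check address */
        return LONG_MIN;
    if (nelem)
        *nelem = (long)(total / size);
    return off / (long)size;
}

/* Constructed six-pointer table (the shape 8-byte reads into a 48-byte global imply); names made up. */
static const char *const kFamily[6] = { "rm", "sf", "tt", "bf", "it", "sl" };
/* Hardened lookup: any index outside [0, 6) falls back to entry 0
 * instead of reading whatever global sits next to the table. */
const char *family_checked(long idx)
{
    if (idx < 0 || idx >= 6)
        return kFamily[0];
    return kFamily[idx];
}
```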

1 Attachment

Related

Commit: [3065ab]

Discussion

  • tkl - 2020-01-26
    status: open --> pending

  • tkl - 2020-01-26
    Fixed with commit [d70e4b].

    Related
    Commit: [d70e4b]

  • tkl - 2020-12-21
    status: pending --> closed
