stack-buffer-overflow in genpstrx_text at genpstricks.c:2732
Hi,
I found a stack-buffer-overflow in genpstrx_text at genpstricks.c:2732
Please run the following command to reproduce it:
fig2dev -L pstricks $PoC
ASAN LOG
==48149==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffcd1c7b00 at pc 0x00000044823a bp 0x7fffcd1b7880 sp 0x7fffcd1b7030
WRITE of size 35 at 0x7fffcd1c7b00 thread T0
    #0 0x448239 in vsprintf (/home/tmp/fig2dev+0x448239)
    #1 0x448566 in __interceptor_sprintf (/home/tmp/fig2dev+0x448566)
    #2 0x81943b in genpstrx_text /home/tmp/mcj-fig2dev/fig2dev/dev/genpstricks.c:2732:5
    #3 0x54b8bb in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1003:6
    #4 0x54b8bb in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:480
    #5 0x7fb45a113b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b3a9 in _start (/home/tmp/fig2dev+0x41b3a9)

Address 0x7fffcd1c7b00 is located in stack of thread T0 at offset 65856 in frame
    #0 0x817a5f in genpstrx_text /home/tmp/mcj-fig2dev/fig2dev/dev/genpstricks.c:2714

  This frame has 2 object(s):
    [32, 65568) 'formatted_text' (line 2716)
    [65824, 65856) 'angle' (line 2717) <== Memory access at offset 65856 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/tmp/fig2dev+0x448239) in vsprintf
Shadow bytes around the buggy address:
  0x100079a30f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100079a30f40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100079a30f50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
=>0x100079a30f60:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f70: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 f3 f3
  0x100079a30f80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==48149==ABORTING
fig2dev Version 3.2.7b
The attached patch adds some sanity checks about correct radians used for angles ... this avoids the overflow in sprintf on the angle character array in genpstrx_text() of fig2dev/dev/genpstricks.c
Last edit: Dr. Werner Fink 2020-01-28
Thank you. The sanity check, however, is too strict. Xfig writes text angles in the range between 0 and 2 pi, hence the patch would reject valid files produced by xfig. I will modify the patch and allow a range between -2 pi and 2 pi, generously extending to, say, -7 to 7.
I'm fine with that, as you're the expert here; I've only debugged it a bit :)
Commit [acccc8] fixes this issue. Angles beyond -7 to 7 are now rejected, and fig2dev exits. I pondered a bit about, for instance, replacing larger angles by zero and further process the input. But then angles with more than one revolution are probably only created by input fuzzers, and those are happy with an exit.
Related
Commit: [acccc8]
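As an added example (not fig2dev's code and not the patch in [acccc8]): the fixed-size 'angle' stack array plus unbounded sprintf that the ASan frame describes, beside a checked version that rejects anything outside the -7..7 radian bound the maintainer settled on and writes with snprintf. The 32-byte buffer size and the 7.0 limit come from the thread; the "%f" format string, the helper names (angle_text_len, format_angle_checked, parse_text_angle, text_line_to_angle, angle_text_or_null) and the two .fig text lines are assumptions constructed for this example. The field order of a fig 3.2 text object (object code 4, then sub_type color depth pen_style font font_size angle ...) is the standard format, from which the angle is the seventh field.

```c
/* Added example, not fig2dev's code: the overflow shape from the ASan report
 * and a range-checked replacement, exercised on constructed .fig text lines. */
#include <math.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ANGLE_BUF   32    /* size of the 'angle' array in the ASan frame description */
#define ANGLE_LIMIT 7.0   /* bound chosen in commit [acccc8]: angles beyond -7..7 are rejected */

/* Bytes that "%f" formatting of a needs (NUL excluded). For a fuzzer value such as
 * 1e300 this is 308, far beyond the 32-byte array: that is the overflow. */
int angle_text_len(double a) {
    return snprintf(NULL, 0, "%f", a);
}

/* Vulnerable shape (assumed "%f"; the exact format string in genpstricks.c is not
 * on the page): unbounded sprintf into a 32-byte stack array. Never called below
 * because it really does write past 'out' for large |a|. */
void format_angle_unchecked(char out[ANGLE_BUF], double a) {
    sprintf(out, "%f", a);
}

/* Hardened: reject non-finite or out-of-range angles first, then write with a
 * bound and treat truncation as a failure too. */
bool format_angle_checked(char out[ANGLE_BUF], double a) {
    if (!isfinite(a) || a < -ANGLE_LIMIT || a > ANGLE_LIMIT)
        return false;
    int n = snprintf(out, ANGLE_BUF, "%f", a);
    return n >= 0 && n < ANGLE_BUF;
}

/* Pull the angle out of a fig 3.2 text line:
 *   4 sub_type color depth pen_style font font_size angle font_flags height length x y string\001
 * The angle is the seventh field after the object code. */
bool parse_text_angle(const char *line, double *angle) {
    return sscanf(line, "4 %*d %*d %*d %*d %*d %*f %lf", angle) == 1;
}

/* Parse, validate and format in one step; NULL for anything the checked path rejects.
 * Static storage keeps the result addressable for the caller. */
const char *text_line_to_angle(const char *line) {
    static char buf[ANGLE_BUF];
    double a;
    if (!parse_text_angle(line, &a))
        return NULL;
    return format_angle_checked(buf, a) ? buf : NULL;
}

/* Same for a bare double value. */
const char *angle_text_or_null(double a) {
    static char buf[ANGLE_BUF];
    return format_angle_checked(buf, a) ? buf : NULL;
}

/* Constructed inputs: one xfig-like line (pi/2 radians) and one fuzzer-like line (1e300). */
static const char *ok_line   = "4 0 0 50 -1 0 12 1.5708 4 150 300 1200 2400 hello\\001";
static const char *huge_line = "4 0 0 50 -1 0 12 1e300 4 150 300 1200 2400 x\\001";

int main(void) {
    const char *s;
    printf("1e300 needs %d bytes, buffer holds %d\n", angle_text_len(1e300), ANGLE_BUF);
    s = text_line_to_angle(ok_line);
    printf("ok_line   -> %s\n", s ? s : "rejected");
    s = text_line_to_angle(huge_line);
    printf("huge_line -> %s\n", s ? s : "rejected");
    return 0;
}
```

Building format_angle_unchecked with -fsanitize=address and feeding it a large angle reproduces the same class of report as the one above (stack-buffer-overflow in vsprintf via the sprintf interceptor); the checked path returns NULL instead, which mirrors the fix's decision to reject the file rather than clamp the angle.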