
#76 stack-buffer-overflow in genpstrx_text at genpstricks.c:2732

fig2dev
Status: closed
Owner: nobody
Labels: None
Updated: 2020-12-21
Created: 2019-12-28
Creator: Suhwan Song
Private: No

Hi,
I found a stack-buffer-overflow in genpstrx_text at genpstricks.c:2732.
Please run the following command to reproduce it:

fig2dev -L pstricks $PoC

ASAN LOG

==48149==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffcd1c7b00 at pc 0x00000044823a bp 0x7fffcd1b7880 sp 0x7fffcd1b7030
WRITE of size 35 at 0x7fffcd1c7b00 thread T0
    #0 0x448239 in vsprintf (/home/tmp/fig2dev+0x448239)
    #1 0x448566 in __interceptor_sprintf (/home/tmp/fig2dev+0x448566)
    #2 0x81943b in genpstrx_text /home/tmp/mcj-fig2dev/fig2dev/dev/genpstricks.c:2732:5
    #3 0x54b8bb in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1003:6
    #4 0x54b8bb in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:480
    #5 0x7fb45a113b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b3a9 in _start (/home/tmp/fig2dev+0x41b3a9)

Address 0x7fffcd1c7b00 is located in stack of thread T0 at offset 65856 in frame
    #0 0x817a5f in genpstrx_text /home/tmp/mcj-fig2dev/fig2dev/dev/genpstricks.c:2714

  This frame has 2 object(s):
    [32, 65568) 'formatted_text' (line 2716)
    [65824, 65856) 'angle' (line 2717) <== Memory access at offset 65856 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/tmp/fig2dev+0x448239) in vsprintf
Shadow bytes around the buggy address:
  0x100079a30f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100079a30f40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100079a30f50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
=>0x100079a30f60:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f70: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 f3 f3
  0x100079a30f80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==48149==ABORTING

fig2dev Version 3.2.7b

1 Attachments

Discussion

  • Dr. Werner Fink

    Dr. Werner Fink - 2020-01-28

    The attached patch adds some sanity checks about correct radians used for angles ... this avoids the overflow in sprintf on the angle character array in genpstrx_text() of fig2dev/dev/genpstricks.c

    Last edit: Dr. Werner Fink 2020-01-28
  • tkl

    tkl - 2020-01-28

    Thank you. The sanity check, however, is too strict. Xfig writes text angles in the range between 0 and 2 pi, hence the patch would reject valid files produced by xfig. I will modify the patch and allow a range between -2 pi and 2 pi, generously extending to, say, -7 to 7.
    • Dr. Werner Fink

      Dr. Werner Fink - 2020-01-28

      I'm fine with that, as you're the expert here; I've only debugged it a bit :)
  • tkl

    tkl - 2020-01-29
    • status: open --> pending
  • tkl

    tkl - 2020-01-29

    Commit [acccc8] fixes this issue. Angles beyond -7 to 7 are now rejected, and fig2dev exits. I pondered a bit about, for instance, replacing larger angles by zero and further processing the input. But then, angles with more than one revolution are probably only created by input fuzzers, and those are happy with an exit.

    Related

    Commit: [acccc8]
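
The sprintf-into-a-fixed-buffer pattern behind this report, and the range check the fix adopts, as an added example that is not part of the fig2dev code or of any comment above. It assumes a 32-byte buffer (the size ASan reports for 'angle' in the frame listing) and a "%f" format; the actual format string used in genpstricks.c is not shown in the ticket, so it is an assumption here. angle_text_length counts, without writing anything, how many bytes an unbounded sprintf would emit for a given angle, which is why a huge double read from a fuzzed .fig file does not fit. format_angle_safe shows the defensive form: reject angles outside -7..7 (the range commit [acccc8] enforces according to the discussion) and write with a bounded snprintf, so even a value that slips past the check cannot overrun the buffer. The sample angles in main are constructed.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <math.h>

/* Size of the 'angle' character array as reported by ASan in this ticket:
 * the frame lists it as [65824, 65856), i.e. 32 bytes. */
#define ANGLE_BUF_SIZE 32

/* Angle range accepted after the fix described in the discussion:
 * text angles beyond -7 .. 7 radians are rejected and fig2dev exits. */
#define MAX_ABS_ANGLE 7.0

/* Bytes (including the terminating NUL) that a "%f" rendering of this angle
 * needs. snprintf with a NULL buffer and size 0 only counts; it never writes.
 * "%f" emits every integer digit of the value, so a double such as 1e300
 * needs over 300 bytes, far more than the 32-byte array. The "%f" format
 * is an assumption; the ticket does not show the real format string. */
size_t angle_text_length(double angle)
{
    int n = snprintf(NULL, 0, "%f", angle);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened formatting: range-check first (mirroring the project's fix),
 * then write with a bounded snprintf and verify nothing was truncated.
 * Returns true on success; on failure buf is left as an empty string. */
bool format_angle_safe(double angle, char *buf, size_t bufsize)
{
    if (bufsize == 0)
        return false;
    /* angle != angle is true only for NaN; the comparisons also reject
     * +/-inf, so no libm call is needed. */
    if (angle != angle || angle < -MAX_ABS_ANGLE || angle > MAX_ABS_ANGLE) {
        buf[0] = '\0';
        return false;           /* more than one revolution, NaN or inf */
    }
    int n = snprintf(buf, bufsize, "%f", angle);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return false;           /* output would not have fit */
    }
    return true;
}

/* Formats into a buffer sized like the original 'angle' array (or smaller,
 * to show the truncation guard) and reports whether it was accepted. */
bool angle_accepted(double angle, size_t bufsize)
{
    char buf[ANGLE_BUF_SIZE];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    return format_angle_safe(angle, buf, bufsize);
}

/* True when the angle is accepted and renders exactly as 'expected'. */
bool angle_renders_as(double angle, const char *expected)
{
    char buf[ANGLE_BUF_SIZE];
    return format_angle_safe(angle, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    char angle[ANGLE_BUF_SIZE];
    /* Constructed sample angles: two valid, one over the limit, two huge. */
    const double inputs[] = { 1.5708, -6.2831, 7.5, 1e30, 1e300 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        double a = inputs[i];
        bool ok = format_angle_safe(a, angle, sizeof angle);
        printf("angle=%g needs %zu bytes, accepted=%s, text=\"%s\"\n",
               a, angle_text_length(a), ok ? "yes" : "no", angle);
    }
    return 0;
}
```

The counting step is the useful diagnostic when triaging a report like this one: a value that needs more than ANGLE_BUF_SIZE bytes under the format in use is exactly the input that turns an unbounded sprintf into the stack write ASan flagged.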

  • tkl

    tkl - 2020-12-21
    • status: pending --> closed
