Bug#906740: fig2dev: global buffer overflow while running with '-L pdf' option

Jaeseung Choi Mon, 20 Aug 2018 06:15:39 -0700

Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,


Running the attached test input with fig2dev with '-L pdf' option raises a
global buffer overflow error. Judging from the stack trace, this bug seems
similar to previous bug #890015, but this test input also crashes the
latest upstream version (3.2.7a) of fig2dev, where #890015 is supposed to
be fixed. The bug fix could have been incomplete, or this may be a distinct
bug.

Below is the gdb log. I used latest upstream version 3.2.7a here, but I
confirmed that current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb -q
./fig2dev-3.2.7a/fig2dev/fig2dev
Reading symbols from ./fig2dev-3.2.7a/fig2dev/fig2dev...done.
(gdb) run -L pdf ./poc-bof
Starting program:
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a/fig2dev/fig2dev -L
pdf ./poc-bof
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
2966    malloc.c: No such file or directory.
(gdb) where
#0  __GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
#1  0x000000000040b156 in save_comment () at read.c:1487
#2  get_line (fp=<optimized out>) at read.c:1465
#3  0x000000000040ac08 in read_objects (fp=0x6a3f20, obj=<optimized out>)
at read.c:320
#4  readfp_fig (fp=0x6a3f20, obj=0x7fffffffe3c0) at read.c:172
#5  0x0000000000408bac in main (argc=<optimized out>, argv=<optimized out>)
at fig2dev.c:424
(gdb) x/i $rip
=> 0x7ffff736c524 <__GI___libc_free+20>:        mov    -0x8(%rdi),%rax
(gdb) info reg rdi
rdi            0x2323232323000a23       2531906049330383395

And running with Address Sanitizer gives the following result.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize$
./fig2dev/fig2dev -L pdf ../poc-bof
=================================================================
==31296==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000015f1ba0 at pc 0x00000051dffb bp 0x7fffffffdde0 sp 0x7fffffffddd8
READ of size 8 at 0x0000015f1ba0 thread T0
    #0 0x51dffa in save_comment
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
    #1 0x5112f3 in get_line
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1465:8
    #2 0x510123 in read_objects
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:320:6
    #3 0x50eda6 in readfp_fig
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:172:12
    #4 0x50ebc2 in read_fig
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:142:13
    #5 0x504baa in main
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev.c:424:12
    #6 0x7ffff6ad12e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x41c629 in _start
(/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev+0x41c629)

0x0000015f1ba0 is located 0 bytes to the right of global variable
'comments' defined in 'read.c:83:14' (0x15f1880) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
in save_comment
Shadow bytes around the buggy address:
  0x0000802b6320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000802b6370: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802b6380: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000802b6390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Thank you.


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information

poc-bof
Description: Binary data

Bug#906740: fig2dev: global buffer overflow while running with '-L pdf' option

Reply via email to