*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found a crash error.

issues: https://sourceforge.net/p/mcj/tickets/114/
commit: https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/

System info:
Ubuntu 20.04: clang 10.0.0, gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1. Get the source code of fig2dev
2. Compile fig2dev

```bash
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" \
    CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make
```

3. Run fig2dev
```bash
$ ./fig2dev -L svg fig2dev_crash
```

asan info:

```
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Creator: fig2dev Version 3.2.8a -->
<!-- CreationDate: 2021-04-17 04:44:25 -->
<!-- Magnification: 1 -->
<svg    xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    width="73pt" height="113pt"
    viewBox="-76 -376 1202 1877">
<g fill="none">
<!-- Line -->
<rect x="-75" y="-375" width="1200" height="1875" fill="#bfbfbf"/>
<!-- Ellipse -->
<!-- 5 -->
<ellipse transform="translate(150,225) rotate(-45)" rx="150" ry="75"
    stroke="#000000" stroke-width="8px"/>
<!-- Ellipse -->
<!-- 6 -->
<ellipse transform="translate(454,190) rotate(-315)" rx="188" ry="38" fill="#000000"
    stroke="#ffffff" stroke-width="8px"/>
<!-- Ellipse -->
<!-- 7 -->
<ellipse transform="translate(674,187) rotate(-315)" rx="188" ry="38" fill="#4c4c4c"
    stroke="#ffffff" stroke-width="8px"/>
<!-- Circle -->
<!-- 8 -->
<defs>
<circle cx="937" cy="150" r="136" id="p0"/>
<pattern id="tile0" patternUnits="userSpaceOnUse"
    x="0" y="0" width="134" height="134">
<g stroke-width="7.5" stroke="#000000" fill="none">
<path d="M-4,63 71,138 M63,-4 138,71 M-4,71 71,-4 M63,138 138,63"/>
</g>
</pattern>
</defs>
<use xlink:href="#p0" fill="#ffffff"/>
<use xlink:href="#p0" fill="url(#tile0)"
    stroke="#000000" stroke-width="8px"/>
<!-- Line -->
<!-- 1 -->
<rect x="0" y="-300" width="300" height="300" rx="120"
    stroke="#000000" stroke-width="8px"/>
<!-- Line -->
<!-- 2 -->
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0)
==3255219==The signal is caused by a READ memory access.
==3255219==Hint: address points to the zero page.
    #0 0x583a3d in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
    #1 0x583a3d in gensvg_line /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
    #2 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #3 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #4 0x7f5e0e4f50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 in svg_arrows
==3255219==ABORTING
```
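As an added example (not code from the bug report or from fig2dev), a small Python triage helper that reads an ASan report of the shape shown above and reduces it to what a maintainer checks first: the bug kind, whether the faulting address lies in the zero page (a NULL dereference), the access type, and the first stack frame inside the project tree. The embedded report is a constructed excerpt copied from the output above, and the project root path is taken from its stack frames.

```python
import re

# Constructed excerpt: the AddressSanitizer report from the bug above, without the
# SVG that fig2dev had already written to stdout (that is output, not report).
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0)
==3255219==The signal is caused by a READ memory access.
==3255219==Hint: address points to the zero page.
    #0 0x583a3d in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
    #1 0x583a3d in gensvg_line /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
    #2 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #3 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #4 0x7f5e0e4f50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)
SUMMARY: AddressSanitizer: SEGV /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 in svg_arrows
==3255219==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b (?:of size \d+|memory access)")  # SEGV and overflow wording
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)", re.MULTILINE)
ZERO_PAGE = 0x1000  # faults below this are (near-)NULL dereferences, as ASan's "zero page" hint says


def triage(report, project_root):
    """Reduce an ASan report to the fields a maintainer needs first: bug kind, access
    type, whether it is a NULL dereference, and the first frame inside project_root
    (runtime frames such as __libc_start_main are skipped)."""
    m = ERROR_RE.search(report)
    if m is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    kind, addr = m.group(1), int(m.group(2), 16)
    access = ACCESS_RE.search(report)
    access = access.group(1) if access else "unknown"
    frames = [(int(n), fn, loc) for n, fn, loc in FRAME_RE.findall(report)]
    if not frames:
        raise ValueError("no stack frames found")
    culprit = next((f for f in frames if f[2].startswith(project_root)), frames[0])
    null_deref = kind == "SEGV" and addr < ZERO_PAGE
    # A READ through a NULL pointer kills the process but corrupts nothing: treat as
    # denial of service; anything else needs a human to look at the frame (heuristic).
    impact = "crash only (DoS)" if null_deref and access == "READ" else "needs manual review"
    return {"kind": kind, "address": addr, "access": access, "null_deref": null_deref,
            "frame": culprit[0], "function": culprit[1], "location": culprit[2],
            "impact": impact}
```

Run against the report above it points at gensvg.c:1141 in svg_arrows and classifies the fault as a NULL read, which is the crash-only outcome a file converter fed untrusted input should be patched against.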

** Affects: xfig (Ubuntu)
     Importance: Undecided
     Assignee: xiao huang (shanzhuli)
         Status: New


** Tags: security

** Information type changed from Private Security to Public Security

** Summary changed:

-  fig2dev
+ Null pointer of fig2dev of gensvg.c in function svg_arrows

** Description changed:


** Package changed: libcaca (Ubuntu) => xfig (Ubuntu)

** Changed in: xfig (Ubuntu)
     Assignee: (unassigned) => xiao huang (shanzhuli)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1926673

Title:
  Null pointer of fig2dev of gensvg.c in function svg_arrows

Status in xfig package in Ubuntu:
  New
