heap-buffer-overflow of fig2dev of gensvg.c in function gensvg_text
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fig2dev (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Hi
I found an overflow error.
issues: https:/
commit: https:/
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a
Verification steps:
1. Get the source code of fig2dev
2. Compile fig2dev
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-
$ make
3. Run fig2dev
$ ./fig2dev -L svg overflow_
asan info:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Creator: fig2dev Version 3.2.8a -->
<!-- CreationDate: 2021-04-17 04:37:54 -->
<!-- Magnification: 1 -->
<svg xmlns="http://
xmlns:xlink="http://
width="900pt" height="3600pt"
viewBox="163 0 25 100">
<g fill="none">
<!-- Text -->
=======
==3221214==ERROR: AddressSanitizer: heap-buffer-
READ of size 1 at 0x602000000072 thread T0
#0 0x5888ee in gensvg_text /home/hh/
#1 0x4d0847 in gendev_objects /home/hh/
#2 0x4d0847 in main /home/hh/
#3 0x7f03fc8940b2 in __libc_start_main /build/
#4 0x41c71d in _start (/home/
0x602000000072 is located 0 bytes to the right of 2-byte region [0x602000000070
allocated by thread T0 here:
#0 0x494fd2 in calloc (/home/
#1 0x4d5951 in read_textobject /home/hh/
#2 0x4d2b8b in read_1_3_objects /home/hh/
#3 0x4d666f in readfp_fig /home/hh/
#4 0x4d6312 in read_fig /home/hh/
#5 0x4d04cb in main /home/hh/
#6 0x7f03fc8940b2 in __libc_start_main /build/
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa[02]fa
0x0c047fff8010: fa fa 00 07 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3221214==ABORTING
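The ASan report above has a very specific shape: a READ of size 1 inside the SVG text writer, landing 0 bytes to the right of a 2-byte region that the .fig reader obtained from calloc. The following is an added, self-contained illustration of that report class, not fig2dev's gensvg_text or read_textobject code and not a claim about the actual root cause in fig2dev. It assumes a toy text object (struct text_obj, alloc_text_short, alloc_text_ok, svg_escape_checked, svg_escaped_len_unchecked are all constructed names) and shows one common way a reader/writer pair ends up exactly one byte short, together with the two defences: allocate room for the terminator, and bound the writer's walk by the length that was really allocated. Built with -fsanitize=address, the unchecked path reproduces a report with the same "0 bytes to the right of 2-byte region" wording; without ASan it is skipped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Detect an ASan build so the out-of-bounds path is only exercised when
 * the sanitizer will catch it. */
#if defined(__has_feature)
# if __has_feature(address_sanitizer)
#  define UNDER_ASAN 1
# endif
#elif defined(__SANITIZE_ADDRESS__)
# define UNDER_ASAN 1
#endif
#ifndef UNDER_ASAN
# define UNDER_ASAN 0
#endif

/* Toy text object handed from the .fig reader to the SVG writer.
 * Constructed for this illustration; not fig2dev's own structure. */
struct text_obj {
    char  *buf;
    size_t len;   /* bytes actually allocated in buf */
};

/* Allocation that yields the report class above: calloc(strlen(s)) leaves
 * no room for the terminating NUL. For "ab" this is a 2-byte region, and a
 * consumer that walks to '\0' reads 1 byte located 0 bytes to its right. */
static struct text_obj alloc_text_short(const char *s)
{
    struct text_obj t;
    t.len = strlen(s);
    t.buf = calloc(t.len, 1);
    if (t.buf) memcpy(t.buf, s, t.len);
    return t;
}

/* Reader-side fix: one extra byte, zero-filled by calloc, so the buffer is
 * always NUL-terminated however it is consumed later. */
static struct text_obj alloc_text_ok(const char *s)
{
    struct text_obj t;
    t.len = strlen(s) + 1;
    t.buf = calloc(t.len, 1);
    if (t.buf) memcpy(t.buf, s, t.len - 1);
    return t;
}

/* Writer side, unchecked: trusts that a NUL terminator exists. Correct with
 * alloc_text_ok, heap-buffer-overflow READ of size 1 with alloc_text_short. */
static size_t svg_escaped_len_unchecked(const char *p)
{
    size_t n = 0;
    for (; *p; ++p)
        n += (*p == '<' || *p == '>') ? 4 : (*p == '&') ? 5 : 1;
    return n;
}

/* Writer side, checked: never reads past 'len' (what the reader really
 * allocated), stops early at a NUL inside that bound, and never writes past
 * 'outsz' in the destination. Returns the number of bytes written. */
static size_t svg_escape_checked(const char *p, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len && p[i]; ++i) {
        const char *rep = NULL;
        switch (p[i]) {
        case '<': rep = "&lt;";  break;
        case '>': rep = "&gt;";  break;
        case '&': rep = "&amp;"; break;
        default:  break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outsz) break;            /* keep room for the NUL */
        if (rep) memcpy(out + o, rep, need); else out[o] = p[i];
        o += need;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char out[64];
    struct text_obj ok = alloc_text_ok("a<b&c");
    svg_escape_checked(ok.buf, ok.len, out, sizeof out);
    printf("checked writer: %s\n", out);
    free(ok.buf);

    if (UNDER_ASAN) {
        /* Reproduces the report class: 2-byte region, READ of size 1 at +2. */
        struct text_obj bad = alloc_text_short("ab");
        printf("unchecked length: %zu\n", svg_escaped_len_unchecked(bad.buf));
        free(bad.buf);
    }
    return 0;
}
```

Note that the checked writer is safe even when paired with the short allocation, because it is bounded by the length the reader actually allocated rather than by a terminator it assumes is present; the allocation fix and the bounded walk are independent, and a hardened code base wants both.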
affects: xfig (Ubuntu) → fig2dev (Ubuntu)
Fixed in version 3.2.8-3 (which was yesterday uploaded to Debian unstable)