Memory corruption in fig2dev 3.2.7a
August 25, 2018
CWE
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Product Details
Xfig is a free and open-source vector graphics editor which runs under the X Window System on most UNIX-compatible platforms. fig2dev is a library used by the Xfig package to translate fig code into other graphical languages (tikz, shape, jpeg, png, etc.).
URL: https://sourceforge.net/projects/mcj/
Vulnerable Versions
fig2dev 3.2.7a (Xfig package)
Vulnerability Details
A memory corruption vulnerability was discovered in fig2dev version 3.2.7a.
SYNOPSIS
```c
static F_spline *
read_splineobject(FILE *fp)
{
    /* ... */
    Spline_malloc(s);          /* [1] */
    s->points = NULL;
    s->controls = NULL;        /* [2] */
    s->pen = 0;
    s->fill_style = 0;
    s->for_arrow = NULL;
    s->back_arrow = NULL;
    /* s->comments is never initialized here; see Fix below */
    s->next = NULL;
    /* ... */
}
```
```c
/* free_comments(), free.c */
for (d = c; d != NULL; d = n) {
    n = d->next;               /* [3] */
    free(d);
}
```
When the fig2dev binary is supplied with a .fig file, it attempts to read the file by calling read_fig(), which in turn calls read_objects() to iterate over the objects in the file. The function read_splineobject() in read.c, whose purpose is to read spline objects, works on a structure `s` that is allocated with Spline_malloc() at the start of the routine [1]; at that point every member holds an uninitialized (junk) value. Most of the members are then set to NULL [2], so they no longer hold junk values, but not all of them are.
The member s->comments is left holding the junk value. The structure is later passed to free_splinestorage(), which internally calls free_comments(); when that function dereferences the structure member `d->next` [3], a segmentation fault is triggered by the invalid memory access through the junk pointer.
Fix
As part of the fix, the member s->comments is set to NULL.
Commit: e0c4b02429116b15ad1568c2c425f06b95b95830
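To show the failure mode and the fix side by side, here is an added, self-contained example (not fig2dev's own code). It uses hypothetical stand-ins for the F_spline and F_comment structures and for the free_comments() loop, and it simulates a freshly allocated heap block by filling it with 0xbe, the same fill byte AddressSanitizer writes into new allocations, which is why the gdb session above shows s->comments as 0xbebebebebebebebe. The 3.2.7a-style initializer leaves `comments` holding that poison, so a later free_comments() would walk a garbage pointer; the patched-style initializer clears it, and a properly built list is then freed without incident.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for fig2dev's F_comment and F_spline (not the project's definitions). */
typedef struct f_comment {
    char *comment;
    struct f_comment *next;
} F_comment;

typedef struct f_spline {
    void *points;
    void *controls;
    F_comment *comments;
    struct f_spline *next;
} F_spline;

/* Same shape as the free_comments() loop quoted in the synopsis: walk the list, free each node. */
static void free_comments(F_comment *c)
{
    F_comment *d, *n;
    for (d = c; d != NULL; d = n) {
        n = d->next;           /* [3]: reads through whatever `c` pointed at */
        free(d->comment);
        free(d);
    }
}

/* 3.2.7a-style initialization: every pointer member except `comments` is cleared. */
static void init_spline_partial(F_spline *s)
{
    s->points = NULL;
    s->controls = NULL;
    s->next = NULL;
    /* s->comments is deliberately left untouched: this is the bug pattern. */
}

/* Patched-style initialization: `comments` is cleared as well. */
static void init_spline_full(F_spline *s)
{
    init_spline_partial(s);
    s->comments = NULL;
}

/* Fill a block with 0xbe (constructed poison, mirroring ASAN's malloc fill byte),
 * run the given initializer on it, and report whether `comments` ended up NULL. */
static int comments_cleared_after(void (*init)(F_spline *))
{
    union { F_spline s; unsigned char raw[sizeof(F_spline)]; } block;
    memset(block.raw, 0xbe, sizeof block.raw);
    init(&block.s);
    return block.s.comments == NULL;
}

/* Build a two-entry comment list on a fully initialized spline and release it through
 * free_comments(); returns how many entries were attached (the free is a well-defined no-crash path). */
static int attach_and_free_comments(void)
{
    const char *texts[] = { "first comment", "second comment" };   /* constructed sample data */
    F_spline *s = malloc(sizeof *s);
    int count = 0;
    if (s == NULL) return -1;
    init_spline_full(s);                      /* comments == NULL: list is properly terminated */
    for (int i = 1; i >= 0; i--) {
        F_comment *c = malloc(sizeof *c);
        size_t len = strlen(texts[i]) + 1;
        if (c == NULL) break;
        c->comment = malloc(len);
        if (c->comment == NULL) { free(c); break; }
        memcpy(c->comment, texts[i], len);
        c->next = s->comments;                /* push onto the NULL-terminated list */
        s->comments = c;
        count++;
    }
    free_comments(s->comments);               /* safe: every `next` was written before being read */
    s->comments = NULL;
    free(s);
    return count;
}

int main(void)
{
    printf("partial init leaves comments NULL: %d\n", comments_cleared_after(init_spline_partial));
    printf("full init leaves comments NULL:    %d\n", comments_cleared_after(init_spline_full));
    printf("entries attached and freed:        %d\n", attach_and_free_comments());
    return 0;
}
```

The one-line patch (clearing s->comments) closes this instance; the structural fix a reviewer would ask for is to zero the whole object at allocation (calloc, or a memset immediately after Spline_malloc) so that any member added to the structure later is covered automatically rather than depending on each reader function listing every field.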
Analysis
```
#0 0x0000000000424cf6 in free_comments (c=) at free.c:172
#1 free_splinestorage (s=s@entry=0x60800000bf20) at free.c:136
#2 0x000000000043b625 in read_splineobject (fp=fp@entry=0x61600000fc80) at read.c:1140
#3 0x000000000043e0a0 in read_objects (obj=0x7fffffffdc70, fp=0x61600000fc80) at read.c:383
#4 readfp_fig (fp=0x61600000fc80, obj=obj@entry=0x7fffffffdc70) at read.c:172
#5 0x0000000000440237 in read_fig (file_name=, obj=obj@entry=0x7fffffffdc70) at read.c:142
#6 0x0000000000404104 in main (argc=0x4, argv=0x7fffffffddf8) at fig2dev.c:424
gef➤ p s->controls
$38 = (struct f_control *) 0x0
gef➤ p s->comments
$39 = (struct f_comment *) 0xbebebebebebebebe
gef➤ p d->next
Cannot access memory at address 0xbebebebebebebec6
```
ASAN Output
```
==115139==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000424cf6 bp 0x60800000bf20 sp 0x7fffffffd5d0 T0)
#0 0x424cf5 in free_comments /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:172
#1 0x424cf5 in free_splinestorage /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:136
#2 0x43b624 in read_splineobject /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:1140
#3 0x43e09f in read_objects /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:383
#4 0x43e09f in readfp_fig /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:172
#5 0x404103 in main /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/fig2dev.c:424
#6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x406038 in _start (/home/woot/Desktop/fig2dev-3.2.7a/fig2dev/fig2dev+0x406038)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:172 free_comments
```
Proof of concept
```
fig2dev -L tikz $POC
```
Timeline
Vendor Disclosure: 2018-08-22
Patch Release: 2018-08-23
Public Disclosure: 2018-08-25
Credit
Discovered by ACE Team - Loginsoft