Memory corruption in fig2dev 3.2.7a

August 25, 2018

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Product Details

Xfig is a free and open-source vector graphics editor which runs under the X Window System on most UNIX-compatible platforms. fig2dev is a library used by Xfig package to translate fig code to other graphical languages (tikz, shape, jpeg, png etc.)

URL: https://sourceforge.net/projects/mcj/

Vulnerable Versions

fig2dev 3.2.7a (Xfig package)

Vulnerability Details

A Memory corruption was discovered in fig2dev 3.2.7a version.

 

SYNOPSIS
``` 
static F_spline * 
read_splineobject(FILE *fp) 
. 
. 
. 
Spline_malloc(s); [1] 
s->points = NULL; 
s->controls = NULL; [2] 
s->pen = 0; 
s->fill_style = 0; 
s->for_arrow = NULL; 
s->back_arrow = NULL; 
s->comments = NULL; 
s->next = NULL; 
``` 

``` 
for (d = c; d != NULL; d = n) { 
n = d->next; [3] 
free(d); 
``` 

The fig2dev binary when supplied with a .fig file, it attempts to read the fig file by calling read_fig(), which  later calls read_objects() to go through the objects available in the fig file. The function read_splineobject() is called in file read.c, which purpose is to read spline objects contains a structure `s`, which is passed to Spline_malloc()  initially in the program [1], thereby leaving all members with a junk value as it’ un-initialized. Later the code, most of the members of the structure are being NULLED out [2], which means no more having any junk values but anyhow not all of them.

The member s->comments is left containing the junk value, which is later being passed to free_splinestorage(), internally calling free_comments() function, which when tries to dereference the structure member `d->next` [3], an segmentation fault is being triggered as a result of invalid memory access due to received junk value.

 

Fix –  

As a part of fix, the member s->comments is being NULLED out.

Commit : e0c4b02429116b15ad1568c2c425f06b95b95830

 

Analysis
#0 0x0000000000424cf6 in free_comments (c=<optimized out>) at free.c:172
#1 free_splinestorage (s=s@entry=0x60800000bf20) at free.c:136
#2 0x000000000043b625 in read_splineobject (fp=fp@entry=0x61600000fc80) at read.c:1140
#3 0x000000000043e0a0 in read_objects (obj=0x7fffffffdc70, fp=0x61600000fc80) at read.c:383
#4 readfp_fig (fp=0x61600000fc80, obj=obj@entry=0x7fffffffdc70) at read.c:172
#5 0x0000000000440237 in read_fig (file_name=<optimized out>, obj=obj@entry=0x7fffffffdc70) at read.c:142
#6 0x0000000000404104 in main (argc=0x4, argv=0x7fffffffddf8) at fig2dev.c:424


gef➤  p s->controls
$38 = (struct f_control *) 0x0
gef➤  p s->comments
$39 = (struct f_comment *) 0xbebebebebebebebe`
gef➤  p d->next
Cannot access memory at address 0xbebebebebebebec6


ASAN Output

==115139==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000424cf6 bp 0x60800000bf20 sp 0x7fffffffd5d0 T0)
#0 0x424cf5 in free_comments /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:172
#1 0x424cf5 in free_splinestorage /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:136
#2 0x43b624 in read_splineobject /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:1140
#3 0x43e09f in read_objects /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:383
#4 0x43e09f in readfp_fig /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:172
#5 0x404103 in main /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/fig2dev.c:424
#6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x406038 in _start (/home/woot/Desktop/fig2dev-3.2.7a/fig2dev/fig2dev+0x406038)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:172 free_comments


Proof of concept 

fig2dev –L tikz $POC

 

Timeline

Vendor Disclosure: 2018-08-22

Patch Release: 2018-08-23

Public Disclosure: 2018-08-25

 

Credit

Discovered by ACE Team – Loginsoft