Memory corruption in fig2dev 3.2.7a
August 25, 2018
CWE
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Product Details
Xfig is a free and open-source vector graphics editor that runs under the X Window System on most UNIX-compatible platforms. fig2dev is the translator shipped with the Xfig package; it reads Fig files and converts them to other graphics languages (tikz, shape, jpeg, png, etc.).
URL: https://sourceforge.net/projects/mcj/
Vulnerable Versions
fig2dev 3.2.7a (Xfig package)
Vulnerability Details
A memory corruption was discovered in fig2dev 3.2.7a: read_splineobject() leaves a pointer member of a freshly allocated spline object uninitialised, and the cleanup code later dereferences (and frees through) that junk pointer.
SYNOPSIS
```c
/* read.c */
static F_spline *
read_splineobject(FILE *fp)
{
    ...
    Spline_malloc(s);               /* [1] */
    s->points = NULL;
    s->controls = NULL;             /* [2] */
    s->pen = 0;
    s->fill_style = 0;
    s->for_arrow = NULL;
    s->back_arrow = NULL;
    s->comments = NULL;             /* added by the fix; not present in 3.2.7a */
    s->next = NULL;
```

```c
/* free.c, free_comments() */
    for (d = c; d != NULL; d = n) {
        n = d->next;                /* [3] */
        free(d);
```
When fig2dev is given a .fig file it parses it through read_fig(), which calls read_objects() to walk the objects in the file; for a spline object, read_objects() calls read_splineobject() in read.c. That function allocates its F_spline structure `s` with Spline_malloc() [1]. Spline_malloc() does not zero the allocation, so every member of `s` initially holds whatever the heap block last contained. Most of the members are then explicitly set to NULL or 0 [2], but not all of them.
The member s->comments is never assigned. When read_splineobject() later releases the object through free_splinestorage() (read.c:1140 in the backtrace below), that function hands s->comments to free_comments(), which walks the list and reads `d->next` [3] through the uninitialised pointer. In the run captured below this is a segmentation fault on an unmapped address, but the value depends on the previous contents of the heap block, so a clean crash is not guaranteed: free_comments() also calls free() on every node it reaches.
Fix
The fix initialises s->comments to NULL in read_splineobject() alongside the other members, so free_comments() receives an empty list instead of a junk pointer.
Commit: e0c4b02429116b15ad1568c2c425f06b95b95830
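The pattern behind this bug, as an added example that is not fig2dev's own code: a structure allocated with malloc(), most pointer members set by hand, one forgotten, and a list-walking free routine that later reads through the leftover value. The struct members and function names loosely mirror the advisory's but the layout is an assumption, and the 0xbe fill is applied deliberately so the junk value is reproducible without ASan.

```c
/* Added example (not fig2dev's code): a model of the read_splineobject() bug
 * and its fix.  Names mirror fig2dev loosely; the struct layout is assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct f_comment {
    const char *comment;
    struct f_comment *next;
};

struct f_spline {
    void *points, *controls, *for_arrow, *back_arrow; /* stand-ins for the real lists */
    int pen, fill_style;
    struct f_comment *comments;  /* the member 3.2.7a forgot to initialise */
    struct f_spline *next;
};

/* malloc() does not zero memory.  Fresh blocks are filled with 0xbe here so the
 * junk is deterministic; 0xbe is also ASan's allocator fill byte, hence the
 * 0xbebebebebebebebe in the advisory's gdb session. */
#define JUNK_BYTE 0xbe
static void *junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) memset(p, JUNK_BYTE, n);
    return p;
}

/* with_fix == 0 reproduces 3.2.7a: every member except comments is set.
 * with_fix != 0 adds the single assignment the upstream commit adds. */
struct f_spline *spline_alloc(int with_fix)
{
    struct f_spline *s = junk_malloc(sizeof *s);
    if (!s)
        return NULL;
    s->points = s->controls = s->for_arrow = s->back_arrow = NULL;
    s->pen = s->fill_style = 0;
    if (with_fix)
        s->comments = NULL;
    s->next = NULL;
    return s;
}

/* Same shape as free_comments() in fig2dev's free.c: reading d->next through
 * a junk head pointer is the access that faults. */
static void free_comments(struct f_comment *c)
{
    struct f_comment *d, *n;
    for (d = c; d != NULL; d = n) {
        n = d->next;
        free(d);
    }
}

/* Push a comment node onto the list (text is not copied); 0 on success. */
int spline_add_comment(struct f_spline *s, const char *text)
{
    struct f_comment *c = malloc(sizeof *c);
    if (!c)
        return -1;
    c->comment = text;
    c->next = s->comments;
    s->comments = c;
    return 0;
}

/* Does s->comments still hold the fill pattern?  Only answerable because the
 * junk is deterministic; real code has no such check, so initialisation is the fix. */
int spline_comments_is_junk(const struct f_spline *s)
{
    uintptr_t pat = (uintptr_t)-1 / 0xff * JUNK_BYTE;   /* 0xbebe...bebe */
    return (uintptr_t)s->comments == pat;
}

/* Scenario 1: returns 1 when the unfixed allocation leaves comments as junk.
 * Released with plain free(): walking the list as free_splinestorage() does
 * would fault exactly like the advisory's backtrace. */
int demo_vulnerable_leaves_junk(void)
{
    struct f_spline *s = spline_alloc(0);
    int junk = s ? spline_comments_is_junk(s) : -1;
    free(s);
    return junk;
}

/* Scenario 2: the fixed allocation survives the round trip through the
 * list-walking free.  Returns the number of constructed comments attached. */
int demo_fixed_round_trip(void)
{
    struct f_spline *s = spline_alloc(1);
    int n = 0;
    if (!s || spline_comments_is_junk(s))
        return -1;
    spline_add_comment(s, "constructed comment 1");
    spline_add_comment(s, "constructed comment 2");
    for (const struct f_comment *d = s->comments; d != NULL; d = d->next)
        n++;
    free_comments(s->comments);   /* the free_splinestorage() path */
    free(s);
    return n;
}
```

Zeroing the whole object right after Spline_malloc() (calloc() or a memset) would close the same hole for any member added to F_spline later; the upstream commit took the minimal route of adding the one missing assignment.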
Analysis
```
#0  0x0000000000424cf6 in free_comments (c=<optimized out>) at free.c:172
#1  free_splinestorage (s=s@entry=0x60800000bf20) at free.c:136
#2  0x000000000043b625 in read_splineobject (fp=fp@entry=0x61600000fc80) at read.c:1140
#3  0x000000000043e0a0 in read_objects (obj=0x7fffffffdc70, fp=0x61600000fc80) at read.c:383
#4  readfp_fig (fp=0x61600000fc80, obj=obj@entry=0x7fffffffdc70) at read.c:172
#5  0x0000000000440237 in read_fig (file_name=<optimized out>, obj=obj@entry=0x7fffffffdc70) at read.c:142
#6  0x0000000000404104 in main (argc=0x4, argv=0x7fffffffddf8) at fig2dev.c:424
gef➤  p s->controls
$38 = (struct f_control *) 0x0
gef➤  p s->comments
$39 = (struct f_comment *) 0xbebebebebebebebe
gef➤  p d->next
Cannot access memory at address 0xbebebebebebebec6
```
s->controls was NULLed by read_splineobject(), while s->comments still holds 0xbebebebebebebebe, the byte pattern AddressSanitizer's allocator writes into freshly allocated heap memory; that is the signature of a never-initialised heap field. The faulting address 0xbebebebebebebec6 is that junk pointer plus 8, i.e. the read of `d->next` [3] in free_comments().
ASAN Output
```
==115139==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000424cf6 bp 0x60800000bf20 sp 0x7fffffffd5d0 T0)
    #0 0x424cf5 in free_comments /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:172
    #1 0x424cf5 in free_splinestorage /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:136
    #2 0x43b624 in read_splineobject /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:1140
    #3 0x43e09f in read_objects /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:383
    #4 0x43e09f in readfp_fig /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/read.c:172
    #5 0x404103 in main /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/fig2dev.c:424
    #6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x406038 in _start (/home/woot/Desktop/fig2dev-3.2.7a/fig2dev/fig2dev+0x406038)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/woot/Desktop/fig2dev-3.2.7a/fig2dev/free.c:172 free_comments
```
ASan reports the fault as being on address 0 even though gdb shows the access at 0xbebebebebebebec6: that value is not a canonical x86-64 address, so the CPU raises a general protection fault rather than a page fault, and the kernel delivers the resulting SIGSEGV without a meaningful fault address. ASan therefore cannot classify the bug beyond a plain SEGV; the gdb session above is what identifies the uninitialised field.
Proof of concept
```
fig2dev -L tikz $POC
```
$POC is the crafted .fig file (not reproduced here). With fig2dev built with -fsanitize=address the run produces the report above; a plain build crashes with a segmentation fault in free_comments().
Timeline
Vendor Disclosure: 2018-08-22
Patch Release: 2018-08-23
Public Disclosure: 2018-08-25
Credit
Discovered by ACE Team – Loginsoft