NULL pointer dereference in fig2dev 3.2.7a
Loginsoft-2018-1005
August 23, 2018
CWE
CWE-476: NULL Pointer Dereference
Product Details
Xfig is a free and open-source vector graphics editor which runs under the X Window System on most UNIX-compatible platforms. fig2dev is a library used by the Xfig package to translate fig code into other graphical languages and formats (tikz, shape, jpeg, png, etc.).
URL: https://sourceforge.net/projects/mcj/
Vulnerable Versions
fig2dev 3.2.7a
Vulnerability Details
A NULL pointer dereference was discovered in fig2dev version 3.2.7.
SYNOPSIS
```c
/* first control point is needed twice for the first segment */
COPY_CONTROL_POINT(p2, s2, p1->next, s1->next);     /* [1] */
if (p2->next == NULL) {                             /* [2] */
    COPY_CONTROL_POINT(p3, s3, p2, s2);
} else {
```
Similar to #report10, while parsing the .fig file, fig2dev reads the objects and, for a spline object, calls read_splineobject(). That function calls create_line_with_spline() with the spline structure `s`, which is in turn handed to compute_open_spline(). This function contains the spline drawing routines and uses the macro COPY_CONTROL_POINT to copy a few values [1]; for this input it leaves p2 as NULL.
Later, when the if condition dereferences the structure member `p2->next` [2], the access to an invalid memory address triggers a segmentation fault: a NULL pointer dereference.
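The missing guard, as an added example that is not fig2dev's own code: a simplified control-point list and an open-spline walk that rejects a spline with fewer than two control points before any `->next` is read, so p2 cannot be NULL at the point marked [2] above. The `point_t` type and the function names are assumptions, and plain assignments stand in for COPY_CONTROL_POINT.

```c
/* Added example, not fig2dev's own code: point_t and the function names
 * are simplified stand-ins, and plain assignments replace COPY_CONTROL_POINT. */
#include <stddef.h>

typedef struct point {
    double x, y;
    struct point *next;             /* NULL on the last control point */
} point_t;

/* Walk an open spline's control points and count the segments they
 * yield (n points give n-1 segments).  Returns -1 instead of reading
 * p2->next when the list has fewer than two points, which is the case
 * in which the advisory's p2 is NULL. */
int open_spline_segments(const point_t *points)
{
    const point_t *p2, *p3;
    int segments = 0;

    if (points == NULL || points->next == NULL)
        return -1;                  /* too few control points: reject */

    p2 = points->next;              /* [1] non-NULL by the guard above */
    /* first control point is needed twice for the first segment */
    p3 = (p2->next == NULL) ? p2 : p2->next;   /* [2] now safe to read */
    segments++;

    while (p3 != p2) {              /* slide the window to the last point */
        p2 = p3;
        p3 = (p2->next == NULL) ? p2 : p2->next;
        segments++;
    }
    return segments;
}

/* Build a constructed n-point list (n <= 8, x = index) and walk it. */
int segments_for_n_points(size_t n)
{
    static point_t pts[8];
    size_t i;

    if (n > 8)
        return -2;
    for (i = 0; i < n; i++) {
        pts[i].x = (double)i;
        pts[i].y = 0.0;
        pts[i].next = (i + 1 < n) ? &pts[i + 1] : NULL;
    }
    return open_spline_segments(n ? pts : NULL);
}
```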
Analysis
```
$rax : 0x0
$rbx : 0x7fffffffd600 → 0x00007fffffffda40 → 0x00007fffffffda70 → 0x00007fffffffdbd0 → 0x00007fffffffdc00 → 0x00007fffffffdc30 → 0x00007fffffffdd10 → 0x0000000000516090
$rcx : 0x0
$rdx : 0x0
$rsp : 0x7fffffffd4e0 → 0x000060800000bf28 → 0x0000000000000000
$rbp : 0x7fffffffd550 → 0x00007fffffffd630 → 0x00007fffffffda70 → 0x00007fffffffdbd0 → 0x00007fffffffdc00 → 0x00007fffffffdc30 → 0x00007fffffffdd10 → 0x0000000000516090
$rsi : 0x0
$rdi : 0x7ffff715fed0 → 0x0000000000000001
$rip : 0x423650 → <compute_open_spline+779> mov rax, QWORD PTR [rax+0x8]

   0x423644 <compute_open_spline+767> mov rdi, rax
   0x423647 <compute_open_spline+770> call 0x4022b0 <__asan_report_load8@plt>
   0x42364c <compute_open_spline+775> mov rax, QWORD PTR [rbp-0x30]
 → 0x423650 <compute_open_spline+779> mov rax, QWORD PTR [rax+0x8]
   0x423654 <compute_open_spline+783> test rax, rax
   0x423657 <compute_open_spline+786> jne 0x42366b <compute_open_spline+806>
   0x423659 <compute_open_spline+788> mov rax, QWORD PTR [rbp-0x30]
   0x42365d <compute_open_spline+792> mov QWORD PTR [rbp-0x28], rax
   0x423661 <compute_open_spline+796> mov rax, QWORD PTR [rbp-0x18]

gef➤ bt
#0 0x0000000000423650 in compute_open_spline (spline=0x60800000bf20, precision=0.5) at trans_spline.c:193
#1 0x0000000000426667 in create_line_with_spline (s=0x60800000bf20) at trans_spline.c:494
#2 0x0000000000420c76 in read_splineobject (fp=0x61600000fc80) at read.c:1207
#3 0x0000000000419669 in read_objects (fp=0x61600000fc80, obj=0x7fffffffdc80) at read.c:383
#4 0x0000000000418841 in readfp_fig (fp=0x61600000fc80, obj=0x7fffffffdc80) at read.c:172
#5 0x000000000041872a in read_fig (file_name=0x7fffffffe1e9 "/home/woot/Desktop/xfig/ou/crashes/id:000001,sig:11,src:000027,op:flip1,pos:76", obj=0x7fffffffdc80) at read.c:142
#6 0x0000000000410ea4 in main (argc=0x4, argv=0x7fffffffddf8) at fig2dev.c:424
```
ASAN Output
```
ASAN:SIGSEGV
=================================================================
==75521==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000044562d bp 0x000000000000 sp 0x7fffffffd4d0 T0)
    #0 0x44562c (/usr/local/bin/fig2dev+0x44562c)
    #1 0x446c68 (/usr/local/bin/fig2dev+0x446c68)
    #2 0x43b3db (/usr/local/bin/fig2dev+0x43b3db)
    #3 0x43e09f (/usr/local/bin/fig2dev+0x43e09f)
    #4 0x404103 (/usr/local/bin/fig2dev+0x404103)
    #5 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x406038 (/usr/local/bin/fig2dev+0x406038)
```
Proof of concept
```
fig2dev -L tikz $POC
```
Timeline
Vendor Disclosure: 2018-08-23
Patch Release: 2018-08-24
Public Disclosure: 2018-08-25
Credit
Discovered by ACE Team – Loginsoft