NULL pointer dereference in fig2dev 3.2.7a

August 23, 2018


CWE-476: NULL Pointer Dereference

Product Details

Xfig is a free and open-source vector graphics editor which runs under the X Window System on most UNIX-compatible platforms. fig2dev is a library used by the Xfig package to translate fig code into other graphical languages (tikz, shape, jpeg, png, etc.).


Vulnerable Versions

fig2dev 3.2.7a

Vulnerability Details

A NULL pointer dereference was discovered in fig2dev version 3.2.7.

    /* first control point is needed twice for the first segment */
    COPY_CONTROL_POINT(p2, s2, p1->next, s1->next);   /* [1] */
    if (p2->next == NULL) {                            /* [2] */
        COPY_CONTROL_POINT(p3, s3, p2, s2);
    } else {

Similar to #report10, while parsing the .fig file and reading its objects, a spline object is read by read_splineobject(), which calls create_line_with_spline() with the spline structure `s`. That structure is then used by compute_open_spline(), which contains a few of the spline drawing routines and uses the macro COPY_CONTROL_POINT to swap a few values [1]; after this copy, the value of p2 is NULL.

Later, when the if block dereferences the structure member `p2->next` [2], a segmentation fault is triggered by the access to an invalid memory address, which is the NULL pointer dereference.
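The defect class described above, as an added illustration that is not fig2dev's code: a linked list of control points is walked for the first spline segment, and the second point is taken from p1->next without checking that a second point exists. The unchecked function reproduces the crash pattern on a one-point list; the checked function counts the points first and rejects a spline that is too short. All struct and function names here are assumptions made for this example, and the sample lists are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative model of a spline's control-point list (not fig2dev's
   struct definitions; the names are assumptions for this example). */
struct point { double x, y; struct point *next; };

/* Unchecked version, shaped like the pattern in the advisory: p2 is
   taken from p1->next without confirming that a second point exists, so
   a one-point list leaves p2 NULL and the p2->next read dereferences
   NULL (SIGSEGV, as in the backtrace). Returns 1 when the segment was
   set up and stores the third control point in *out3. */
static int first_segment_unchecked(struct point *p1, struct point **out3)
{
    struct point *p2 = p1->next;   /* may be NULL */
    struct point *p3;
    if (p2->next == NULL)          /* NULL dereference when p2 == NULL */
        p3 = p2;
    else
        p3 = p2->next;
    *out3 = p3;
    return 1;
}

/* Hardened version: count the points before touching the list and
   refuse splines that lack the control points the first segment needs. */
static size_t count_points(const struct point *p)
{
    size_t n = 0;
    for (; p != NULL; p = p->next)
        n++;
    return n;
}

static int first_segment_checked(struct point *p1, struct point **out3)
{
    if (count_points(p1) < 2) {
        *out3 = NULL;
        return 0;                  /* reject instead of dereferencing NULL */
    }
    struct point *p2 = p1->next;   /* guaranteed non-NULL here */
    *out3 = (p2->next == NULL) ? p2 : p2->next;
    return 1;
}

/* Link an array of points into a list; used to build constructed input. */
static struct point *build_list(struct point *storage, size_t n)
{
    for (size_t i = 0; i < n; i++)
        storage[i].next = (i + 1 < n) ? &storage[i + 1] : NULL;
    return n ? &storage[0] : NULL;
}

int main(void)
{
    /* Constructed sample input: a three-point and a one-point spline. */
    struct point three[3] = {{0, 0, NULL}, {1, 1, NULL}, {2, 2, NULL}};
    struct point one[1] = {{0, 0, NULL}};
    struct point *p3 = NULL;

    printf("three points, checked: %d\n",
           first_segment_checked(build_list(three, 3), &p3));
    printf("one point, checked:    %d\n",
           first_segment_checked(build_list(one, 1), &p3));
    /* first_segment_unchecked(build_list(one, 1), &p3) would crash. */
    return 0;
}
```

The point of the checked variant is that the length check happens once, before any pointer in the list is followed, so malformed input is rejected by a return value that the caller can act on rather than by a crash inside the drawing routine.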

$rax : 0x0 
$rbx : 0x7fffffffd600 → 0x00007fffffffda40 → 0x00007fffffffda70 → 0x00007fffffffdbd0 → 0x00007fffffffdc00 → 0x00007fffffffdc30 → 0x00007fffffffdd10 → 0x0000000000516090
$rcx : 0x0 
$rdx : 0x0 
$rsp : 0x7fffffffd4e0 → 0x000060800000bf28 → 0x0000000000000000
$rbp : 0x7fffffffd550 → 0x00007fffffffd630 → 0x00007fffffffda70 → 0x00007fffffffdbd0 → 0x00007fffffffdc00 → 0x00007fffffffdc30 → 0x00007fffffffdd10 → 0x0000000000516090
$rsi : 0x0 
$rdi : 0x7ffff715fed0 → 0x0000000000000001
$rip : 0x423650 → <compute_open_spline+779> mov rax, QWORD PTR [rax+0x8]

   0x423644 <compute_open_spline+767> mov    rdi, rax
   0x423647 <compute_open_spline+770> call   0x4022b0 <__asan_report_load8@plt>
   0x42364c <compute_open_spline+775> mov    rax, QWORD PTR [rbp-0x30]
→  0x423650 <compute_open_spline+779> mov    rax, QWORD PTR [rax+0x8]
   0x423654 <compute_open_spline+783> test   rax, rax
   0x423657 <compute_open_spline+786> jne    0x42366b <compute_open_spline+806>
   0x423659 <compute_open_spline+788> mov    rax, QWORD PTR [rbp-0x30]
   0x42365d <compute_open_spline+792> mov    QWORD PTR [rbp-0x28], rax
   0x423661 <compute_open_spline+796> mov    rax, QWORD PTR [rbp-0x18]

gef➤  bt 
#0  0x0000000000423650 in compute_open_spline (spline=0x60800000bf20, precision=0.5) at trans_spline.c:193
#1  0x0000000000426667 in create_line_with_spline (s=0x60800000bf20) at trans_spline.c:494
#2  0x0000000000420c76 in read_splineobject (fp=0x61600000fc80) at read.c:1207
#3  0x0000000000419669 in read_objects (fp=0x61600000fc80, obj=0x7fffffffdc80) at read.c:383
#4  0x0000000000418841 in readfp_fig (fp=0x61600000fc80, obj=0x7fffffffdc80) at read.c:172
#5  0x000000000041872a in read_fig (file_name=0x7fffffffe1e9 "/home/woot/Desktop/xfig/ou/crashes/id:000001,sig:11,src:000027,op:flip1,pos:76", obj=0x7fffffffdc80) at read.c:142
#6  0x0000000000410ea4 in main (argc=0x4, argv=0x7fffffffddf8) at fig2dev.c:424

ASAN Output

==75521==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000044562d bp 0x000000000000 sp 0x7fffffffd4d0 T0)
#0 0x44562c (/usr/local/bin/fig2dev+0x44562c)
#1 0x446c68 (/usr/local/bin/fig2dev+0x446c68)
#2 0x43b3db (/usr/local/bin/fig2dev+0x43b3db)
#3 0x43e09f (/usr/local/bin/fig2dev+0x43e09f)
#4 0x404103 (/usr/local/bin/fig2dev+0x404103)
#5 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/
#6 0x406038 (/usr/local/bin/fig2dev+0x406038)

Proof of concept

fig2dev -L tikz $POC



Vendor Disclosure: 2018-08-23

Patch Release: 2018-08-24

Public Disclosure: 2018-08-25


Discovered by ACE Team – Loginsoft