[Secure-testing-team] Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz

Joonun Jang joonun.jang at gmail.com
Wed Nov 8 06:40:29 UTC 2017


Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out-of-bounds read while running fig2dev with -L tikz option

Running 'fig2dev -L tikz poc' with the attached file raises an out-of-bounds read bug,
which may allow a remote attacker to cause a denial of service or information
disclosure with a crafted file.

I expected the program to terminate without a segfault, but the program crashes as follows.

I sent this to the Debian security team before, but I didn't get any response,
so I am sending this publicly.

=======================================================
june at june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc at 1\dimen\dimendef\insc at unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault

[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff7339d78 in _IO_vfprintf_internal (s=0x7ffff768b600 <_IO_2_1_stdout_>,
format=<optimized out>, ap=ap at entry=0x7fffffffde88) at vfprintf.c:1637
#2  0x00007ffff7340157 in __fprintf (stream=<optimized out>,
format=format at entry=0x5555555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3  0x00005555555b4615 in put_font (t=0x555555810160) at gentikz.c:1725
#4  gentikz_text (t=0x555555810160) at gentikz.c:1769
#5  0x00005555555618cd in gendev_objects (dev=0x5555557f8ec0 <dev_tikz>, objects=0x7fffffffdfa0)
at fig2dev.c:833
#6  main (argc=<optimized out>, argv=<optimized out>) at fig2dev.c:467
(gdb) x/i $rip
=> 0x7ffff7371646 <strlen+38>:  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x29292922 690563362
(gdb) f 3
#3  0x00005555555b4615 in put_font (t=0x555555810160) at gentikz.c:1725
1725        fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922 <error: Cannot access memory at address 0x29292922>

With the attached file, t->font can be set to a negative value, which causes this bug.
[fig2dev/dev/gentikz.c]
1724   else
1725       fprintf(tfp, "\\normalfont%s ",
1726         texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);

=======================================================

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information
-------------- next part --------------

 1  1

1

11 4-51

11 0 5
1
91
1 
c!!!!
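The expression quoted from gentikz.c above clamps only the upper end of the font index, so a negative value read from the input file is used as-is and reads before the start of the table. The following C program is an added example, not code from fig2dev or from the reporter: it reproduces the reported index computation next to a variant that rejects both ends of the range. The `texfonts` table and `MAX_FONT` value here are constructed stand-ins (the real table in fig2dev is larger), sized so that index `MAX_FONT` is valid, which is what the original upper-bound test assumes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for fig2dev's texfonts[] table (not the real table).
 * It has MAX_FONT + 1 entries so that index MAX_FONT, which the original
 * expression allows, is in bounds; the only out-of-range case left is a
 * negative index. */
#define MAX_FONT 3
static const char *const texfonts[MAX_FONT + 1] = {
    "\\rmfamily", "\\sffamily", "\\ttfamily", "\\bfseries"
};

/* Index exactly as the quoted line in gentikz.c computes it.
 * Only the upper bound is checked, so a negative font value taken from
 * the .fig file passes through unchanged and indexes before the array. */
int reported_font_index(int font)
{
    return font <= MAX_FONT ? font : MAX_FONT - 1;
}

/* Returns 1 when the reported expression would index outside texfonts[]. */
int index_is_out_of_bounds(int font)
{
    int idx = reported_font_index(font);
    return idx < 0 || idx > MAX_FONT;
}

/* Hardened variant (hypothetical fix, not fig2dev's): any value outside
 * [0, MAX_FONT] is replaced by index 0, the same "pick a sane default
 * instead of crashing" policy the original applies to large values. */
int hardened_font_index(int font)
{
    if (font < 0 || font > MAX_FONT)
        return 0;
    return font;
}

/* Looks up the font macro the way put_font() does, through the checked index,
 * so the string handed to fprintf("%s") is always a valid pointer. */
const char *hardened_texfont(int font)
{
    return texfonts[hardened_font_index(font)];
}

int main(void)
{
    /* -51 is the t->font value shown in the gdb session above. */
    int samples[] = { 1, -51, 100 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = samples[i];
        printf("font=%4d reported-index=%4d out-of-bounds=%d hardened=%s\n",
               f, reported_font_index(f), index_is_out_of_bounds(f),
               hardened_texfont(f));
    }
    return 0;
}
```

Running it shows that the reported expression turns the value -51 into index -51 while 100 is clamped; the hardened lookup maps both to a valid entry. The general rule it illustrates is that a range check on a signed index that comes from untrusted input must test both bounds, or the index must be converted to an unsigned type and compared once against the table length.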

