CVE-2018-16140
Description
A buffer underwrite in fig2dev 3.2.7a's get_line() allows writing before a buffer via a crafted .fig file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the get_line() function in read.c of fig2dev version 3.2.7a. When the length of a line (len) is less than 2, the code attempts to access buf[len-2], which results in a write prior to the beginning of the buffer. This condition is triggered by a specially crafted .fig file. The issue is present in version 3.2.7a and likely earlier versions [1].
Exploitation
An attacker can exploit this by providing a malicious .fig file to fig2dev. No authentication or special privileges are required; the user only needs to run fig2dev on the file. During parsing, get_line() is called, and when len is 1, the check buf[len-2] accesses buf[-1], causing a buffer underwrite. The attacker controls the .fig file content to trigger this condition [1].
Impact
Successful exploitation results in a buffer underwrite, leading to memory corruption. This can cause a denial of service or potentially allow arbitrary code execution, depending on the memory layout. The attacker gains the ability to write before the allocated buffer, which may corrupt adjacent data structures [1].
Mitigation
The recommended fix is to add a check in get_line() similar to the one already applied in read_objects(): ensure len > 1 before accessing buf[len-2]. As of the reference, this fix had not been applied to version 3.2.7a. Users should update to a patched version when available or avoid processing untrusted .fig files [1].
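The guard described above, as an added example; it is not fig2dev's source and not taken from the cited references. The CRLF clean-up purpose, the function names and the guard-byte harness are assumptions made for illustration. The line is placed one byte into a larger array so that index -1 stays inside the object and the stray write can be observed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the line clean-up step (assumed purpose:
 * turn a trailing "\r\n" into "\n"). Flawed form: no length check. */
static int strip_cr_unchecked(char *buf, int len)
{
    /* With len == 1 the index len-2 is -1: read and write before buf. */
    if (buf[len - 1] == '\n' && buf[len - 2] == '\r') {
        buf[len - 2] = '\n';
        buf[len - 1] = '\0';
        return len - 1;
    }
    return len;
}

/* Guarded form: len > 1 is tested before buf[len-2] is touched. */
static int strip_cr_checked(char *buf, int len)
{
    if (len > 1 && buf[len - 1] == '\n' && buf[len - 2] == '\r') {
        buf[len - 2] = '\n';
        buf[len - 1] = '\0';
        return len - 1;
    }
    return len;
}

/* Runs fn on a copy of `line` stored right after a guard byte.
 * Returns 1 if the guard byte was modified, 0 if intact, -1 on bad input.
 * The resulting line length is stored in *new_len. */
static int run_case(int (*fn)(char *, int), const char *line, int *new_len)
{
    char arena[1 + 64];
    int len = (int)strlen(line);
    if (len < 1 || len > 63)
        return -1;
    arena[0] = '\r';   /* constructed: the byte that happens to precede buf */
    memcpy(arena + 1, line, (size_t)len + 1);
    *new_len = fn(arena + 1, len);
    return arena[0] != '\r';
}

int main(void)
{
    int n;
    printf("unchecked, \"\\n\": guard hit=%d\n", run_case(strip_cr_unchecked, "\n", &n));
    printf("checked,   \"\\n\": guard hit=%d\n", run_case(strip_cr_checked, "\n", &n));
    return 0;
}
```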
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (8 versions):
  - pkg:rpm/opensuse/transfig&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/transfig&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/transfig&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
  - pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
  - pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015
- (no CPE) range: < 3.2.6a-lp151.4.3.1
- (no CPE) range: < 3.2.6a-lp151.4.3.1
- (no CPE) range: < 3.2.8a-5.1
- (no CPE) range: < 3.2.5e-2.8.2
- (no CPE) range: < 3.2.5e-2.8.2
- (no CPE) range: < 3.2.5e-2.8.2
- (no CPE) range: < 3.2.5e-2.8.2
- (no CPE) range: < 3.2.6a-4.3.51
Patches
No patches discovered yet.
References
- usn.ubuntu.com/3760-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- lists.debian.org/debian-lts-announce/2020/01/msg00018.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/p/mcj/tickets/28/ (mitre, x_refsource_MISC)