VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2019 · Updated Aug 5, 2024

CVE-2019-19555

Description

Stack-based buffer overflow in fig2dev 3.2.7b due to improper sscanf bounds in read_textobject, allowing potential RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in the read_textobject() function in read.c of fig2dev version 3.2.7b. The vulnerability is caused by an incorrect sscanf() call that does not properly limit the size of the data read into a stack buffer, allowing attacker-controlled input to overflow the buffer [1]. The affected function is invoked when processing text objects within FIG files, meaning any FIG file that includes such objects can trigger the flaw.

Exploitation

An attacker can trigger the overflow by providing a specially crafted FIG file containing a text object with oversized fields. No authentication is required; the user only needs to process the malicious file with fig2dev (e.g., by converting it to another format). The reproduction command detailed in the disclosure uses fig2dev without additional flags, indicating that default usage is sufficient [1]. The stack overflow is triggered during parsing by the sscanf call at read.c:1331.

Impact

Successful exploitation overflows the stack buffer, which can corrupt adjacent memory. An attacker can potentially leverage this to execute arbitrary code or cause a denial of service (crash). The overflow is confirmed by AddressSanitizer's stack-buffer-overflow error [1], and the WRITE of size 628 bytes indicates significant memory corruption. Since fig2dev is commonly used in scripting and automated image processing pipelines, a crafted file could compromise the integrity of the host system.

Mitigation

As of the reference date, no patched version has been released. The ticket was closed on 2019-12-11, but no fix is documented in the provided reference [1]. Users should avoid processing untrusted FIG files with fig2dev 3.2.7b. The project maintainers should release an update that adds proper bounds checking to the sscanf call in read_textobject(). This CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog.
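
The bug class described under Vulnerability and the bounds check called for under Mitigation, shown as an added C example that is not fig2dev's code. The function names, the TEXT_MAX capacity and the simplified "font text" line format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 63            /* assumed capacity, excluding the NUL */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Unsafe pattern: %[^\n] has no field width, so sscanf copies the rest of
 * the line into buf regardless of its size. Only safe for short input. */
int parse_text_unbounded(const char *line, int *font, char buf[TEXT_MAX + 1])
{
    return sscanf(line, "%d %[^\n]", font, buf);
}

/* Hardened form: the width caps the copy at TEXT_MAX bytes plus the NUL,
 * and %n reports where parsing stopped so truncation can be rejected.
 * Returns 0 on success, -1 on malformed input, -2 if the text is too long. */
int parse_text_bounded(const char *line, int *font, char buf[TEXT_MAX + 1])
{
    int consumed = 0;
    buf[0] = '\0';
    if (sscanf(line, "%d %" STR(TEXT_MAX) "[^\n]%n", font, buf, &consumed) != 2)
        return -1;
    /* Anything left other than a newline means the field exceeded the cap. */
    if (line[consumed] != '\0' && line[consumed] != '\n')
        return -2;
    return 0;
}

int main(void)
{
    char buf[TEXT_MAX + 1];
    char longline[700];
    int font;

    /* Constructed input: a font number followed by 600 bytes of text. */
    int off = snprintf(longline, sizeof longline, "4 ");
    memset(longline + off, 'A', 600);
    longline[off + 600] = '\0';

    printf("short: %d\n", parse_text_bounded("4 hello world\n", &font, buf));
    printf("long:  %d (kept %zu bytes)\n",
           parse_text_bounded(longline, &font, buf), strlen(buf));
    return 0;
}
```

Building a parser like this with -fsanitize=address and feeding it oversized lines is a quick regression check that the width limit holds.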

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

24

Patches

0

No patches discovered yet.

References

2
