VYPR
Unrated severity · NVD Advisory · Published Apr 29, 2021 · Updated Aug 4, 2024

CVE-2020-18032

Description

A heap-buffer-overflow in Graphviz's parse_reclbl function allows arbitrary code execution or DoS via a crafted DOT file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-buffer-overflow exists in Graphviz, at commit f8b9e035 and earlier, in the parse_reclbl function in lib/common/shapes.c (line 3311). It is triggered by a DOT file that declares a node with shape=record and an incomplete record label such as label="<": the label parser writes one byte (a NUL terminator) past the end of its heap buffer, an off-by-null write. All builds up to and including commit f8b9e035 are affected [1].

Exploitation

An attacker exploits this by supplying a crafted DOT file to a victim who processes it with the dot command or any Graphviz tool that lays out record shapes. No authentication or special privileges are required; in the reported scenario the attacker relies on social engineering to get the file opened, but any service that renders user-supplied DOT (documentation generators, wikis, web front-ends for dot) reaches the same code path without it. The crash occurs during layout, in dotLayout, as demonstrated with the input digraph structs { struct [shape=record,label="<"]; } [1].

Impact

Successful exploitation causes a denial of service (application crash) and, per the advisory, may allow arbitrary code execution; any code would run with the privileges of the user or service that invoked Graphviz [1][4]. The references demonstrate only the crash (an ASAN-reported heap-buffer-overflow); an off-by-null write corrupts at most the first byte of the adjacent heap allocation, and no working code-execution chain is cited.

Mitigation

The issue is fixed in Graphviz 2.47.1 and later; users should upgrade. Distributions have shipped updates, for example Gentoo GLSA 202107-04 recommends >=media-gfx/graphviz-2.47.1 [4]. No workaround is available for unpatched versions [4], so until the upgrade is applied, DOT input from untrusted sources should not be rendered.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 84

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Off-by-null (heap-buffer-overflow) in `parse_reclbl` when parsing a malformed record label with an incomplete bracket, writing 1 byte past the end of a 2-byte heap buffer."

Attack vector

An attacker crafts a Graphviz DOT file containing a node with `shape=record` and a malformed `label` attribute (e.g., `label="<"`). When the victim runs `dot` on this file, the `parse_reclbl` function writes 1 byte past the end of a 2-byte heap buffer, causing a heap-buffer-overflow [ref_id=1]. This can lead to arbitrary code execution or a denial of service via application crash [ref_id=1].

Affected code

The vulnerability resides in the `parse_reclbl` function within `lib/common/shapes.c` at line 3311 [ref_id=1]. The crash backtrace shows the call chain: `parse_reclbl` is called by `record_init` (line 3556), which is invoked during node initialization in `common_init_node` and ultimately triggered by `dotLayout` [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] identifies the bug as an off-by-null (heap overflow) in `parse_reclbl` at `lib/common/shapes.c:3311`, triggered by a malformed record label. A proper fix would need to add bounds checking in `parse_reclbl` to ensure the parser does not write beyond the allocated buffer when processing incomplete or malformed label syntax.
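To make the mechanics concrete, the following C program is an added illustration written for this page; it is not Graphviz's parse_reclbl nor its fix. It models a record-label parser with the sizing the advisory describes (a scratch buffer of label length plus one, shared by port names and field text and reused for every field) and the rule that an empty field is stored as a space. The store is guarded so the vulnerable path can be exercised without corrupting the heap: it records where each byte would have landed. With label "<" the unhardened path tries to store a third byte into the two-byte buffer, matching the one-byte-past-the-end write in the ASAN report; the hardened path rejects an unterminated port before it stores anything. The names (parse_record_label, put, lbl_result) and the exact grammar are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Graphviz code: a cut-down model of a record-label
 * parser that reproduces the sizing mistake behind the off-by-null. Names and
 * grammar are assumptions of the model. */

/* Outcome of one parse: how far the stores reached versus the buffer size. */
typedef struct {
    size_t cap;         /* scratch bytes allocated: strlen(label)+1, minimum 2 */
    size_t high_water;  /* one past the highest index the parser tried to store */
    bool overflowed;    /* some store landed at an index >= cap */
    bool rejected;      /* parser refused the label as malformed */
    int fields;         /* fields completed */
    int ports;          /* ports completed */
} lbl_result;

/* Scratch buffer with a guarded store: an out-of-range store is counted and
 * dropped instead of corrupting the heap, so the vulnerable path runs safely. */
typedef struct {
    char *buf;
    size_t cap;
    size_t pos;
    lbl_result *r;
} scratch;

static void put(scratch *s, char c)
{
    if (s->pos + 1 > s->r->high_water)
        s->r->high_water = s->pos + 1;
    if (s->pos >= s->cap) {          /* the byte ASAN would report */
        s->r->overflowed = true;
        s->pos++;
        return;
    }
    s->buf[s->pos++] = c;
}

/* Grammar of the model: fields are separated by '|', a field may start with
 * "<port>", and an empty field is stored as a single space so it still renders
 * as a box. Port name and text share one buffer, reset per field and sized to
 * the whole label plus one NUL, which assumes a field never needs more bytes
 * than its input characters plus one terminator. An unterminated "<" breaks
 * that: port NUL, empty-field space and text NUL are three bytes for one input
 * byte, one past a two-byte buffer. hardened=true rejects it before storing. */
static lbl_result parse_record_label(const char *label, bool hardened)
{
    lbl_result r = {0};
    size_t len = strlen(label);
    r.cap = (len < 1 ? 1 : len) + 1;
    char *buf = calloc(r.cap, 1);
    scratch s = { buf, r.cap, 0, &r };
    bool in_port = false, has_text = false;
    const char *p = label;

    for (;;) {
        char c = *p;
        if (c == '<') {
            if (in_port) { r.rejected = true; break; }   /* nested '<' */
            in_port = true;
            p++;
        } else if (c == '>') {
            if (!in_port) { r.rejected = true; break; }  /* stray '>' */
            put(&s, '\0');                               /* end of port name */
            in_port = false;
            r.ports++;
            p++;
        } else if (c == '|' || c == '\0') {
            if (in_port) {
                if (hardened) { r.rejected = true; break; }
                put(&s, '\0');   /* vulnerable: silently close the port */
                in_port = false;
                r.ports++;
            }
            if (!has_text)
                put(&s, ' ');    /* empty field becomes a space */
            put(&s, '\0');       /* end of field text */
            r.fields++;
            has_text = false;
            s.pos = 0;           /* buffer reused for the next field */
            if (c == '\0') break;
            p++;
        } else {
            put(&s, c);          /* port-name or text character */
            if (!in_port) has_text = true;
            p++;
        }
    }
    free(buf);
    return r;
}

int main(void)
{
    const char *labels[] = { "<", "<f0> left|<f1> right", "" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        lbl_result v = parse_record_label(labels[i], false);
        lbl_result h = parse_record_label(labels[i], true);
        printf("label=\"%s\" cap=%zu vulnerable: high_water=%zu overflow=%d "
               "hardened: rejected=%d\n", labels[i], v.cap, v.high_water,
               v.overflowed, h.rejected);
    }
    return 0;
}
```

Only the one-character label "<" overflows in this model: every other field, including an empty label or a label with a terminated empty port "<>", fits in its length-plus-one buffer because the separators '<', '>' and '|' consume input characters without producing output bytes. That is why a byte-accounting fix (rejecting the unterminated port, or bounds-checking every store) closes the hole without changing how well-formed record labels parse.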

Preconditions

  • The victim must process a crafted DOT file with Graphviz at commit f8b9e035 or earlier
  • The crafted file must contain a node with shape=record and a malformed label (e.g., label="<")

Reproduction

Create a file with the following content and run `dot filename`:

```dot
digraph structs { struct [shape=record,label="<"]; }
```

This triggers a heap-buffer-overflow in `parse_reclbl` at `lib/common/shapes.c:3311`, as confirmed by the ASAN report [ref_id=1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)