CVE-2020-21531
Description
A global buffer overflow in fig2dev 3.2.7b's conv_pattern_index function can be triggered by a crafted FIG file, leading to a crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In fig2dev version 3.2.7b, the conv_pattern_index function in gencgm.c (line 533) contains a global buffer overflow vulnerability [1]. The function reads from a global array without proper bounds checking, allowing an out-of-bounds read when processing a specially crafted FIG file. The issue is triggered during the conversion of FIG files to CGM format.
Exploitation
An attacker can exploit this vulnerability by providing a malicious FIG file to the fig2dev utility. The user must run fig2dev on the crafted file, which causes the conv_pattern_index function to read beyond the bounds of a global array, as demonstrated by the AddressSanitizer output showing a READ of size 4 at an invalid address [1]. No authentication or special privileges are required beyond the ability to supply the input file.
Impact
Successful exploitation results in a denial of service (DoS) due to the application crash caused by the global buffer overflow. The crash is confirmed by the AddressSanitizer report [1]. The impact is limited to availability; there is no indication of code execution or information disclosure from the available references.
Mitigation
As of the latest available information, no official patch has been released for this vulnerability. The ticket on the project's issue tracker is closed but does not mention a fix [1]. Users should avoid processing untrusted FIG files with fig2dev 3.2.7b until a patched version is available. Upgrading to a newer version of fig2dev may address the issue, but no specific fixed version has been identified.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords, 22 versions:
- pkg:rpm/opensuse/transfig&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 3.2.8b-lp152.6.9.1
- pkg:rpm/opensuse/transfig&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 3.2.8b-bp153.3.6.3
- pkg:rpm/opensuse/transfig&distro=openSUSE%20Tumbleweed (no CPE), range: < 3.2.8b-2.1
- pkg:rpm/suse/transfig&distro=HPE%20Helion%20OpenStack%208 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 (no CPE), range: < 3.2.8b-160.16.2
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS (no CPE), range: < 3.2.8b-160.16.2
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP2 (no CPE), range: < 3.2.8b-4.15.1
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP3 (no CPE), range: < 3.2.8b-4.15.1
- pkg:rpm/suse/transfig&distro=SUSE%20OpenStack%20Cloud%208 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 3.2.8b-2.20.1
- pkg:rpm/suse/transfig&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE), range: < 3.2.8b-bp152.3.6.2
- pkg:rpm/suse/transfig&distro=SUSE%20Package%20Hub%2015%20SP3 (no CPE), range: < 3.2.8b-bp153.3.6.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on the pattern index in conv_pattern_index allows reading past the end of the 88-byte map_pattern global array."
Attack vector
An attacker provides a crafted FIG file that causes `conv_pattern_index` to access an index beyond the 88-byte `map_pattern` global array [ref_id=1]. The overflow is a read of 4 bytes at an address 0 bytes to the right of `map_pattern` [ref_id=1]. The bug is triggered during normal processing of the FIG file by fig2dev, requiring no special privileges beyond the ability to supply a malicious input file [ref_id=1].
Affected code
The vulnerability resides in the `conv_pattern_index` function at `gencgm.c:533` [ref_id=1]. The global buffer `map_pattern`, defined at `gencgm.c:138` with a size of 88 bytes, is read beyond its bounds [ref_id=1]. The call chain is `conv_pattern_index` → `hatchindex` (line 543) → `shape` (line 638) → `gencgm_line` (line 1044) [ref_id=1].
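The shape of the bug described above, and of the bounds check that would close it, as an added illustration that is not fig2dev's code: `map_pattern`, `conv_pattern_index_unchecked`, `conv_pattern_index_checked` and `validate_patterns` are hypothetical stand-ins, and the 22-entry table of 4-byte values (88 bytes in total) is constructed only to match the sizes in the AddressSanitizer report.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the 88-byte map_pattern global: 22 four-byte
 * entries, matching the 4-byte read ASan reported. Values are constructed
 * for this illustration; they are not fig2dev's real pattern table. */
#define MAP_PATTERN_LEN 22
static const int32_t map_pattern[MAP_PATTERN_LEN] = {
    100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110,
    111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121
};

/* Shape of the bug: the pattern index comes straight from the FIG file and
 * is used as a subscript with no range check. Any index >= 22 (or negative)
 * reads outside map_pattern, which is the global-buffer-overflow ASan
 * flagged. Only ever call this with an index that was already validated. */
static int32_t conv_pattern_index_unchecked(int pattern)
{
    return map_pattern[pattern];
}

/* Hardened lookup: reject file-controlled indices outside [0, 22) before
 * touching the table. Returns 0 and stores the value on success, -1 on an
 * out-of-range index (the sentinel is ours; fig2dev's own error handling
 * is not described on the page). */
static int conv_pattern_index_checked(int pattern, int32_t *out)
{
    if (pattern < 0 || pattern >= MAP_PATTERN_LEN)
        return -1;
    *out = map_pattern[pattern];
    return 0;
}

/* Validate every pattern index taken from a parsed file up front, so the
 * conversion never reaches an unchecked subscript. Returns the number of
 * indices rejected; accepted values are copied to out[] in order. */
static size_t validate_patterns(const int *patterns, size_t n, int32_t *out)
{
    size_t rejected = 0, kept = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t v;
        if (conv_pattern_index_checked(patterns[i], &v) != 0) {
            rejected++;        /* crafted or corrupt index: drop it */
            continue;
        }
        out[kept++] = v;
    }
    return rejected;
}
```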
What the fix does
No patch is included in the bundle. The ticket [ref_id=1] reports the bug against fig2dev 3.2.7b and notes it is reproducible in git commit [3065ab], but no fix commit or remediation guidance is provided in the reference. The advisory does not specify a resolution.
Preconditions
- Input: the attacker must supply a crafted FIG file that triggers an out-of-bounds index in conv_pattern_index
- Input: the fig2dev tool must process the malicious FIG file
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.debian.org/debian-lts-announce/2021/10/msg00002.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2023/01/msg00044.html (mitre, mailing-list)
- sourceforge.net/p/mcj/tickets/63/ (mitre)
News mentions
No linked articles in our index yet.