VYPR
Unrated severity · NVD Advisory · Published Sep 16, 2021 · Updated Aug 4, 2024

CVE-2020-21532

Description

A global buffer overflow in fig2dev 3.2.7b's setfigfont function in genepic.c can lead to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a global buffer overflow in the setfigfont function located in genepic.c (line 1239) of fig2dev version 3.2.7b. This occurs when handling specially crafted input. No specific configuration or conditions beyond processing a malicious file are required.

Exploitation

An attacker can trigger the overflow by providing a crafted .fig file or other supported input to fig2dev. No authentication or special privileges are needed; the victim or automated process simply runs fig2dev on the malicious file, leading to the memory corruption as demonstrated by AddressSanitizer [1].

Impact

Successful exploitation results in a global buffer overflow, causing a read of 8 bytes beyond the bounds of a global buffer. This can lead to a crash (denial of service) or potentially allow further memory corruption. The impact is primarily on availability and possibly integrity, though code execution was not proven in the reference [1].

Mitigation

No fixed version was explicitly released as of December 2020. The issue is closed in the ticket but no patch is provided [1]. Users should consider updating to a later version if available (e.g., 3.2.8 or newer) or apply any security patches from the upstream project. If no update exists, limit use of fig2dev to trusted input.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 23

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking in setfigfont() allows reading beyond the texfontseries global array, causing a global-buffer-overflow."

Attack vector

An attacker provides a crafted FIG file that causes fig2dev to call setfigfont() at genepic.c:1239 with an out-of-bounds index into the global texfontseries array (defined in texfonts.c:36) [ref_id=1]. The overflow is a READ of size 8 at an address 40 bytes to the right of texfontseries, which is 8 bytes to the left of the adjacent texfontshape global [ref_id=1]. The crash occurs during normal FIG-to-EPIC conversion when gendev_objects (fig2dev.c:1003) processes the crafted text object [ref_id=1]. No authentication or special privileges are required beyond the ability to supply a malicious FIG file to the fig2dev utility.

Affected code

The vulnerable function is setfigfont() at fig2dev-3.2.7b/fig2dev/dev/genepic.c:1239 [ref_id=1]. The overflow reads from the global array texfontseries defined in texfonts.c:36, which has a size of 48 bytes [ref_id=1]. The call chain is genepic_text() at genepic.c:1312 → setfigfont(), invoked via gendev_objects() in fig2dev.c:1003 [ref_id=1].

What the fix does

The ticket references a fix in commit [3065ab], but the bundle does not include a patch diff or the commit contents [ref_id=1]. The advisory does not specify the exact remediation steps. Based on the nature of the bug, a proper fix would add bounds checking on the font index before accessing the texfontseries array in setfigfont() at genepic.c:1239, ensuring the index does not exceed the array size of 48 bytes (6 elements).
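The bounds check described above, as an added illustration that is not fig2dev's code and not the contents of the referenced commit: a constructed six-entry stand-in for the texfontseries table, the unchecked lookup pattern beside a checked one. The table entries, the integer font-index parameter and the _unchecked/_checked function names are assumptions.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the texfontseries global: six pointers, which
 * on a 64-bit build is the 48 bytes the advisory reports. The entries are
 * made up for illustration and are not fig2dev's table. */
static const char *texfontseries[] = {
    "\\mdseries", "\\bfseries", "\\mdseries",
    "\\bfseries", "\\mdseries", "\\bfseries",
};
#define NUM_FONTSERIES (sizeof texfontseries / sizeof texfontseries[0])

/* Vulnerable pattern: the index derived from the FIG text object is used
 * directly, so an index of 6 or more (or a negative one) reads outside the
 * array, which is the kind of access AddressSanitizer flagged. Never
 * called below. */
const char *setfigfont_unchecked(int font_index)
{
    return texfontseries[font_index];
}

/* Validation step a fix would add before the table access. */
bool font_index_in_range(int font_index)
{
    return font_index >= 0 && (size_t)font_index < NUM_FONTSERIES;
}

/* Hardened lookup: reject out-of-range indices and fall back to entry 0
 * instead of reading the adjacent globals. */
const char *setfigfont_checked(int font_index)
{
    if (!font_index_in_range(font_index)) {
        fprintf(stderr, "font index %d out of range, using default\n",
                font_index);
        font_index = 0;
    }
    return texfontseries[font_index];
}

int main(void)
{
    /* Index 7 stands in for a value a crafted text object could produce. */
    printf("%s\n", setfigfont_checked(7));
    return 0;
}
```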

Preconditions

  • Input: Attacker must supply a crafted FIG file that triggers the out-of-bounds read in setfigfont()

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.