VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 16, 2021· Updated Aug 4, 2024

CVE-2020-21533

CVE-2020-21533

Description

fig2dev 3.2.7b has a stack buffer overflow in read_textobject() that can be triggered by a crafted FIG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

fig2dev 3.2.7b has a stack buffer overflow in read_textobject() that can be triggered by a crafted FIG file.

Vulnerability

fig2dev version 3.2.7b contains a stack buffer overflow in the read_textobject function in read.c at line 1378 [1]. The function is called when parsing text objects from FIG files. A specially crafted FIG file can trigger a read of size 1 beyond the bounds of a stack buffer.

Exploitation

An attacker can exploit this vulnerability by providing a malicious FIG file to a user who processes it with fig2dev. No authentication or special privileges are required; the user only needs to open the file. The ASAN trace shows the overflow occurs during the parsing of the file [1].

Impact

The stack buffer overflow can cause a crash (denial of service) and may potentially lead to information disclosure due to the out-of-bounds read. The exact impact depends on the memory layout, but the vulnerability is classified as a stack buffer overflow.

Mitigation

The reference ticket is closed, but no fixed version is explicitly mentioned [1]. Users should avoid processing untrusted FIG files with fig2dev 3.2.7b until a patched version is released.

References
  1. Xfig / Tickets / #59 stack-buffer-overflow in read_textobject() function

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

24

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking when reading text object data into a fixed-size stack buffer in read_textobject() allows a stack-buffer-overflow."

Attack vector

An attacker provides a crafted FIG file containing a text object whose data exceeds the size of the stack-allocated buffer 's' (8192 bytes) in read_textobject() [ref_id=1]. When fig2dev processes the file via readfp_fig() -> read_objects() -> read_compoundobject() -> read_textobject(), the oversized input overflows the buffer, as shown by the ASan report at read.c:1378 [ref_id=1]. No authentication or special privileges are required; the victim only needs to open the malicious FIG file with fig2dev.

Affected code

The vulnerable function is read_textobject() in fig2dev/read.c at line 1378 [ref_id=1]. The stack frame allocates a buffer 's' of 8192 bytes (offset 224 to 8416) and a buffer 's_temp' of 8192 bytes (offset 8448 to 16640) [ref_id=1]. The overflow occurs when reading text object data into 's' without sufficient length validation.

What the fix does

The advisory does not include a patch or describe a specific fix [ref_id=1]. The ticket was closed but no code change is shown. To remediate, the read_textobject() function at read.c:1304-1378 must add bounds checking on the input copied into the stack buffer 's' (size 8192 bytes) to prevent overflow when the text object data exceeds that length [ref_id=1].

Preconditions

  • inputVictim must open a crafted FIG file with fig2dev
  • authNo authentication required

Reproduction

Run fig2dev on a crafted FIG file that triggers the overflow in read_textobject() at read.c:1378. The reporter states: "Please run following command to reproduce it" but the exact command and PoC file are not included in the ticket [ref_id=1]. The ASan output confirms the crash occurs at read.c:1378 when processing the malicious input.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.