CVE-2020-21534

An attacker provides a crafted FIG file that triggers a global-buffer-overflow in the get_line function at read.c:1528 [ref_id=1]. The overflow occurs when the function reads beyond the boundary of the global variable 'gif_colnum' (4 bytes at read.c:80) into adjacent memory, specifically 1 byte to the left of the global 'buf' array (8192 bytes at read.c:81) [ref_id=1]. The bug is reachable through the normal file-processing path: read_fig (read.c:142) calls readfp_fig (read.c:172), which calls read_objects (read.c:278), which invokes get_line [ref_id=1]. No authentication or special privileges are required beyond the ability to supply a malicious FIG file to fig2dev.

The global-buffer-overflow occurs in the get_line function at read.c:1528 [ref_id=1]. The call chain is: main (fig2dev.c:422) → read_fig (read.c:142) → readfp_fig (read.c:172) → read_objects (read.c:278) → get_line (read.c:1528) [ref_id=1]. The adjacent global variables involved are 'gif_colnum' (defined at read.c:80, size 4 bytes) and 'buf' (defined at read.c:81, size 8192 bytes) [ref_id=1].

No patch is included in the bundle. The advisory [ref_id=1] reports the bug in fig2dev 3.2.7b and confirms it is reproducible in the git master branch, but does not provide a fix or remediation guidance. The ticket was closed without an attached patch, so no official fix is documented in the available materials.

The advisory [ref_id=1] states: "Please run following command to reproduce it" but the command itself is not included in the ticket body. The ASan output shows the crash occurs when processing a FIG file through fig2dev. No explicit reproduction steps or PoC file are provided in the bundle.