CVE-2020-21675
Description
Stack-based buffer overflow in fig2dev 3.2.7b genptk_text function allows denial of service via crafted xfig file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in the genptk_text function in genptk.c (line 618) of fig2dev version 3.2.7b. This flaw is a classic stack-based buffer overflow (CWE-121 [1]). The overflow occurs when converting a specially crafted xfig file to the PTK format using the -L ptk option. The affected code path is reachable when processing fonts in the input file.
Exploitation
An attacker can exploit this vulnerability by supplying a malicious xfig file to a user running fig2dev. No authentication or special network access is required; the attack vector is local or via file download. When the victim executes fig2dev -L ptk input.xfig output.ptk, the crafted file triggers a write of size 1 beyond the bounds of a stack buffer, as reported in the ticket [2]. The exact steps involve constructing a file that causes excessive writing during font handling.
Impact
Successful exploitation results in a denial of service (DoS) due to program crash. The vulnerability allows an attacker to cause fig2dev to terminate abnormally, potentially disrupting workflows. No code execution or privilege escalation is mentioned in the available references; the impact is limited to application availability.
Mitigation
As of the available references, no official patch has been identified for this version. Users are advised to limit the use of fig2dev with untrusted xfig files or consider upgrading to a newer version if a fix becomes available. The ticket [2] is closed but does not specify a fix. Monitor the fig2dev project for updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- fig2dev/fig2dev (description)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stack-buffer-overflow in genptk_text at genptk.c:618 due to writing beyond the bounds of a fixed-size stack buffer 'stfp' (line 521) when converting a specially crafted xfig file into ptk format."
Attack vector
An attacker provides a maliciously crafted xfig file that, when processed by fig2dev's conversion to ptk format, causes the genptk_text function to write past the end of the stack-allocated buffer 'stfp' (size 2048 bytes, offset [32, 2080]) [ref_id=1]. The overflow occurs at genptk.c:618 during a WRITE of size 1, triggered via the normal command-line invocation of fig2dev on the crafted input file [ref_id=1]. No authentication or special network access is required; the attacker only needs to deliver the file to the victim for processing.
Affected code
The vulnerable function is genptk_text in fig2dev/dev/genptk.c, specifically at line 618 [ref_id=1]. The stack buffer 'stfp' is declared at line 521 with a size of 2048 bytes (offset [32, 2080]), and the overflow occurs when writing to this buffer beyond its allocated bounds [ref_id=1]. The call chain is main → gendev_objects (fig2dev.c:1012) → genptk_text (genptk.c:618) [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] reports the stack-buffer-overflow in genptk_text at genptk.c:618 in fig2dev version 3.2.7b (commit 93795dd396730c80e63767dede7777f4cb7dc383) but does not provide a fix or remediation guidance. The ticket was closed without an attached patch, so no official fix is documented in the available references.
Preconditions
- input: Victim runs fig2dev to convert a crafted xfig file into ptk format
- auth: No authentication or special privileges required
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cwe.mitre.org/data/definitions/121.html (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2021/10/msg00002.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/p/mcj/tickets/78/ (mitre, x_refsource_MISC)