CVE-2020-21678
Description
A global buffer overflow in genmp.c of fig2dev 3.2.7b allows denial of service via crafted xfig file conversion to mp format.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A global buffer overflow exists in the genmp_writefontmacro_latex function within genmp.c of fig2dev version 3.2.7b. The flaw occurs at line 1274 of the source file and is triggered when converting a specially crafted Xfig file to MetaPost (mp) format. No authentication or special privileges are required; the attacker only needs to supply a malicious .fig file to the converter.
Exploitation
An attacker can exploit this vulnerability by providing a crafted Xfig file to the fig2dev utility. When the program processes the file and enters the genmp_writefontmacro_latex code path, an out-of-bounds read of 8 bytes occurs, as demonstrated by the AddressSanitizer output [1]. No user interaction beyond invoking the conversion command is necessary; the attack is triggered automatically during processing.
Impact
Successful exploitation causes a denial of service (DoS) due to the global buffer overflow. The vulnerability is read-based, leading to a crash of the fig2dev process [1]. The impact is limited to availability; no code execution or privilege escalation is implied by available information.
Mitigation
The issue was reported in December 2019 and closed in December 2020 [1]. As of the publication date (2021-08-10), a patched version has not been explicitly identified in the reference. Users should monitor the fig2dev repository for updates or consider avoiding conversion of untrusted Xfig files as a workaround.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- fig2dev/fig2dev
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking when accessing the global array `texfontfamily` in `genmp_writefontmacro_latex` allows an out-of-bounds read 8 bytes before the array."
Attack vector
An attacker provides a crafted Xfig file that, when converted to MP format by fig2dev, triggers a global-buffer-overflow in `genmp_writefontmacro_latex` at `genmp.c:1274` [1]. The overflow is a READ of size 8 at an address 8 bytes to the left of the global variable `texfontfamily` (defined in `texfonts.c:27:13`) [1]. The crash occurs during the `genmp_text` call chain when processing font-related data from the input file [1]. No authentication or special privileges are required beyond the ability to supply a malicious `.fig` file to the converter.
Affected code
The vulnerable function is `genmp_writefontmacro_latex` in `genmp.c` at line 1274 [1]. It is called from `genmp_text` (genmp.c:1074), which is invoked via `gendev_objects` in `fig2dev.c:1003` [1]. The overflow accesses memory 8 bytes before the global array `texfontfamily` defined in `texfonts.c:27:13` [1].
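The bounds check whose absence the root cause describes, shown as an added illustration that is not fig2dev's code: the `texfontfamily` contents, the `lookup_fontfamily`, `resolve_font_field` and `font_field_ok` helpers and the sample field values are all constructed here, and a negative index is rejected before it can read one pointer (8 bytes on a 64-bit build) before the array.

```c
#include <limits.h>
#include <stdlib.h>

/* Constructed stand-in for the global texfontfamily table in texfonts.c;
 * the real entries are not on the page, these names are placeholders. */
static const char *const texfontfamily[] = {
    "\\rmfamily", "\\sffamily", "\\ttfamily", "\\rmfamily"
};
#define TEXFONTFAMILY_COUNT \
    ((int)(sizeof texfontfamily / sizeof texfontfamily[0]))

/* Checked lookup of a font index taken from an untrusted .fig file.
 * Without the range test, index -1 would read one pointer (8 bytes on a
 * 64-bit build) before the array, the shape of the crash reported for
 * this CVE; out-of-range indices return NULL instead. */
const char *lookup_fontfamily(int font)
{
    if (font < 0 || font >= TEXFONTFAMILY_COUNT)
        return NULL;
    return texfontfamily[font];
}

/* Parse a numeric font field as it might appear on a text-object line:
 * empty, non-numeric, negative or oversized values are rejected before
 * the index reaches the table. Returns 1 and sets *family on success. */
int resolve_font_field(const char *field, const char **family)
{
    char *end;
    long v;

    *family = NULL;
    if (field == NULL || *field == '\0')
        return 0;
    v = strtol(field, &end, 10);
    if (end == field || (*end != '\0' && *end != ' ' && *end != '\n'))
        return 0;
    if (v < 0 || v > INT_MAX)
        return 0;
    *family = lookup_fontfamily((int)v);
    return *family != NULL;
}

/* 1 if the field resolves to a known family, 0 if it was rejected. */
int font_field_ok(const char *field)
{
    const char *family;
    return resolve_font_field(field, &family);
}
```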
What the fix does
No patch is included in the bundle. The advisory [1] reports the bug as a ticket but does not provide a fix commit or remediation guidance. The issue was reproducible in both fig2dev 3.2.7b and git commit 3065ab [1]. Without a published fix, users should avoid converting untrusted Xfig files with the affected versions.
Preconditions
- Input: Attacker must supply a crafted Xfig (.fig) file that triggers the overflow when converted to MP format.
- Network: No network precondition; the attack is local or file-based.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. sourceforge.net/p/mcj/tickets/71/
News mentions
No linked articles in our index yet.