CVE-2020-21680
Description
Stack-based buffer overflow in fig2dev's put_arrow function allows denial of service via a crafted Xfig file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in the put_arrow() function in genpict2e.c of fig2dev version 3.2.7b [1]. It is triggered while converting a specially crafted Xfig file into the pict2e output format [1]. AddressSanitizer places the faulting access at line 1191 of genpict2e.c [1].
Exploitation
An attacker triggers the bug by getting a victim to run fig2dev on a malicious Xfig file with pict2e selected as the output language (fig2dev -L pict2e) [1]. No privileges or authentication are required beyond the ability to supply the input file [1]. The reporter reproduced the crash under AddressSanitizer, which reported a 4-byte out-of-bounds READ of a stack variable (ASan classifies it as stack-buffer-overflow) [1].
Impact
Successful exploitation crashes the fig2dev process, i.e. a denial of service (DoS) [1]. The crash occurs during normal processing of the file and aborts the conversion [1]. No remote code execution or privilege escalation has been documented for this CVE [1]. Note that the documented defect is a 4-byte read just past a stack variable: in a build without AddressSanitizer such a read may not fault at all and may instead feed stale stack contents into the output, so the observable effect depends on how the binary was built.
Mitigation
The upstream ticket for this issue (mcj ticket #74) was closed on 2020-12-21, indicating that a fix was available by then [1]. Users of version 3.2.7b should update to a patched release; the distribution package versions listed under Affected products (3.2.8a- and 3.2.8b-based builds) carry the fix. No upstream patch diff is included in the bundle behind this page.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- fig2dev/fig2dev (from the CVE description; no version bound given)
- OSV coordinates, 22 package versions (transfig RPMs; each platform is followed by the first fixed version-release, so anything older is affected):
  - pkg:rpm/opensuse/transfig, openSUSE Leap 15.2: < 3.2.8b-lp152.6.9.1
  - pkg:rpm/opensuse/transfig, openSUSE Leap 15.3: < 3.2.8b-bp153.3.6.3
  - pkg:rpm/opensuse/transfig, openSUSE Tumbleweed: < 3.2.8a-5.1
  - pkg:rpm/suse/transfig, HPE Helion OpenStack 8: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Point of Sale 11 SP3: < 3.2.8a-1.160.13.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server 11 SP4-LTSS: < 3.2.8a-1.160.13.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server 12 SP2-BCL: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server 12 SP3-BCL: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server 12 SP3-LTSS: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server 12 SP4-LTSS: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server 12 SP5: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server for SAP Applications 12 SP3: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server for SAP Applications 12 SP4: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Workstation Extension 15 SP2: < 3.2.8b-4.15.1
  - pkg:rpm/suse/transfig, SUSE Linux Enterprise Workstation Extension 15 SP3: < 3.2.8b-4.15.1
  - pkg:rpm/suse/transfig, SUSE OpenStack Cloud 8: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE OpenStack Cloud 9: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE OpenStack Cloud Crowbar 8: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE OpenStack Cloud Crowbar 9: < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig, SUSE Package Hub 15 SP2: < 3.2.8b-bp152.3.6.2
  - pkg:rpm/suse/transfig, SUSE Package Hub 15 SP3: < 3.2.8b-bp153.3.6.3
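Deciding whether an installed transfig package is older than the fixed build for its platform requires rpm's own version ordering, not a plain string compare (3.2.8b sorts after 3.2.8, and release 6.12.1 after 6.9.1). The following is an added example, not code from this page or from the fig2dev project: a Python port of rpm's rpmvercmp() plus a check against a subset of the fixed version-release strings listed above. The platform-to-version pairing follows the order on this page; the installed version strings in the demo are constructed, and epochs are ignored since none appear on the page.

```python
import re

# Fixed transfig version-release strings from the affected-products list above
# (a representative subset; the remaining platforms follow the same pattern).
# Pairing of platform to version follows the order in which the page lists them.
FIXED_TRANSFIG = {
    "openSUSE Leap 15.2": "3.2.8b-lp152.6.9.1",
    "openSUSE Leap 15.3": "3.2.8b-bp153.3.6.3",
    "openSUSE Tumbleweed": "3.2.8a-5.1",
    "SUSE Linux Enterprise Server 11 SP4-LTSS": "3.2.8a-1.160.13.1",
    "SUSE Linux Enterprise Server 12 SP5": "3.2.8a-2.17.1",
    "SUSE Linux Enterprise Workstation Extension 15 SP2": "3.2.8b-4.15.1",
    "SUSE Package Hub 15 SP2": "3.2.8b-bp152.3.6.2",
}


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 like strcmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is not alphanumeric or '~') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before anything else, including the end of the string
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # the next segment is a run of digits or a run of letters, typed by 'a'
        if a[i].isdigit():
            pattern, numeric = r"\d+", True
        else:
            pattern, numeric = r"[A-Za-z]+", False
        ma = re.match(pattern, a[i:])
        mb = re.match(pattern, b[j:])
        if mb is None:
            # mismatched segment types: a numeric segment is always newer
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            # compare numerically without overflow: strip zeros, longer wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # whichever string still has segments left is the newer one
    return 1 if i < len(a) else -1


def version_release(vr: str):
    # rpm forbids '-' inside Version, so the first '-' separates it from Release
    v, _, r = vr.partition("-")
    return v, r


def compare_vr(a: str, b: str) -> int:
    va, ra = version_release(a)
    vb, rb = version_release(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(platform: str, installed_vr: str) -> bool:
    """True if the installed transfig version-release predates the fixed one."""
    return compare_vr(installed_vr, FIXED_TRANSFIG[platform]) < 0


if __name__ == "__main__":
    # constructed samples standing in for `rpm -q --qf '%{VERSION}-%{RELEASE}\n' transfig`
    for platform, installed in [("openSUSE Leap 15.2", "3.2.7b-lp152.3.1"),
                                ("openSUSE Leap 15.2", "3.2.8b-lp152.6.9.1")]:
        state = "VULNERABLE" if is_vulnerable(platform, installed) else "fixed"
        print(f"{platform}: transfig-{installed} is {state}")
```

The ordering rules that matter here are the two rpm quirks the port reproduces: numeric segments compare by value (so 17 sorts after 9) and a trailing alphabetic segment makes a version newer than the same version without it (3.2.8b is newer than 3.2.8), while a '~' segment makes it older.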
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stack-buffer-overflow in put_arrow() at genpict2e.c:1191 due to out-of-bounds read of a local variable."
Attack vector
An attacker provides a crafted Xfig file that, when converted to pict2e format by fig2dev, triggers a stack-buffer-overflow in `put_arrow()` [1]. The faulting access is a 4-byte READ just past the end of the stack variable `lx`, at line 1191 of `genpict2e.c` [1]. No special privileges are needed: the victim need only run fig2dev on the malicious file, which makes this a low-complexity denial-of-service vector.
Affected code
The vulnerable function is `put_arrow()` in `genpict2e.c`; the faulting read is at line 1191, reached from `genpict2e_arc()` at line 2575 [1]. ASan's description of the `put_arrow()` frame (declared at line 1152) lists the local `lx` at offsets [64, 68) and the local `points` at [80, 480); the faulting access is a 4-byte read at frame offset 72, which starts 4 bytes past the end of `lx` and lies in the redzone between the two variables, i.e. an out-of-bounds access [1].
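Reading an ASan stack-buffer-overflow report comes down to placing the faulting frame offset against the frame's object list, which is exactly the step the paragraph above performs by hand. The following is an added example, not code from this page or from fig2dev: a small parser for the frame section of an ASan report plus a classifier that says which object the access overruns and by how much. The sample report text is constructed for the example; the object offsets ([64, 68) for `lx`, [80, 480) for `points`), the access (READ of size 4 at offset 72) and the line numbers are the values the ticket gives, while the addresses are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of ASan's stack-buffer-overflow output.
# Offsets, access size, function names and line numbers match the ticket;
# the hex addresses are invented for the example.
SAMPLE_REPORT = """\
==1234==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd00000048 at pc 0x000000401234 bp 0x7ffd00000000 sp 0x7ffcffffffd0
READ of size 4 at 0x7ffd00000048 thread T0
    #0 0x401234 in put_arrow genpict2e.c:1191
    #1 0x402345 in genpict2e_arc genpict2e.c:2575
Address 0x7ffd00000048 is located in stack of thread T0 at offset 72 in frame
    #0 0x401000 in put_arrow genpict2e.c:1152
  This frame has 2 object(s):
    [64, 68) 'lx'
    [80, 480) 'points'
"""


@dataclass
class FrameObject:
    name: str
    beg: int   # frame offset of the first byte
    end: int   # one past the last byte (ASan prints half-open ranges)


@dataclass
class Access:
    kind: str    # "READ" or "WRITE"
    size: int
    offset: int  # offset of the access within the frame


def parse_report(text: str):
    """Extract the faulting access and the frame's object list from an ASan report."""
    m = re.search(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", text, re.M)
    o = re.search(r"at offset (\d+) in frame", text)
    if not (m and o):
        raise ValueError("not an ASan stack-buffer-overflow report")
    access = Access(m.group(1), int(m.group(2)), int(o.group(1)))
    objects = [FrameObject(name, int(beg), int(end))
               for beg, end, name in re.findall(r"^\s*\[(\d+), (\d+)\) '([^']+)'", text, re.M)]
    return access, objects


def classify(access: Access, objects) -> str:
    """Say where the accessed byte range [offset, offset+size) falls in the frame."""
    lo, hi = access.offset, access.offset + access.size
    overlap = [o for o in objects if o.beg < hi and o.end > lo]
    if overlap:
        o = overlap[0]
        if lo >= o.beg and hi <= o.end:
            return f"inside '{o.name}' (not an overflow)"
        return f"partially overlaps '{o.name}' [{o.beg}, {o.end})"
    # no object touched: the access sits in a redzone between (or beyond) objects
    below = [o for o in objects if o.end <= lo]
    above = [o for o in objects if o.beg >= hi]
    parts = []
    if below:
        prev = max(below, key=lambda o: o.end)
        parts.append(f"{lo - prev.end} bytes past the end of '{prev.name}'")
    if above:
        nxt = min(above, key=lambda o: o.beg)
        parts.append(f"{nxt.beg - hi} bytes before '{nxt.name}'")
    return f"{access.kind} of {access.size} bytes in a redzone: " + ", ".join(parts)


if __name__ == "__main__":
    acc, objs = parse_report(SAMPLE_REPORT)
    print(classify(acc, objs))
```

For the ticket's numbers the classifier reports a read in the redzone 4 bytes past `lx` and 4 bytes before `points`; because nothing lives at offsets 68 to 79, an unsanitized build would read poison-free but meaningless stack bytes there rather than crash, which is why the ASan classification matters for judging the impact.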
What the fix does
The ticket [1] reports the bug as reproducible at git commit [3065ab] and was closed on 2020-12-21, but the bundle behind this page contains no patch diff, so the code change itself cannot be described here. The fixed distribution packages under Affected products (3.2.8a- and 3.2.8b-based builds) show where the fix landed downstream. Until upgraded, the affected version (3.2.7b) should not be used to process untrusted Xfig files.
Preconditions
- Input: the victim runs fig2dev to convert a crafted Xfig file into pict2e format
- Authentication: none; no special privileges required
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] sourceforge.net/p/mcj/tickets/74/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.