CVE-2020-21684
Description
A global buffer overflow in fig2dev 3.2.7b's put_font function causes denial of service via crafted Xfig files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A global buffer overflow vulnerability exists in the put_font function within genpict2e.c of fig2dev version 3.2.7b. The issue occurs at line 2229 when processing a specially crafted Xfig file during conversion to the pict2e format. The vulnerability is triggered via the genpict2e_text function, which is called during the rendering of text objects in the figure [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious Xfig file that, when processed by fig2dev, causes an out-of-bounds read in the global buffer. The attack requires no special privileges beyond the ability to supply the crafted file for conversion. The crash occurs during normal file processing, triggered by the sequence of calls from main through gendev_objects and genpict2e_text to put_font [1].
Impact
Successful exploitation results in a denial of service (DoS) due to the program crash. The crash is caused by a global buffer overflow that leads to a read of memory beyond the allocated region. The vulnerability does not appear to allow arbitrary code execution based on available information, but it reliably terminates the fig2dev process, disrupting conversion operations [1].
Mitigation
At the time of this writing, the ticket [1] was closed on 2020-12-21, but no specific fix version was released for fig2dev. Users should check for updated releases of fig2dev (version 3.2.8 or later) that may include a patch. As a workaround, avoid processing untrusted Xfig files with vulnerable versions. No KEV listing is associated with this CVE.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- fig2dev/fig2dev
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking in put_font at genpict2e.c:2229 allows an out-of-bounds read relative to the texfonts global array."
Attack vector
An attacker provides a specially crafted Xfig file that, when converted to pict2e format by fig2dev, triggers a global-buffer-overflow in `put_font` [ref_id=1]. The overflow occurs during a read operation at `genpict2e.c:2229`, 8 bytes to the left of the global `texfonts` array [ref_id=1]. The attack requires no special privileges — the victim need only run fig2dev to convert the malicious .fig file [ref_id=1].
Affected code
The vulnerability is in the `put_font` function in `genpict2e.c` at line 2229, called from `genpict2e_text` at line 2278 [ref_id=1]. The ASAN report shows a global-buffer-overflow read of size 8 at this location [ref_id=1].
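The root cause above describes a table lookup whose index comes straight from the input file, so a negative value reads before the global array (one 8-byte pointer to its left on a 64-bit build). The following C is an added illustration of that bug class and its bounds-checked form; it is not fig2dev's code. The `texfonts` contents, the function names `put_font_unchecked`, `put_font_checked` and `read_font_index`, and the sample input fields are all constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a global font-name table like the
   `texfonts` array named in the ticket. Entries are constructed. */
#define NUM_TEXFONTS 5
const char *texfonts[NUM_TEXFONTS] = { "rm", "bf", "it", "sl", "tt" };

/* Pattern the root cause describes: the index taken from the input
   file indexes the table directly, so -1 reads the pointer just before
   the array and a large value reads past its end. Kept only for
   contrast with the checked form; never call it with untrusted input. */
const char *put_font_unchecked(int font)
{
    return texfonts[font];
}

/* Returns 1 when the index lies outside the table. */
int font_index_is_out_of_range(int font)
{
    return font < 0 || font >= NUM_TEXFONTS;
}

/* Hardened form: validate before indexing and fall back to the
   default font name for anything out of range. */
const char *put_font_checked(int font)
{
    if (font_index_is_out_of_range(font))
        return texfonts[0];
    return texfonts[font];
}

/* Parse a font field from a text object line. Returns 1 and stores the
   index only if the token is a complete decimal number that is within
   the table; non-numeric, trailing-garbage and out-of-range values are
   rejected at parse time so the lookup never sees them. */
int read_font_index(const char *token, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(token, &end, 10);
    if (end == token || *end != '\0' || errno == ERANGE)
        return 0;
    if (v < 0 || v >= NUM_TEXFONTS)
        return 0;
    *out = (int)v;
    return 1;
}

int main(void)
{
    /* Constructed font fields as they might appear in text objects of
       a .fig file: two in range, two out of range, one non-numeric. */
    const char *samples[] = { "0", "4", "-1", "99", "x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int font;
        if (read_font_index(samples[i], &font))
            printf("field %-3s -> %s\n", samples[i], put_font_checked(font));
        else
            printf("field %-3s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Rejecting the value where it is parsed, rather than only at the lookup, is the cheaper place to stop this class of bug: a reader of the file format then cannot hand a negative or oversized index to any table in the generator, not just this one.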
What the fix does
No patch is included in the bundle. The ticket [ref_id=1] reports the bug as reproducible in fig2dev 3.2.7b and in git commit [3065ab], but the ticket was closed without an attached fix or commit resolving the overflow [ref_id=1]. The advisory does not specify remediation steps.
Preconditions
- Victim must run fig2dev to convert a .fig file to pict2e format
- Attacker must supply a crafted Xfig (.fig) file that triggers the overflow in put_font
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. sourceforge.net/p/mcj/tickets/75/ (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.