CVE-2021-32280

Vulnerability

A NULL pointer dereference exists in the function compute_closed_spline() in trans_spline.c in fig2dev versions prior to 3.2.8. When processing a crafted FIG file with an incomplete closed spline, the function dereferences a NULL pointer, leading to a segmentation fault. The vulnerability was promptly addressed in commit f17a3b8 and released in version 3.2.8 [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted FIG file to fig2dev. The attacker needs no special privileges beyond the ability to supply a malicious input file. A command line such as ./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null (or pointing to the malicious file) triggers the crash. The crash occurs during reading of the spline object in read_splineobject(), which calls create_line_with_spline(), ultimately leading to compute_closed_spline() [1].

Impact

Successful exploitation causes a denial of service (DoS) through a segmentation fault, crashing the fig2dev process. The vulnerability does not appear to allow code execution or information disclosure beyond the crash itself, as the NULL pointer dereference results in an immediate program termination via AddressSanitizer or a standard segmentation fault [1].

Mitigation

The vulnerability is fixed in fig2dev version 3.2.8, released on September 20, 2021. Users should upgrade to version 3.2.8 or later. There is no known workaround if upgrading is not possible; care should be taken when processing FIG files from untrusted sources [1][2].