VYPR
Unrated severity · NVD Advisory · Published Mar 28, 2025 · Updated Nov 3, 2025

fig2dev heap-buffer overflow

CVE-2025-31164

Description

A heap-buffer-overflow in fig2dev 3.2.9a in create_line_with_spline allows local attackers to cause a denial of service via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A heap-buffer-overflow exists in create_line_with_spline in trans_spline.c of fig2dev version 3.2.9a [1]. It is triggered while processing a specially crafted input file (e.g., the reporter's .poc file) when the -L pict2e output language is selected. The out-of-bounds access is at line 585 of trans_spline.c and is a read from a heap-allocated point array whose index is not checked against the allocation [1].

Exploitation

Exploitation requires fig2dev to be run with the -L pict2e option on a malformed input file. The CVE description calls the attacker local, but the only capability needed is to get the file in front of the tool: a user who converts a .fig file of untrusted origin with this backend triggers the bug, so no authentication or privileges beyond supplying the file are required. The ASAN trace in the reference shows the faulting read inside create_line_with_spline, after init_point_array and compute_closed_spline have run [1].
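As an added example that is not fig2dev's code, the following C program models the bug class the report describes: a heap-allocated point array that is read one element past its end when a closed curve is walked, beside a hardened version that validates the requested segment count and makes the wrap-around explicit. The struct names, the walk logic and the 10x10 square input are assumptions chosen for the demonstration; only the report class (a 4-byte heap-buffer-overflow READ under AddressSanitizer) matches the reference, and the real fault at trans_spline.c line 585 may differ in detail.

```c
/* spline_overread_demo.c
 * Added illustrative example, not fig2dev source. The struct names, the
 * closed-curve walk and the square input are assumptions chosen to model the
 * bug class from the report: a read past the end of a heap-allocated point
 * array. Build and run under AddressSanitizer to see the same report class:
 *   cc -g -fsanitize=address -o spline_overread_demo spline_overread_demo.c
 *   ./spline_overread_demo            # safe calls only
 *   ./spline_overread_demo --trigger  # ASan: heap-buffer-overflow READ of size 4
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int x, y; } point_t;                       /* int coordinates, as in .fig */
typedef struct { point_t *pts; size_t count; } point_array_t;

/* Allocate exactly n points on the heap; under ASan a redzone follows them. */
static int init_point_array(point_array_t *a, size_t n)
{
    a->pts = calloc(n, sizeof *a->pts);
    if (a->pts == NULL) return -1;
    a->count = n;
    return 0;
}

static void free_point_array(point_array_t *a)
{
    free(a->pts);
    a->pts = NULL;
    a->count = 0;
}

/* Edge length in the L1 metric so the example needs no libm; every edge of the
 * square below is axis-aligned, so this equals the Euclidean length. */
static long edge_len(const point_t *p, const point_t *q)
{
    return labs((long)q->x - p->x) + labs((long)q->y - p->y);
}

/* Vulnerable shape: the caller chooses how many segments to walk (one per point
 * for a closed curve) and the loop reads pts[i + 1] without checking that
 * i + 1 < count. With nseg == count the last iteration reads pts[count].x, a
 * 4-byte (int) read just past the allocation: a heap-buffer-overflow READ. */
static long closed_length_unchecked(const point_array_t *a, size_t nseg)
{
    long len = 0;
    for (size_t i = 0; i < nseg; i++)
        len += edge_len(&a->pts[i], &a->pts[i + 1]);     /* no bound check */
    return len;
}

/* Hardened: reject a segment count the allocation cannot satisfy and make the
 * closed-curve wrap-around explicit, so no index exceeds count - 1.
 * Returns 0 on success, -1 if the request is inconsistent with the array. */
static int closed_length_checked(const point_array_t *a, size_t nseg, long *out)
{
    if (a == NULL || a->pts == NULL || a->count < 2 || nseg > a->count) return -1;
    long len = 0;
    for (size_t i = 0; i < nseg; i++)
        len += edge_len(&a->pts[i], &a->pts[(i + 1) % a->count]); /* last edge wraps to pts[0] */
    *out = len;
    return 0;
}

/* Constructed input for the demo: a 10x10 square, not a real .fig file. */
static int build_square(point_array_t *a)
{
    static const point_t sq[4] = { {0, 0}, {10, 0}, {10, 10}, {0, 10} };
    if (init_point_array(a, 4) != 0) return -1;
    memcpy(a->pts, sq, sizeof sq);
    return 0;
}

/* Self-check helpers: closed perimeter via the hardened path (40), whether an
 * oversized walk is refused (1), and an in-bounds open walk of 3 edges (30). */
static long square_checked_perimeter(void)
{
    point_array_t a; long len = -1;
    if (build_square(&a) != 0) return -1;
    if (closed_length_checked(&a, a.count, &len) != 0) len = -1;
    free_point_array(&a);
    return len;
}

static int square_oversized_refused(void)
{
    point_array_t a; long len = 0; int refused;
    if (build_square(&a) != 0) return -1;
    refused = closed_length_checked(&a, a.count + 1, &len) == -1;
    free_point_array(&a);
    return refused;
}

static long square_open_unchecked(void)
{
    point_array_t a; long len;
    if (build_square(&a) != 0) return -1;
    len = closed_length_unchecked(&a, a.count - 1);   /* 3 edges, all in bounds */
    free_point_array(&a);
    return len;
}

int main(int argc, char **argv)
{
    printf("checked closed perimeter: %ld\n", square_checked_perimeter());
    printf("oversized request refused: %d\n", square_oversized_refused());
    printf("unchecked open walk: %ld\n", square_open_unchecked());
    if (argc > 1 && strcmp(argv[1], "--trigger") == 0) {
        point_array_t a;
        if (build_square(&a) != 0) return 1;
        /* nseg == count: reads pts[4] past the 4-point allocation */
        printf("unchecked closed walk: %ld\n", closed_length_unchecked(&a, a.count));
        free_point_array(&a);
    }
    return 0;
}
```

Built with -fsanitize=address and run with --trigger, the unchecked walk produces a heap-buffer-overflow READ of size 4 report of the same class as the reference; the hardened function refuses the same request with -1 instead of reading. The same practice applies to fig2dev triage: processing untrusted .fig files in a sanitizer build turns a silent over-read into a clean report.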

Impact

Successful exploitation produces a heap-buffer-overflow read of 4 bytes, as the AddressSanitizer (ASAN) report in the reference shows [1]. Under ASAN the process aborts; in a normal build a small over-read may crash with a segmentation fault or may pass unnoticed, so the reliable outcome is denial of service (availability impact). The available information gives no indication of privilege escalation or information disclosure [1].

Mitigation

As of the referenced report, no fix or patched version had been released for fig2dev 3.2.9a. Until one is, do not process .fig files of untrusted origin with the -L pict2e option; the report exercises only that backend. The issue was reported to the vendor through the SourceForge ticket system [1]. No workaround or CVE-specific fix version has been disclosed.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 9

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)