[2019-12-13] - Found with Honggfuzz - CVE-2019-19797

Out-of-bounds write in the read_colordef() function, in read.c.

Issue can be reproduced by running:

```
fig2dev -L box test03
```

```
==1224== Memcheck, a memory error detector
==1224== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1224== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1224== Command: ./fig2dev -Lbox test03
==1224==
Invalid color definition: 0 1200 600 1200 600 600 :\Ŕâ‡ÔÈ‹žL^ä—ö T#0 600 0 120, setting to black (#00000).
==1224== Invalid write of size 4
==1224==    at 0x123A6C: read_colordef (read.c:488)
==1224==    by 0x123A6C: read_objects (read.c:359)
==1224==    by 0x123A6C: readfp_fig (read.c:172)
==1224==    by 0x118F37: main (fig2dev.c:422)
==1224==  Address 0x607cd5a0 is not stack'd, malloc'd or (recently) free'd
==1224==
==1224==
==1224== Process terminating with default action of signal 11 (SIGSEGV)
==1224==  Access not within mapped region at address 0x607CD5A0
==1224==    at 0x123A6C: read_colordef (read.c:488)
==1224==    by 0x123A6C: read_objects (read.c:359)
==1224==    by 0x123A6C: readfp_fig (read.c:172)
==1224==    by 0x118F37: main (fig2dev.c:422)
==1224==  If you believe this happened as a result of a stack
==1224==  overflow in your program's main thread (unlikely but
==1224==  possible), you can try to increase the size of the
==1224==  main thread stack using the --main-stacksize= flag.
==1224==  The main thread stack size used in this run was 8388608.
==1224==
==1224== HEAP SUMMARY:
==1224==     in use at exit: 488 bytes in 1 blocks
==1224==   total heap usage: 19 allocs, 18 frees, 8,632 bytes allocated
==1224==
==1224== LEAK SUMMARY:
==1224==    definitely lost: 0 bytes in 0 blocks
==1224==    indirectly lost: 0 bytes in 0 blocks
==1224==      possibly lost: 0 bytes in 0 blocks
==1224==    still reachable: 488 bytes in 1 blocks
==1224==         suppressed: 0 bytes in 0 blocks
==1224== Rerun with --leak-check=full to see details of leaked memory
==1224==
==1224== For lists of detected and suppressed errors, rerun with: -s
==1224== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
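The Valgrind trace shows the invalid write in read_colordef() landing right after the "setting to black" fallback, i.e. a colour index taken from the file was used as an array offset without being range-checked first. The following is an added, constructed illustration of the defensive shape such a parser should have; it is not fig2dev's code, and the line format ("0 <index> #rrggbb"), the table size and the NUM_STD_COLS/MAX_USR_COLS values are assumptions chosen for the example.

```c
#include <stdio.h>

/* Constructed example, not fig2dev's code. Assumed layout: user colours
 * live in a fixed table of MAX_USR_COLS entries, addressed by
 * (index - NUM_STD_COLS); the values below are illustrative. */
#define NUM_STD_COLS 32
#define MAX_USR_COLS 512

struct rgb { unsigned char r, g, b; };
static struct rgb user_colors[MAX_USR_COLS];

/* Parses one colour definition line. Returns 0 on success, -1 if the
 * line is rejected. The index is validated before ANY store into
 * user_colors[], including the "fall back to black" path taken for a
 * malformed colour value, so no file-controlled index ever reaches
 * the array unchecked. */
int read_colordef_checked(const char *line)
{
    int c;
    unsigned int r, g, b;
    int n = sscanf(line, "0 %d #%2x%2x%2x", &c, &r, &g, &b);

    /* n < 1 means c was never assigned; check that before reading c. */
    if (n < 1 || c < NUM_STD_COLS || c >= NUM_STD_COLS + MAX_USR_COLS) {
        fprintf(stderr, "Invalid color index in: %s\n", line);
        return -1;   /* nothing written at all */
    }
    if (n != 4) {
        /* Index is in range, colour value is not: the fallback write
         * below is now within the table. */
        fprintf(stderr, "Invalid color definition, setting to black\n");
        r = g = b = 0;
    }
    user_colors[c - NUM_STD_COLS].r = (unsigned char)r;
    user_colors[c - NUM_STD_COLS].g = (unsigned char)g;
    user_colors[c - NUM_STD_COLS].b = (unsigned char)b;
    return 0;
}

/* Read back one component ('r', 'g' or 'b') of a stored user colour;
 * returns -1 for an index outside the table. */
int user_color_component(int c, char which)
{
    if (c < NUM_STD_COLS || c >= NUM_STD_COLS + MAX_USR_COLS)
        return -1;
    const struct rgb *p = &user_colors[c - NUM_STD_COLS];
    return which == 'r' ? p->r : which == 'g' ? p->g : p->b;
}
```

Feeding it the index from the crashing line above ("0 1200 ...") rejects the line instead of writing past the table.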