‘Graphviz Buffer Overflow Code Execution’

Summary

Graphviz is ‘an open-source multi-platform graph visualization software. It takes a description of graphs in a simple text format (DOT language), and makes diagrams out of it in several useful formats (including SVG)’. A vulnerability exists in Graphviz’s parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so.

Credit:

‘The information has been provided by Roee Hay.
The original article can be found at: http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html


Details

Vulnerable Systems:
 * Graphviz version 2.20.2

Immune Systems:
 * Graphviz version 2.20.3

A vulnerability exists in Graphviz’s parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so.

parser.y (Graphviz 2.20.2):

  static Agraph_t *Gstack[32];
  static int GSP;
  /* ... */
  static void push_subg(Agraph_t *g)
  {
      G = Gstack[GSP++] = g;
  }

As can be seen, push_subg performs no bounds check, so pushing more than 32 (Agraph_t *) elements overflows Gstack: the 33rd pointer is written past the end of the array, corrupting whatever global data follows it. A DOT file with sufficiently deeply nested subgraphs is enough to reach that depth.

Impact/Severity:
A malicious user can achieve arbitrary code execution by creating a specially crafted DOT file and convincing the victim to render it with Graphviz.

Solution:
A bounds check has been added to avoid the overflow; it can be seen in parser.y (Graphviz 2.20.3):

  #define GSTACK_SIZE 64
  static Agraph_t *Gstack[GSTACK_SIZE];
  static int GSP;
  /* ... */
  static void push_subg(Agraph_t *g)
  {
      if (GSP >= GSTACK_SIZE) {
          agerr (AGERR, "Gstack overflow in graph parser\n");
          exit(1);
      }
      G = Gstack[GSP++] = g;
  }’
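As an added illustration (this is not Graphviz code and not part of Roee Hay's advisory), the C program below models the Gstack push from parser.y, pairs it with a bounds-checked version that returns an error instead of calling exit(1), and pre-scans a DOT document for the brace nesting depth that would push a 33rd entry onto the 32-entry array of 2.20.2. It assumes, as a simplification, that every `{` opening a graph or subgraph body corresponds to one push_subg call (the main graph included), and uses a stand-in graph_t type instead of Agraph_t; dot_max_depth, replay_pushes, build_nested_dot and refused_push_for_nesting are names chosen for this example, and the DOT input it scans is constructed by the program itself.

```c
/* Added example, not Graphviz code: models the Gstack push from parser.y and
 * pre-scans a DOT document for the nesting depth that would overflow it.
 * Assumption: every '{' that opens a (sub)graph body costs one push, the main
 * graph included; graph_t stands in for Agraph_t. */
#include <stdio.h>
#include <string.h>

#define GSTACK_SIZE_OLD 32                 /* Gstack size in Graphviz 2.20.2 */

typedef struct { const char *name; } graph_t;          /* stand-in for Agraph_t */
typedef struct { graph_t *stack[GSTACK_SIZE_OLD]; int sp; } gstack_t;

/* The 2.20.3 bounds check, but returning -1 instead of calling exit(1), so a
 * program embedding the parser can report the error rather than be killed. */
int push_subg_checked(gstack_t *gs, graph_t *g)
{
    if (gs->sp >= GSTACK_SIZE_OLD) return -1;   /* 2.20.2 writes stack[32] here */
    gs->stack[gs->sp++] = g;
    return 0;
}

/* Next structural brace ('{' or '}') in the text, skipping double-quoted
 * strings and // or block comments; returns 0 at end of input. Advances *pp. */
static int next_brace(const char **pp)
{
    const char *p = *pp;
    while (*p) {
        if (*p == '"') {
            for (p++; *p && *p != '"'; p++)
                if (*p == '\\' && p[1]) p++;       /* skip escaped character */
            if (*p) p++;
        } else if (p[0] == '/' && p[1] == '/') {
            while (*p && *p != '\n') p++;
        } else if (p[0] == '/' && p[1] == '*') {
            for (p += 2; *p && !(p[0] == '*' && p[1] == '/'); p++) ;
            if (*p) p += 2;
        } else if (*p == '{' || *p == '}') {
            *pp = p + 1;
            return *p;
        } else {
            p++;
        }
    }
    *pp = p;
    return 0;
}

/* Maximum brace nesting depth; above GSTACK_SIZE_OLD the unchecked push overflows. */
int dot_max_depth(const char *dot)
{
    int depth = 0, max = 0, c;
    while ((c = next_brace(&dot)) != 0) {
        if (c == '{') { if (++depth > max) max = depth; }
        else if (depth > 0) depth--;
    }
    return max;
}

/* Replay the brace structure through the checked stack. Returns 0 if every
 * push fits, else the 1-based number of the push the bounds check refused. */
int replay_pushes(const char *dot)
{
    static graph_t g = { "subgraph" };
    gstack_t gs = { {0}, 0 };
    int c, pushes = 0;
    while ((c = next_brace(&dot)) != 0) {
        if (c == '{') {
            pushes++;
            if (push_subg_checked(&gs, &g) != 0) return pushes;
        } else if (gs.sp > 0) gs.sp--;         /* pop_subg */
    }
    return 0;
}

/* Constructed sample input: "digraph G {" wrapping n nested anonymous
 * subgraphs. Returns the length written, or -1 if cap is too small. */
int build_nested_dot(char *out, size_t cap, int n)
{
    const char *head = "digraph G {";
    size_t hl = strlen(head), pos = hl;
    if (n < 0 || cap < hl + 2 * (size_t)n + 5) return -1;
    memcpy(out, head, hl);
    for (int i = 0; i < n; i++) out[pos++] = '{';
    memcpy(out + pos, " x ", 3); pos += 3;
    for (int i = 0; i <= n; i++) out[pos++] = '}';
    out[pos] = '\0';
    return (int)pos;
}

/* First refused push for a document with n nested subgraphs (0 if it fits). */
int refused_push_for_nesting(int n)
{
    char buf[512];
    return build_nested_dot(buf, sizeof buf, n) < 0 ? -1 : replay_pushes(buf);
}

int main(void)
{
    for (int n = 31; n <= 32; n++)
        printf("%d nested subgraphs: refused push #%d\n", n, refused_push_for_nesting(n));
    return 0;
}
```

Run as is, it reports that 31 nested subgraphs (depth 32 counting the enclosing digraph) fit the 32-entry array, while 32 nested subgraphs trigger a refused 33rd push, which is exactly the write to Gstack[32] that 2.20.2 performs unchecked. Returning an error rather than calling exit(1), as the 2.20.3 fix does, is the behaviour to prefer when the parser is linked into a larger program, since a malicious file should not be able to terminate the host process; the depth pre-scan is a cheap input check that can be applied before handing untrusted DOT to an unpatched renderer.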
