Possible SEGV (buffer overflow) in libgvc
Steps to reproduce
- Replace config6a with the attached (corrupted) version: config6a
- Run osage
Expected Behaviour
Graceful exit or recovery.
Actual Behaviour
Segmentation Fault.
OS Version
Linux Ubuntu 23.04.
Graphviz Version
dot - graphviz version 2.43.0 (0)
Additional info
The problem appears to occur here, in gvconfig_plugin_install_from_config (lib/gvc/gvconfig.c, see the stack trace below):
api = token(&nest, &s);
gv_api = gvplugin_api(api); // If api is invalid then gv_api=-1
do {
...
// This function does not expect -1 and will crash (buffer overflow):
bool rc = gvplugin_install(gvc, gv_api, type, quality, package, NULL);
...
} while (nest == 2);
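To illustrate the fix the report implies (reject the -1 sentinel before it is used as an array index), here is an added example that is not Graphviz code: a constructed, simplified stand-in for the API-name table and a checked install routine. The names api_names, plugin_ctx, lookup_api, install_checked and install_all are hypothetical, and the config format here is just whitespace-separated API names rather than the real config6 grammar.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the API table; the real one lives in lib/gvc/gvplugin.c. */
#define APIS_COUNT 5
static const char *const api_names[APIS_COUNT] = {
    "render", "layout", "textlayout", "device", "loadimage"
};

/* Mirrors the behaviour described in the report: an unknown name yields -1. */
int lookup_api(const char *name) {
    for (int i = 0; i < APIS_COUNT; i++)
        if (strcmp(api_names[i], name) == 0)
            return i;
    return -1;
}

/* Per-API counter standing in for the per-API plugin list indexed by api. */
typedef struct { int installed[APIS_COUNT]; } plugin_ctx;

/* Hardened install: validate the index before touching the table. Passing the
 * -1 sentinel straight through is what turns a corrupted config into an
 * out-of-bounds access in the unchecked version. */
bool install_checked(plugin_ctx *ctx, int api) {
    if (api < 0 || api >= APIS_COUNT)
        return false;               /* reject instead of indexing with -1 */
    ctx->installed[api]++;
    return true;
}

/* Look a name up and install it, reporting whether it was accepted. */
bool install_from_name(plugin_ctx *ctx, const char *api_name) {
    return install_checked(ctx, lookup_api(api_name));
}

/* Walk a constructed config (one API name per whitespace-separated token),
 * install each recognised one and return how many tokens were rejected. */
int install_all(plugin_ctx *ctx, const char *cfg) {
    int rejected = 0;
    char buf[256];
    strncpy(buf, cfg, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        if (!install_from_name(ctx, tok))
            rejected++;
    return rejected;
}
```

With this check in place a corrupted entry such as a misspelled API name is skipped (and can be reported) instead of crashing the loader.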
Stack trace:
#0 gvplugin_install (gvc=gvc@entry=0x5555555599f0, api=api@entry=4294967295, typestr=typestr@entry=0x55555555acc4 "device",
quality=0, package=package@entry=0x55555555dbb0, typeptr=typeptr@entry=0x0)
at /build/graphviz-IXUT2l/graphviz-2.42.2/lib/gvc/gvplugin.c:98
#1 0x00007ffff7f36a2b in gvconfig_plugin_install_from_config (s=<optimized out>, gvc=0x5555555599f0)
at /build/graphviz-IXUT2l/graphviz-2.42.2/lib/gvc/gvconfig.c:196
#2 gvconfig (gvc=gvc@entry=0x5555555599f0, rescan=rescan@entry=0 '\000')
at /build/graphviz-IXUT2l/graphviz-2.42.2/lib/gvc/gvconfig.c:554
#3 0x00007ffff7f36b80 in gvContextPlugins (builtins=<optimized out>, demand_loading=1)
at /build/graphviz-IXUT2l/graphviz-2.42.2/lib/gvc/gvc.c:42
#4 0x00005555555555e3 in main (argc=1, argv=0x7fffffffdff8) at /usr/src/graphviz-2.42.2-7build3/cmd/dot/dot.c:100