Graphviz just released a patch to a critical security issue I reported to them.
The following is the advisory:
BackgroundGraphviz is an open-source multi-platform graph visualization software. It takes a description of graphs in a simple text format (DOT language), and makes diagrams out of it in several useful formats (including SVG).
DescriptionA vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so. As it can be seen, no bounds check is performed by the push_subg procedure, allowing one to overflow Gstack by pushing more than 32 (Agraph_t *) elements.
Impact/SeverityA malicious user can achieve an arbitrary code execution by creating a specially crafted DOT file and convince the victim to render it using Graphviz.
Below is a screenshot of a successful exploitation. When the malicious DOT file is rendered, a shellcode which calls the MessageBoxA API is executed: