
Graphviz Stack Buffer Overflow Code Execution

Aleph Research Advisory

Identifier

Severity

High

Product

Graphviz

Vulnerable Version

Verified on Graphviz 2.20.2

Mitigation

Install version 2.20.3 or later.

Technical Details

A vulnerability exists in Graphviz’s parsing engine which makes it possible to overflow a globally allocated array (the static Gstack subgraph stack) and corrupt memory by doing so.

parser.y (Graphviz 2.20.2):
  
  static Agraph_t *Gstack[32];   /* fixed-size stack of open subgraphs */
  static int GSP;                /* stack pointer: next free slot */
  
  /* G is the current graph, declared elsewhere in parser.y */
  static void push_subg(Agraph_t *g)
  {
    G = Gstack[GSP++] = g;       /* no check that GSP < 32 before the write */
  }

As can be seen, no bounds check is performed by the push_subg procedure, allowing one to overflow Gstack by pushing more than 32 (Agraph_t *) elements.

A malicious user can achieve arbitrary code execution by creating a specially crafted DOT file and convincing the victim to render it using Graphviz.
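The following added example (not Graphviz's own code) shows the missing check and a defender-side pre-filter. push_subg_checked is a hypothetical hardened stand-in for push_subg that refuses a 33rd push instead of writing past Gstack; dot_max_depth measures the brace nesting depth of a DOT source as a proxy for how many Gstack entries can be live at once (the exact correspondence to parser pushes is an assumption here), so that unusually deep inputs can be rejected before they reach an unpatched renderer. Agraph_t is an opaque placeholder type.

```c
#include <string.h>

/* Added example, not Graphviz's own code: a bounds-checked stand-in for
 * push_subg and a DOT pre-filter. Agraph_t is an opaque placeholder type. */
#define GSTACK_MAX 32
typedef struct Agraph_s Agraph_t;
static Agraph_t *Gstack[GSTACK_MAX];
static int GSP;
static Agraph_t *G;

/* Same push as parser.y, but refuses once all 32 slots are in use.
 * Returns 0 on success, -1 when the push would run past Gstack. */
int push_subg_checked(Agraph_t *g) {
    if (GSP >= GSTACK_MAX) return -1;
    G = Gstack[GSP++] = g;
    return 0;
}

/* Resets the stack, attempts n pushes, returns how many were accepted. */
int try_push_n(int n) {
    int ok = 0;
    GSP = 0;
    for (int i = 0; i < n; i++)
        ok += (push_subg_checked((Agraph_t *)&ok) == 0);  /* dummy non-NULL graph */
    return ok;
}

/* Defender-side pre-filter: maximum brace nesting depth of a DOT source,
 * used as a proxy for live Gstack entries (assumption: one push per open body).
 * Braces inside "quoted IDs" and inside comments are ignored. */
int dot_max_depth(const char *src) {
    int depth = 0, max_depth = 0;
    for (const char *p = src; *p; p++) {
        if (*p == '"') {                              /* quoted ID, may contain \" */
            for (p++; *p && *p != '"'; p++)
                if (*p == '\\' && p[1]) p++;
            if (!*p) break;
        } else if (p[0] == '/' && p[1] == '/') {      /* line comment */
            while (*p && *p != '\n') p++;
            if (!*p) break;
        } else if (p[0] == '/' && p[1] == '*') {      /* block comment */
            const char *end = strstr(p + 2, "*/");
            if (!end) break;
            p = end + 1;
        } else if (*p == '{') {
            if (++depth > max_depth) max_depth = depth;
        } else if (*p == '}' && depth > 0) depth--;
    }
    return max_depth;
}

int dot_within_gstack(const char *src) { return dot_max_depth(src) <= GSTACK_MAX; }
```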

Timeline

Credit

External References