oss-sec mailing list archives
Re: autotrace: out-of-bounds write
From: Brian May <brian () linuxpenguins xyz>
Date: Tue, 13 Sep 2016 08:02:56 +1000
Agostino Sarubbo <ago () gentoo org> writes:

> with Address Sanitizer I found that each bmp you try to manage with autotrace causes an out-of-bounds write.
>
> Details: https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/
I have had a look at CVE-2016-7392 in autotrace, in Debian wheezy.

From a quick glance at the source code, the code does:

    XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);

Which I believe is the same as:

    XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);

i.e. the code leaves room for one byte at the end. However we store a (char *) at the very end, which I think might be more than one byte:

    pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;

My testing indicates the problem goes away if you change the line to:

    XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));

--
Brian May <brian () linuxpenguins xyz>
https://linuxpenguins.xyz/brian/
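The size arithmetic discussed in the message above, worked through as an added example; this is not autotrace's code and not Brian May's. It takes the entry count `n` (standing in for `dd_tmp - dd_start`) as a plain parameter, computes the bytes the original `XMALLOC` line reserves against the bytes the `table[2 * n] = NULL` store actually needs, and then builds a correctly sized table from constructed sample data. `build_suffix_table` and `table_length` are hypothetical helpers written for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Bytes reserved by the original line: sizeof(char *) * 2 * n + 1.
 * The "+ 1" is outside the multiplication, so it adds one byte, not one slot. */
size_t buggy_alloc_bytes(size_t n) {
    return sizeof(char *) * 2 * n + 1;
}

/* Bytes reserved by the proposed fix: sizeof(char *) * (2 * n + 1). */
size_t fixed_alloc_bytes(size_t n) {
    return sizeof(char *) * (2 * n + 1);
}

/* Bytes needed so that index 2*n (the terminating NULL pointer) is in bounds:
 * 2*n + 1 pointer-sized slots. */
size_t needed_bytes(size_t n) {
    return (2 * n + 1) * sizeof(char *);
}

/* How far the NULL store at index 2*n runs past the buggy allocation.
 * With the original arithmetic this is sizeof(char *) - 1 bytes for any n. */
size_t overrun_bytes(size_t n) {
    size_t need = needed_bytes(n);
    size_t have = buggy_alloc_bytes(n);
    return need > have ? need - have : 0;
}

/* Build a NULL-terminated table of n (suffix, description) pairs, sized
 * as in the fix. calloc() zeroes the slots, so the terminator is already
 * NULL; the explicit store shows the index that was out of bounds before.
 * Caller frees the returned table with free(). */
char **build_suffix_table(const char *const *suffixes,
                          const char *const *descs, size_t n) {
    char **table = calloc(2 * n + 1, sizeof(char *));
    if (table == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        table[2 * i] = (char *)suffixes[i];
        table[2 * i + 1] = (char *)descs[i];
    }
    table[2 * n] = NULL; /* in bounds: slot 2*n exists in a 2*n + 1 allocation */
    return table;
}

/* Count non-NULL entries up to the terminator. */
size_t table_length(char *const *table) {
    size_t len = 0;
    while (table[len] != NULL)
        len++;
    return len;
}

int main(void) {
    /* Constructed sample data, not autotrace's driver list. */
    const char *suffixes[] = {"eps", "svg", "pdf"};
    const char *descs[] = {"Encapsulated PostScript", "SVG", "PDF"};
    size_t n = 3;

    printf("n = %zu, sizeof(char *) = %zu\n", n, sizeof(char *));
    printf("original XMALLOC size: %zu bytes\n", buggy_alloc_bytes(n));
    printf("bytes needed for table[2n] = NULL: %zu\n", needed_bytes(n));
    printf("overrun of the NULL store: %zu bytes\n", overrun_bytes(n));
    printf("fixed XMALLOC size: %zu bytes\n", fixed_alloc_bytes(n));

    char **table = build_suffix_table(suffixes, descs, n);
    if (table == NULL)
        return 1;
    printf("table holds %zu entries before the terminator\n", table_length(table));
    free(table);
    return 0;
}
```

On a 64-bit build the original expression reserves 16n + 1 bytes while the terminator store touches byte 16n + 7, so the overrun is the 7 bytes AddressSanitizer reports as a heap-buffer-overflow; the fixed expression reserves exactly the 16n + 8 bytes needed.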
Current thread:
- autotrace: out-of-bounds write Agostino Sarubbo (Sep 10)
- Re: autotrace: out-of-bounds write cve-assign (Sep 10)
- Re: autotrace: out-of-bounds write Brian May (Sep 12)