oss-sec mailing list archives

Re: autotrace: out-of-bounds write

From: Brian May <brian () linuxpenguins xyz>
Date: Tue, 13 Sep 2016 08:02:56 +1000

Agostino Sarubbo <ago () gentoo org> writes:

with Address Sanitizer I found that each bmp you try to manage with autotrace 
causes an out-of-bounds write.

Details:
https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/


I have had a look at CVE-2016-7392 in autotrace, in Debian wheezy. From
a quick glance at source code, the code does:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);

Which I believe is the same as:

XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);

i.e. the code leaves room for one byte at the end. However we store a
(char *) at the very end. Which I think might be more then one byte:

pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;

My testing indicates the problem goes away if you change the line to:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
-- 
Brian May <brian () linuxpenguins xyz>
https://linuxpenguins.xyz/brian/

Current thread:

autotrace: out-of-bounds write Agostino Sarubbo (Sep 10)
- Re: autotrace: out-of-bounds write cve-assign (Sep 10)
- Re: autotrace: out-of-bounds write Brian May (Sep 12)