Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 13 Sep 2016 08:02:56 +1000
From: Brian May <>
Subject: Re: autotrace: out-of-bounds write

Agostino Sarubbo <> writes:

> with Address Sanitizer I found that each bmp you try to manage with autotrace 
> causes an out-of-bounds write.
> Details:

I have had a look at CVE-2016-7392 in autotrace, in Debian wheezy. From
a quick glance at source code, the code does:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);

Which I believe is the same as:

XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);

i.e. the code leaves room for one byte at the end. However we store a
(char *) at the very end. Which I think might be more then one byte:

pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;

My testing indicates the problem goes away if you change the line to:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
Brian May <>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ