Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 13 Sep 2016 08:02:56 +1000
From: Brian May <brian@...uxpenguins.xyz>
To: oss-security@...ts.openwall.com
Subject: Re: autotrace: out-of-bounds write

Agostino Sarubbo <ago@...too.org> writes:

> with Address Sanitizer I found that each bmp you try to manage with autotrace 
> causes an out-of-bounds write.
>
> Details:
> https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/

I have had a look at CVE-2016-7392 in autotrace, in Debian wheezy. From
a quick glance at source code, the code does:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);

Which I believe is the same as:

XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);

i.e. the code leaves room for one byte at the end. However we store a
(char *) at the very end. Which I think might be more then one byte:

pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;

My testing indicates the problem goes away if you change the line to:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ