Date: Tue, 13 Sep 2016 08:02:56 +1000 From: Brian May <brian@...uxpenguins.xyz> To: oss-security@...ts.openwall.com Subject: Re: autotrace: out-of-bounds write Agostino Sarubbo <ago@...too.org> writes: > with Address Sanitizer I found that each bmp you try to manage with autotrace > causes an out-of-bounds write. > > Details: > https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/ I have had a look at CVE-2016-7392 in autotrace, in Debian wheezy. From a quick glance at source code, the code does: XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1); Which I believe is the same as: XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1); i.e. the code leaves room for one byte at the end. However we store a (char *) at the very end. Which I think might be more then one byte: pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL; My testing indicates the problem goes away if you change the line to: XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1)); -- Brian May <brian@...uxpenguins.xyz> https://linuxpenguins.xyz/brian/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.