
autotrace CVE-2016-7392



Hello,

Have had a look at CVE-2016-7392 in autotrace, from a quick glance at
source code, the code does:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);

Which I believe is the same as:

XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);

i.e. the code leaves room for one byte at the end. However we store a
(char *) at the very end. Which I think might be more than one byte:

pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;

So possibly that expression should be:

XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + (sizeof(char *)));

Regards
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
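
Added example, not part of the original message and not autotrace's own code: the size arithmetic from the post worked through in C, with n standing in for (dd_tmp - dd_start). All function names are hypothetical, and alloc_suffix_table is one assumed way to size the table in elements instead of bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes requested by the expression quoted in the post. */
static size_t bytes_original(size_t n) { return sizeof(char *) * 2 * n + 1; }

/* Bytes requested by the expression proposed in the post. */
static size_t bytes_proposed(size_t n) { return sizeof(char *) * 2 * n + sizeof(char *); }

/* Offset one past the last byte written by table[2 * n] = NULL. */
static size_t terminator_end(size_t n) { return (2 * n + 1) * sizeof(char *); }

/* Bytes of the terminator store that fall outside `allocated` bytes. */
static size_t bytes_past_end(size_t allocated, size_t n)
{
    size_t end = terminator_end(n);
    return end > allocated ? end - allocated : 0;
}

/* Hypothetical helper: allocate 2*n entries plus the NULL terminator,
   counting in elements and rejecting counts whose size would wrap. */
static char **alloc_suffix_table(size_t n)
{
    if (n > (SIZE_MAX / sizeof(char *) - 1) / 2)
        return NULL;
    char **table = calloc(2 * n + 1, sizeof(char *));
    if (table != NULL)
        table[2 * n] = NULL; /* terminator now lies inside the block */
    return table;
}

int main(void)
{
    size_t n = 3; /* constructed sample count */
    printf("original: %zu bytes, terminator ends at %zu, %zu past end\n",
           bytes_original(n), terminator_end(n),
           bytes_past_end(bytes_original(n), n));
    printf("proposed: %zu bytes, %zu past end\n",
           bytes_proposed(n), bytes_past_end(bytes_proposed(n), n));
    char **table = alloc_suffix_table(n);
    if (table == NULL)
        return 1;
    free(table);
    return 0;
}
```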