On Mon, 2016-09-12 at 08:30 +1000, Brian May wrote:
> Hello,
>
> Have had a look at CVE-2016-7392 in autotrace, from a quick glance at
> source code, the code does:
>
> XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);
>
> Which I believe is the same as:
>
> XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);
>
> i.e. the code leaves room for one byte at the end. However we store a
> (char *) at the very end. Which I think might be more than one byte:
>
> pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;
>
> So possibly that expression should be:
>
> XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + (sizeof(char *)));
>

Or with only parentheses added:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
                                                ^                           ^

Ben.

-- 
Ben Hutchings
Klipstein's 4th Law of Prototyping and Production:
A fail-safe circuit will destroy others.
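As an added example (not autotrace's code and not from this thread), the three size expressions discussed above written as C functions so the under-allocation can be measured, plus a table-building routine that sidesteps the precedence trap by giving calloc() the element count and element size separately; the function names, the parameter n standing in for (dd_tmp - dd_start), and the sample suffix strings are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* n stands in for (dd_tmp - dd_start), the number of suffix/description pairs. */

/* Bytes requested by the original expression. The trailing "+ 1" adds one
 * byte, not one pointer-sized slot. */
size_t size_original(size_t n) { return sizeof(char *) * 2 * n + 1; }

/* Bytes requested by the corrected expression from the thread. */
size_t size_corrected(size_t n) { return sizeof(char *) * (2 * n + 1); }

/* Bytes the code actually touches: 2*n entries plus the NULL at index 2*n. */
size_t size_required(size_t n) { return (2 * n + 1) * sizeof(char *); }

/* Bytes by which the terminator write at index 2*n runs past the original
 * allocation: sizeof(char *) - 1 for every n, i.e. 7 on a 64-bit target. */
size_t overflow_bytes(size_t n) {
    size_t have = size_original(n), need = size_required(n);
    return need > have ? need - have : 0;
}

/* Build the NULL-terminated table of 2*n pointers. calloc() takes the element
 * count and element size separately, so there is no hand-written
 * multiplication to mis-parenthesise, and it fails cleanly instead of
 * under-allocating if the product would overflow. Caller frees with free(). */
char **build_suffix_table(const char *const *suffixes,
                          const char *const *descriptions, size_t n) {
    char **table = calloc(2 * n + 1, sizeof *table);
    if (table == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        table[2 * i] = (char *)suffixes[i];
        table[2 * i + 1] = (char *)descriptions[i];
    }
    table[2 * n] = NULL; /* the write that overflowed the original size */
    return table;
}

/* Self-check on constructed sample input; returns 1 if the table is laid out
 * as expected (entries in order, terminator at index 2*n). */
int suffix_table_self_check(void) {
    static const char *const suf[] = { "eps", "ps", "svg" };
    static const char *const desc[] = { "Encapsulated PostScript", "PostScript", "SVG" };
    char **t = build_suffix_table(suf, desc, 3);
    int ok = t != NULL && strcmp(t[0], "eps") == 0 && strcmp(t[5], "SVG") == 0
             && t[6] == NULL && size_corrected(3) == size_required(3);
    free(t);
    return ok;
}
```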