
Re: autotrace CVE-2016-7392



On Mon, 2016-09-12 at 08:30 +1000, Brian May wrote:
> Hello,
> 
> Have had a look at CVE-2016-7392 in autotrace, from a quick glance at
> source code, the code does:
> 
> XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);
> 
> Which I believe is the same as:
> 
> XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + 1);
> 
> i.e. the code leaves room for one byte at the end. However, we store a
> (char *) at the very end, which I think might be more than one byte:
> 
> pstoedit_suffix_table[2 * (dd_tmp - dd_start)] = NULL;
> 
> So possibly that expression should be:
> 
> XMALLOC(pstoedit_suffix_table, (sizeof(char *) * 2 * (dd_tmp - dd_start)) + (sizeof(char *)));
> 

Or with only parentheses added:

XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
                                                ^                           ^

Ben.

-- 
Ben Hutchings
Klipstein's 4th Law of Prototyping and Production:
                                    A fail-safe circuit will destroy
others.
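To make the size arithmetic discussed above concrete, here is an added C example (not autotrace's code and not from either poster): it evaluates both allocation sizes for a constructed table of three (suffix, description) pairs, checks whether the pointer-sized NULL terminator at index 2n fits in each, and builds the table with the corrected size. `build_suffix_table`, `PAIRS` and the sample suffix strings are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed number of (suffix, description) pairs, standing in for dd_tmp - dd_start. */
#define PAIRS 3

/* Size from the expression quoted in the thread: only ONE extra byte follows the
 * 2*n pointers, yet a whole char* (the NULL terminator) is written there. */
size_t buggy_table_bytes(size_t n) { return sizeof(char *) * 2 * n + 1; }

/* Size with the parentheses moved: 2*n pointers plus one pointer-sized NULL. */
size_t fixed_table_bytes(size_t n) { return sizeof(char *) * (2 * n + 1); }

/* Does the store to table[2*n] stay inside an allocation of 'bytes' bytes? */
int terminator_fits(size_t bytes, size_t n) {
    return (2 * n + 1) * sizeof(char *) <= bytes;
}

/* Hypothetical helper (not autotrace's): build a NULL-terminated table of
 * (suffix, description) pointer pairs using the corrected allocation size. */
char **build_suffix_table(const char *const *suf, const char *const *desc, size_t n) {
    char **table = malloc(fixed_table_bytes(n));
    if (table == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        table[2 * i] = (char *)suf[i];
        table[2 * i + 1] = (char *)desc[i];
    }
    table[2 * n] = NULL;  /* index 2n is the (2n+1)-th pointer, now in bounds */
    return table;
}

/* Walk to the terminator the way a consumer of the table would. */
size_t count_pairs(char **table) {
    size_t n = 0;
    while (table[2 * n] != NULL) n++;
    return n;
}

/* Build the table from constructed sample data and return the pair count. */
size_t demo_pairs(void) {
    static const char *suf[PAIRS] = {"eps", "svg", "dxf"};
    static const char *desc[PAIRS] = {"Encapsulated PostScript", "SVG", "AutoCAD DXF"};
    char **t = build_suffix_table(suf, desc, PAIRS);
    size_t n = t ? count_pairs(t) : 0;
    free(t);
    return n;
}

int main(void) {
    printf("buggy: %zu bytes, terminator fits: %d\n", buggy_table_bytes(PAIRS),
           terminator_fits(buggy_table_bytes(PAIRS), PAIRS));
    printf("fixed: %zu bytes, terminator fits: %d\n", fixed_table_bytes(PAIRS),
           terminator_fits(fixed_table_bytes(PAIRS), PAIRS));
    printf("pairs in table: %zu\n", demo_pairs());
    return 0;
}
```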
