
Re: autotrace CVE-2016-7392



Ben Hutchings <ben@decadent.org.uk> writes:

> Or with only parentheses added:
>
> XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp -
> dd_start) + 1));

Yes, that looks simpler.

Confirmed this fixes the problem, at least on wheezy.

Without patch:

=== cut ===
(wheezy-amd64-default)root@prune:/tmp/brian/tmpZqKBg5/autotrace-0.31.1# valgrind autotrace --output-format=svg /tmp/text3336.png
==3358== Memcheck, a memory error detector
==3358== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==3358== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==3358== Command: autotrace --output-format=svg /tmp/text3336.png
==3358== 
==3358== Invalid write of size 8
==3358==    at 0x4E45204: pstoedit_suffix_table_init.part.0 (output-pstoedit.c:103)
==3358==    by 0x4E452F3: pstoedit_suffix_table_lookup_shallow (output-pstoedit.c:149)
==3358==    by 0x4E4C033: at_splines_write (autotrace.c:375)
==3358==    by 0x4019C2: main (main.c:161)
==3358==  Address 0xa2cfc20 is 880 bytes inside a block of size 881 alloc'd
==3358==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3358==    by 0x4E4517B: pstoedit_suffix_table_init.part.0 (output-pstoedit.c:87)
==3358==    by 0x4E452F3: pstoedit_suffix_table_lookup_shallow (output-pstoedit.c:149)
==3358==    by 0x4E4C033: at_splines_write (autotrace.c:375)
==3358==    by 0x4019C2: main (main.c:161)
==3358== 
==3358== Invalid read of size 8
==3358==    at 0x4E452D1: pstoedit_suffix_table_lookup_shallow (output-pstoedit.c:145)
==3358==    by 0x4E4C033: at_splines_write (autotrace.c:375)
==3358==    by 0x4019C2: main (main.c:161)
==3358==  Address 0xa2cfc20 is 880 bytes inside a block of size 881 alloc'd
==3358==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3358==    by 0x4E4517B: pstoedit_suffix_table_init.part.0 (output-pstoedit.c:87)
==3358==    by 0x4E452F3: pstoedit_suffix_table_lookup_shallow (output-pstoedit.c:149)
==3358==    by 0x4E4C033: at_splines_write (autotrace.c:375)
==3358==    by 0x4019C2: main (main.c:161)
==3358== 
<?xml version="1.0" standalone="yes"?>
<svg width="124" height="30">
<path style="fill:#000000; stroke:none;" d="M0 0L0 30L124 30L124 0L0 0z"/>
</svg>
==3358== 
==3358== HEAP SUMMARY:
==3358==     in use at exit: 16,978 bytes in 159 blocks
==3358==   total heap usage: 2,586 allocs, 2,427 frees, 1,958,726 bytes allocated
==3358== 
==3358== LEAK SUMMARY:
==3358==    definitely lost: 9 bytes in 1 blocks
==3358==    indirectly lost: 0 bytes in 0 blocks
==3358==      possibly lost: 0 bytes in 0 blocks
==3358==    still reachable: 16,969 bytes in 158 blocks
==3358==         suppressed: 0 bytes in 0 blocks
==3358== Rerun with --leak-check=full to see details of leaked memory
==3358== 
==3358== For counts of detected and suppressed errors, rerun with: -v
==3358== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 6 from 6)
=== cut ===

With patch:

=== cut ===
(wheezy-amd64-default)root@prune:/tmp/brian/tmpZqKBg5/autotrace-0.31.1# valgrind autotrace --output-format=svg /tmp/text3336.png
==3546== Memcheck, a memory error detector
==3546== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==3546== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==3546== Command: autotrace --output-format=svg /tmp/text3336.png
==3546== 
<?xml version="1.0" standalone="yes"?>
<svg width="124" height="30">
<path style="fill:#000000; stroke:none;" d="M0 0L0 30L124 30L124 0L0 0z"/>
</svg>
==3546== 
==3546== HEAP SUMMARY:
==3546==     in use at exit: 16,985 bytes in 159 blocks
==3546==   total heap usage: 2,586 allocs, 2,427 frees, 1,958,733 bytes allocated
==3546== 
==3546== LEAK SUMMARY:
==3546==    definitely lost: 9 bytes in 1 blocks
==3546==    indirectly lost: 0 bytes in 0 blocks
==3546==      possibly lost: 0 bytes in 0 blocks
==3546==    still reachable: 16,976 bytes in 158 blocks
==3546==         suppressed: 0 bytes in 0 blocks
==3546== Rerun with --leak-check=full to see details of leaked memory
==3546== 
==3546== For counts of detected and suppressed errors, rerun with: -v
==3546== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
=== cut ===

-- 
Brian May <bam@debian.org>
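The two valgrind runs above differ only in how the allocation size is computed, so the arithmetic behind them is worth seeing in code. The following is an added illustration, not autotrace's own source: it models the size expression without parentheses (multiplication binds tighter than the trailing `+ 1`, so the table gets `2*n` pointers plus a single byte) beside the parenthesised form from the quoted fix, and checks whether the terminating entry at index `2*n` fits in the block. The names `suffix_table_bytes_buggy`, `suffix_table_bytes_fixed`, `terminator_offset`, `terminator_fits` and `build_suffix_table` are this example's own, and the driver count of 55 is chosen because, on amd64, it reproduces the 881-byte block reported by valgrind.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the pstoedit suffix table: each driver contributes
   two entries (suffix, description) and the table ends with one NULL entry.
   All function names here are this example's own, not autotrace's. */

/* Size without parentheses: sizeof(char *) * 2 * n + 1 parses as
   ((sizeof(char *) * 2) * n) + 1, i.e. 2*n pointers plus ONE BYTE. */
size_t suffix_table_bytes_buggy(size_t n)
{
    return sizeof(char *) * 2 * n + 1;
}

/* Size with parentheses (the form quoted in the fix): 2*n + 1 pointers. */
size_t suffix_table_bytes_fixed(size_t n)
{
    return sizeof(char *) * (2 * n + 1);
}

/* Byte offset at which the terminating entry table[2*n] is written. */
size_t terminator_offset(size_t n)
{
    return 2 * n * sizeof(char *);
}

/* Does a pointer-sized write at the terminator offset stay inside the block? */
int terminator_fits(size_t block_bytes, size_t n)
{
    return terminator_offset(n) + sizeof(char *) <= block_bytes;
}

/* Build the table with the corrected size; the final slot holds the NULL
   terminator a lookup loop would stop on. Returns NULL on allocation failure. */
char **build_suffix_table(size_t n)
{
    char **table = malloc(suffix_table_bytes_fixed(n));
    if (table == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        table[2 * i] = "suffix";           /* constructed placeholder values */
        table[2 * i + 1] = "description";
    }
    table[2 * n] = NULL;
    return table;
}

int main(void)
{
    /* 55 drivers on a 64-bit host: buggy size is 8*2*55+1 = 881 bytes, and the
       terminator write lands at offset 880, matching the valgrind report of an
       8-byte write "880 bytes inside a block of size 881". */
    size_t n = 55;
    printf("buggy: %zu bytes, fixed: %zu bytes, terminator at offset %zu\n",
           suffix_table_bytes_buggy(n), suffix_table_bytes_fixed(n),
           terminator_offset(n));
    printf("terminator fits: buggy=%d fixed=%d\n",
           terminator_fits(suffix_table_bytes_buggy(n), n),
           terminator_fits(suffix_table_bytes_fixed(n), n));
    char **t = build_suffix_table(n);
    free(t);
    return 0;
}
```

The corrected expression allocates exactly `sizeof(char *) - 1` more bytes than the buggy one (7 bytes on amd64), which is also the difference in total heap usage between the two runs above (1,958,726 versus 1,958,733 bytes).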
