[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: potrace

Hi Brian,

> It looks like the bm_new() function, referenced by CVE-2016-8686 has
> been refactored. In particular the size calculation has been moved to a
> getsize function.
> Unfortunately the description of CVE-2016-8686 is vague - "A crafted
> image, through a fuzz testing, causes the memory allocation to fail."
> Source: http://www.openwall.com/lists/oss-security/2016/10/08/18
> I suspect the issue might be that it tries to allocate more memory then
> what you would reasonably expect. In the above message it seems to be
> trying to allocate 8.5GB if I calculated that correctly.
> The reproducer file:
> brian@prune:/tmp$ ls -l potrace_testcase 
> -rw------- 1 brian brian 157 May  9 17:22 potrace_testcase
> brian@prune:/tmp$ file potrace_testcase 
> potrace_testcase: PC bitmap, Windows 95/NT4 and newer format, 41 x 1073741825 x 32
> brian@prune:/tmp$
> Which I guess is shows the problem. I am not sure if the file is
> 1073741825 pixels along one axis (with very good compression), or if the
> headers have been fudged so it looks like the image is bigger then it
> actually is.

I think this is a crafted file.

By the way, where did you find the reproducer ? I can't find it


             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Reply to: