Re: potrace
Hi Brian,
> It looks like the bm_new() function, referenced by CVE-2016-8686 has
> been refactored. In particular the size calculation has been moved to a
> getsize function.
>
> Unfortunately the description of CVE-2016-8686 is vague - "A crafted
> image, through a fuzz testing, causes the memory allocation to fail."
>
> Source: http://www.openwall.com/lists/oss-security/2016/10/08/18
>
> I suspect the issue might be that it tries to allocate more memory then
> what you would reasonably expect. In the above message it seems to be
> trying to allocate 8.5GB if I calculated that correctly.
>
> The reproducer file:
>
> brian@prune:/tmp$ ls -l potrace_testcase
> -rw------- 1 brian brian 157 May 9 17:22 potrace_testcase
> brian@prune:/tmp$ file potrace_testcase
> potrace_testcase: PC bitmap, Windows 95/NT4 and newer format, 41 x 1073741825 x 32
> brian@prune:/tmp$
>
> Which I guess is shows the problem. I am not sure if the file is
> 1073741825 pixels along one axis (with very good compression), or if the
> headers have been fudged so it looks like the image is bigger then it
> actually is.
I think this is a crafted file.
By the way, where did you find the reproducer ? I can't find it
anywhere.
Cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Reply to: