
Re: CVE-2016-8685 in potrace



Hi Ben

You definitely have a good point there. :-)

// Ola

On 4 April 2017 at 15:23, Ben Hutchings <ben@decadent.org.uk> wrote:
> On Tue, 2017-04-04 at 11:32 +0200, Hugo Lefeuvre wrote:
>> Hi Ben, Ola,
>>
>> > This seems to be a correct optimisation.  Overflow/underflow on signed
>> > arithmetic has undefined behaviour, therefore standard C code will not
>> > allow it to happen and the compiler may rely on that.  If the code does
>> > actually cause an overflow, literally anything can result.
>> >
>> > Thankfully gcc does have an option to support code that relies on
>> > two's-complement wrapping behaviour on signed arithmetic, which is
>> > -fwrapv.  See also the -fno-strict-overflow option.
>>
>> You're right! Compiling with -fwrapv fixes the problem.
>>
>> Alternatively we could use the attached patch that also seems to fix the
>> problem.
>
> Do you really think this is the only place the code relies on wrapping
> behaviour?
>
> Ben.
>
>> This patch should be sufficient because in this case an integer overflow can
>> only occur if there is an x with
>>
>>  * x < bm->w
>>
>> and
>>
>>  * x + BM_WORDBITS > INT_MAX
>>
>> thus only if bm->w > INT_MAX - BM_WORDBITS.
>>
>> I don't know which solution is the best, but the second solution is probably
>> better for future maintenance.
>>
>> Cheers,
>>  Hugo
>>
> --
> Ben Hutchings
> Humans are not rational beings; they are rationalising beings.
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
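The thread above turns on one point: `x + BM_WORDBITS > INT_MAX` cannot be evaluated safely in C, because the addition itself overflows before the comparison happens, and gcc is entitled to optimise the test away. The block below is an added illustration written for this page, not code from potrace or from any participant in the thread. `BM_WORDBITS` is an assumed stand-in value (potrace's real constant comes from its headers), and `fits_unsafe`, `fits_safe`, `bitmap_width_ok` and `row_words` are hypothetical helpers; the safe form moves the arithmetic onto the constant side, which is the same precondition Hugo derives (`bm->w > INT_MAX - BM_WORDBITS`), expressed without ever overflowing.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-in for potrace's BM_WORDBITS (bits per bitmap word);
 * the real value is defined in the library's own headers. */
#define BM_WORDBITS 64

/* Unsafe form, shown for contrast only. When x > INT_MAX - BM_WORDBITS
 * the addition overflows a signed int, which is undefined behaviour;
 * a conforming compiler may assume it never happens and fold the whole
 * comparison to "true" (exactly the optimisation the thread discusses). */
bool fits_unsafe(int x) {
    return x + BM_WORDBITS <= INT_MAX;
}

/* Safe form: subtract the constant from INT_MAX (cannot overflow) and
 * compare x against that bound, so no signed overflow ever occurs. */
bool fits_safe(int x) {
    return x <= INT_MAX - BM_WORDBITS;
}

/* Width validation a bitmap constructor could apply before computing the
 * per-row word count. Mirrors the overflow precondition from the thread:
 * an overflow is only possible if w > INT_MAX - BM_WORDBITS. */
bool bitmap_width_ok(int w) {
    if (w < 0) {
        return false;            /* negative widths are never valid */
    }
    return w <= INT_MAX - BM_WORDBITS;
}

/* Words needed for one row of w pixels (round up to a whole word).
 * Only call this after bitmap_width_ok(w) returned true, because the
 * rounding term is precisely the addition that can overflow otherwise. */
int row_words(int w) {
    return (w + BM_WORDBITS - 1) / BM_WORDBITS;
}

/* Stand-alone demonstration: the safe check rejects the edge values
 * without touching undefined behaviour. */
int main(void) {
    int samples[] = { 0, 1000, INT_MAX - BM_WORDBITS, INT_MAX - BM_WORDBITS + 1, INT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = samples[i];
        printf("w=%d width_ok=%d", w, bitmap_width_ok(w));
        if (bitmap_width_ok(w)) {
            printf(" row_words=%d", row_words(w));
        }
        printf("\n");
    }
    return 0;
}
```

The same rewrite applies to any `a + b > LIMIT` check on signed values: compare `a > LIMIT - b` when `b` is a non-negative constant, and both `-fwrapv` and the compiler's optimiser become irrelevant to the check's correctness.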

