1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
|
diff -u -Naur potrace-1.13/ChangeLog potrace-1.13x/ChangeLog
--- potrace-1.13/ChangeLog 2015-10-22 22:38:04.000000000 -0300
+++ potrace-1.13x/ChangeLog 2017-01-08 02:24:43.453647843 -0400
@@ -1,5 +1,8 @@
ChangeLog
+ (2017/01/07) PS1 - fixed segmentation fault triggered by variable
+ underflow. Fixes CVE-2016-8685 reported by Agostino Sarubbo.
+
v1.13 2015/10/22
(2015/07/18) PS1 - fixed heap overflows, null pointer dereference
bugs and a memory leak. Reported by Agostino Sarubbo.
diff -u -Naur potrace-1.13/src/decompose.c potrace-1.13x/src/decompose.c
--- potrace-1.13/src/decompose.c 2015-09-17 09:20:06.000000000 -0300
+++ potrace-1.13x/src/decompose.c 2017-01-08 02:24:55.670629888 -0400
@@ -432,7 +432,7 @@
x0 = (*xp) & ~(BM_WORDBITS-1);
for (y=*yp; y>=0; y--) {
- for (x=x0; x<bm->w; x+=BM_WORDBITS) {
+ for (x=x0; x<bm->w && x>=0; x+=(unsigned)BM_WORDBITS) {
if (*bm_index(bm, x, y)) {
while (!BM_GET(bm, x, y)) {
x++;
|