[Radiance-general] crashes in radiance from fuzzers

Greg Ward gregoryjward at gmail.com
Thu Aug 2 11:36:19 PDT 2018


Hi John,

I just implemented a check in formatval() against a new #define MAXFMTLEN that should prevent buffer overruns from Radiance header input.

Cheers,
-Greg

> From: jcupitt at gmail.com
> Date: July 22, 2018 9:56:24 AM PDT
> 
> On Sun, 22 Jul 2018 at 13:24, <jcupitt at gmail.com> wrote:
>> The obvious one is the globmatch() function in header.c -- during file
>> read, it expands into a 64-byte buffer here:
>> 
>> https://radiance-online.org/cgi-bin/viewcvs.cgi/ray/src/common/header.c?view=markup#l231
> 
> Actually, thinking about it again, just changing that 64 into MAXLINE
> should stop this problem at least.  The read routines guarantee that
> lines can't be longer than MAXLINE, so as long as fs[] is the same
> size or bigger, it can't overflow. It will increase the amount of
> stack radiance needs, unfortunately.
> 
> That's the change I've made in my lib anyway. If the fuzzers find
> anything else, I'll post a note here.
> 
> John
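As an added illustration of the two fixes discussed above, and not Radiance's own code or either of the patches described: a minimal header parser in C that shows an unbounded copy of a FORMAT value beside a bounded one, with the line reader's own length cap enforced as well. The values of MAXLINE and MAXFMTLEN, every function name, and the sample headers are hypothetical stand-ins constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAXLINE   512   /* assumed: longest line the header reader will hand over */
#define MAXFMTLEN  64   /* assumed: cap on a FORMAT value, standing in for the define in the fix */

/* "Before": copies whatever follows FORMAT= into r without knowing r's size.
 * With a MAXFMTLEN-byte destination and a longer value this writes past r;
 * it is kept here for contrast and only ever called on a short value. */
static int formatval_unchecked(char *r, const char *s)
{
    if (strncmp(s, "FORMAT=", 7) != 0)
        return 0;
    strcpy(r, s + 7);           /* unbounded copy: the defect */
    return 1;
}

/* "After": returns 1 and fills r if s is a FORMAT line whose value (outer
 * whitespace stripped) fits in rsz bytes including the NUL, 0 if s is not a
 * FORMAT line, -1 if it is a FORMAT line whose value is too long to store. */
static int formatval_checked(char *r, size_t rsz, const char *s)
{
    static const char key[] = "FORMAT=";
    const size_t klen = sizeof key - 1;
    const char *v;
    size_t n;

    if (strncmp(s, key, klen) != 0)
        return 0;
    v = s + klen;
    while (*v == ' ' || *v == '\t')
        v++;
    n = strlen(v);
    while (n > 0 && strchr(" \t\r\n", v[n - 1]) != NULL)
        n--;
    if (n >= rsz)
        return -1;              /* refuse the value rather than overrun r */
    memcpy(r, v, n);
    r[n] = '\0';
    return 1;
}

/* Walks an in-memory header line by line (a blank line ends the header) and
 * rejects any line longer than MAXLINE, as a bounded line reader would.
 * Returns 1 with fmt filled when a FORMAT line is found, 0 when the header
 * ends without one, -1 when a line or a FORMAT value is too long. */
static int parse_header(const char *hdr, char *fmt, size_t fmtsz)
{
    char line[MAXLINE + 1];
    const char *p = hdr;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int rc;

        if (len > MAXLINE)
            return -1;          /* the reader's bound: never copy more than MAXLINE */
        if (len == 0)
            return 0;           /* blank line: end of header, no FORMAT seen */
        memcpy(line, p, len);
        line[len] = '\0';
        rc = formatval_checked(fmt, fmtsz, line);
        if (rc != 0)
            return rc;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Constructed test input (not a real file): a header whose FORMAT value is
 * vlen bytes of 'A', built in a static buffer; NULL if vlen does not fit. */
static const char *synth_header(size_t vlen)
{
    static char buf[2 * MAXLINE];
    static const char pre[] = "#?RADIANCE\nFORMAT=";
    size_t off = sizeof pre - 1;

    if (off + vlen + 3 > sizeof buf)
        return NULL;
    memcpy(buf, pre, off);
    memset(buf + off, 'A', vlen);
    memcpy(buf + off + vlen, "\n\n", 3);
    return buf;
}

/* Parses hdr into a fixed MAXFMTLEN buffer; the value, if any, is left in
 * last_fmt and the parse_header result code is returned. */
static char last_fmt[MAXFMTLEN];
static int parse_header_rc(const char *hdr)
{
    last_fmt[0] = '\0';
    if (hdr == NULL)
        return -1;
    return parse_header(hdr, last_fmt, sizeof last_fmt);
}

int main(void)
{
    char r[MAXFMTLEN];
    const char *good = "#?RADIANCE\nSOFTWARE=example\nFORMAT=32-bit_rle_rgbe\n\n";

    printf("good header:    rc=%d fmt=%s\n", parse_header_rc(good), last_fmt);
    printf("200-byte value: rc=%d (rejected, would overrun a 64-byte buffer)\n",
           parse_header_rc(synth_header(200)));
    printf("600-byte line:  rc=%d (rejected by the MAXLINE bound)\n",
           parse_header_rc(synth_header(600)));
    formatval_unchecked(r, "FORMAT=32-bit_rle_rgbe");   /* safe only because the value is short */
    printf("unchecked copy of a short value: %s\n", r);
    return 0;
}
```

The two bounds are independent: capping the line at MAXLINE alone is enough only if every buffer a header value is copied into is at least MAXLINE bytes (John's approach for fs[]), while the explicit length check in formatval_checked lets the destination stay small (Greg's MAXFMTLEN) by rejecting oversized values instead of storing them.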
