[Radiance-general] crashes in radiance from fuzzers

jcupitt at gmail.com
Fri Aug 3 10:32:54 PDT 2018


Thanks Greg!

I made the matching change in my loader:

https://github.com/jcupitt/libvips/commit/0b3565c04d7b3f491126433cd42edeb0618824b6


On Fri, 3 Aug 2018 at 07:58, Greg Ward <gregoryjward at gmail.com> wrote:
>
> Hi John,
>
> I just implemented a check in formatval() against a new #define MAXFMTLEN that should prevent buffer overruns from Radiance header input.
>
> Cheers,
> -Greg
>
> > From: jcupitt at gmail.com
> > Date: July 22, 2018 9:56:24 AM PDT
> >
> > On Sun, 22 Jul 2018 at 13:24, <jcupitt at gmail.com> wrote:
> >> The obvious one is the globmatch() function in header.c -- during file
> >> read, it expands into a 64-byte buffer here:
> >>
> >> https://radiance-online.org/cgi-bin/viewcvs.cgi/ray/src/common/header.c?view=markup#l231
> >
> > Actually, thinking about it again, just changing that 64 into MAXLINE
> > should stop this problem at least.  The read routines guarantee that
> > lines can't be longer than MAXLINE, so as long as fs[] is the same
> > size or bigger, it can't overflow. It will increase the amount of
> > stack radiance needs, unfortunately.
> >
> > That's the change I've made in my lib anyway. If the fuzzers find
> > anything else, I'll post a note here.
> >
> > John
>
> _______________________________________________
> Radiance-general mailing list
> Radiance-general at radiance-online.org
> https://www.radiance-online.org/mailman/listinfo/radiance-general
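The two fixes discussed in this thread are the same defensive idea: the header reader already bounds each line to MAXLINE, so any fixed buffer that a header value is copied into must either be at least that large or be guarded by an explicit length check. The following is an added illustration in C, not code from Radiance or libvips; the constants MAXLINE and MAXFMTLEN, the functions read_format_value() and scan_header(), and the sample header text are all constructed here for the example and are not the projects' own definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example (not Radiance's own values):
 * the read routines never deliver a line longer than MAXLINE, and a
 * FORMAT value is only accepted if it fits a MAXFMTLEN-byte buffer. */
#define MAXLINE 512
#define MAXFMTLEN 64

/* Hypothetical checked reader for a "FORMAT=" header line.
 * Returns 1 and fills out[] when the line is a FORMAT line whose value
 * fits, 0 when the line is some other header line, and -1 when the
 * value would not fit: the copy is refused instead of overrunning out[].
 * An unchecked version would be `char fs[64]; strcpy(fs, val);`, which
 * is exactly the overrun a fuzzer-generated long header line triggers. */
int read_format_value(const char *line, char out[MAXFMTLEN])
{
    static const char prefix[] = "FORMAT=";
    size_t plen = sizeof(prefix) - 1;

    if (strncmp(line, prefix, plen) != 0)
        return 0;

    const char *val = line + plen;
    size_t vlen = strcspn(val, "\r\n");     /* value ends at end of line */
    if (vlen >= MAXFMTLEN)                  /* need room for the NUL too */
        return -1;

    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Scan an in-memory header: lines separated by '\n', a blank line ends it.
 * Returns 1 if a FORMAT value was found and fit, 0 if none was present,
 * -1 if any line exceeds MAXLINE or a FORMAT value is too long. */
int scan_header(const char *hdr, char fmt[MAXFMTLEN])
{
    int found = 0;
    const char *p = hdr;

    while (*p != '\0') {
        size_t llen = strcspn(p, "\n");
        if (llen == 0)                      /* blank line terminates header */
            break;
        if (llen >= MAXLINE)                /* longer than the reader permits */
            return -1;

        int r = read_format_value(p, fmt);
        if (r < 0)
            return -1;
        if (r > 0)
            found = 1;

        p += llen;
        if (*p == '\n')
            p++;
    }
    return found;
}

/* Constructed sample header: well formed, value fits. */
static const char SAMPLE_HEADER[] =
    "#?RADIANCE\n"
    "SOFTWARE=constructed sample\n"
    "FORMAT=32-bit_rle_rgbe\n"
    "\n";

int demo_good_header(char fmt[MAXFMTLEN])
{
    return scan_header(SAMPLE_HEADER, fmt);
}

/* Constructed fuzzer-style input: a 200-byte FORMAT value, which is
 * shorter than MAXLINE (so the reader delivers it) but longer than
 * MAXFMTLEN, so the checked reader must reject it. */
int demo_long_format(void)
{
    char line[MAXLINE];
    char fmt[MAXFMTLEN];
    size_t n = strlen("FORMAT=");

    memcpy(line, "FORMAT=", n);
    memset(line + n, 'A', 200);
    line[n + 200] = '\n';
    line[n + 201] = '\0';
    return scan_header(line, fmt);
}

int main(void)
{
    char fmt[MAXFMTLEN];
    printf("good header: %d (FORMAT=%s)\n", demo_good_header(fmt), fmt);
    printf("long FORMAT value: %d\n", demo_long_format());
    return 0;
}
```

Rejecting the line (returning -1) rather than silently truncating the value is the safer choice for a loader: a truncated format string could be mistaken for a valid one, whereas a refused header simply fails the load.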