oss-sec mailing list archives
Re: libcroco: heap overflow and undefined behavior
From: Marcus Meissner <meissner () suse de>
Date: Mon, 24 Apr 2017 14:46:05 +0200
On Sun, Apr 23, 2017 at 12:42:04PM +0200, Agostino Sarubbo wrote:
Description: libcroco is a Generic Cascading Style Sheet (CSS) parsing and manipulation toolkit.
...
# csslint-0.6 $FILE
/tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1283:15: runtime error: value 9.11111e+19 is outside the range of representable values of type 'long'

Commit fix: https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
Reproducer: https://github.com/asarubbo/poc/blob/master/00268-libcroco-outside-long
CVE: CVE-2017-7961
Affected version: 0.6.11 and 0.6.12
Fixed version: 0.6.13 (not released atm)
This is not a security issue in my view. The conversion surely is truncating the double into a long value, but there is no impact as the value is one of the RGB components.

Ciao, Marcus
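
Added example, not part of this thread and not libcroco's actual fix: a range-checked double-to-long conversion for a numeric token used as an RGB component, so the cast reported above is never evaluated on an unrepresentable value. The helper names, the reject-on-out-of-range policy and the 0..255 clamp are assumptions of this sketch.

```c
#include <limits.h>
#include <math.h>
#include <stdio.h>

/* Hypothetical helper, not libcroco API: convert to long only when v lies in
 * [LONG_MIN, 2^(bits-1)), so the cast below is always defined. */
static int double_to_long_checked(double v, long *out)
{
    /* -(double)LONG_MIN is exactly 2^(bits-1); (double)LONG_MAX may round up
     * to that same value on 64-bit long, so "v <= LONG_MAX" is not a safe test. */
    const double upper = -(double)LONG_MIN;

    if (isnan(v) || v < (double)LONG_MIN || v >= upper)
        return -1;              /* NaN, infinity or out of range: reject */
    *out = (long)v;             /* truncates toward zero, defined here */
    return 0;
}

/* Hypothetical helper: map a numeric token to an RGB component in 0..255.
 * Rejecting and clamping are both assumptions of this example. */
static int rgb_component(double v, long *out)
{
    long n;

    if (double_to_long_checked(v, &n) != 0)
        return -1;
    if (n < 0)
        n = 0;
    else if (n > 255)
        n = 255;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs; 9.11111e+19 is the value from the runtime error quoted above. */
    const double samples[] = { 128.0, 255.9, 300.0, -5.0, 9.11111e+19 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long c;
        if (rgb_component(samples[i], &c) == 0)
            printf("%g -> %ld\n", samples[i], c);
        else
            printf("%g -> rejected\n", samples[i]);
    }
    return 0;
}
```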