Red Hat Bugzilla – Bug 951257
CVE-2013-1953 autotrace: buffer overflow when parsing BMP files
Last modified: 2015-08-22 03:00:12 EDT
A buffer overflow flaw was reported in autotrace's input_bmp_reader() function. When autotrace is compiled with FORTIFY_SOURCE, this is caught and turned into a simple denial of service. As reported:
In input-bmp.c, the input_bmp_reader() function creates a buffer on the
91 unsigned char buffer;
169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))
We control Bitmap_File_Head.biSize. A value of 0 meets the <=64
requirements, and 0 - 4 should result in almost 4294967295 bytes being
read into the buffer.
This issue was discovered by Murray McAllister of Red Hat Security Response Team.
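The arithmetic described in the report, next to a validated form, as an added example that is not taken from the autotrace source or the proposed fix. It assumes a 32-bit biSize and a 64-byte destination buffer; the function names and the in-memory reader are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_BUF_CAP 64u /* assumed buffer capacity, matching the <= 64 branch */

/* Length as the reported line computes it: unsigned biSize - 4, which
 * wraps to a huge value whenever biSize < 4. */
static uint32_t unchecked_read_len(uint32_t bi_size)
{
    return bi_size - 4u;
}

/* Hardened form: validate before subtracting. Returns 0 and sets *len. */
static int checked_read_len(uint32_t bi_size, size_t cap, size_t *len)
{
    if (bi_size < 4u || bi_size - 4u > cap)
        return -1; /* would wrap, or would overrun the destination */
    *len = bi_size - 4u;
    return 0;
}

/* Read the info header from an in-memory image (hypothetical helper):
 * 4-byte little-endian biSize, then biSize - 4 bytes of header fields. */
static int read_info_header(const unsigned char *img, size_t img_len,
                            unsigned char *buf, size_t cap, size_t *len)
{
    uint32_t bi_size;
    if (img_len < 4)
        return -1;
    bi_size = (uint32_t)img[0] | (uint32_t)img[1] << 8 |
              (uint32_t)img[2] << 16 | (uint32_t)img[3] << 24;
    if (checked_read_len(bi_size, cap, len) != 0 || *len > img_len - 4)
        return -1; /* bad size field, or truncated input */
    memcpy(buf, img + 4, *len);
    return 0;
}

int main(void)
{
    const unsigned char zero_size[8] = {0}; /* constructed: biSize = 0 */
    unsigned char buf[HDR_BUF_CAP];
    size_t len = 0;
    printf("unchecked length for biSize=0: %u\n", (unsigned)unchecked_read_len(0));
    printf("hardened reader returns: %d\n",
           read_info_header(zero_size, sizeof zero_size, buf, sizeof buf, &len));
    return 0;
}
```

With a 32-bit unsigned type the unchecked length for biSize = 0 is 4294967292, which is why the size field has to be range-checked before the subtraction rather than after it.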
The CVE identifier of CVE-2013-1953 has been assigned to this issue:
Created autotrace tracking bugs for this issue
Affects: fedora-all [bug 952668]
Created attachment 766451
Proposed fix sent upstream
autotrace-0.31.1-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
autotrace-0.31.1-34.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.