hugin-devs team mailing list archive
Message #07644
[Bug 1942836] [NEW] Potential Integer Overflow vulnerability in src/celeste/svm.cpp
*** This bug is a security vulnerability ***
Private security bug reported:
In my fork of Hugin (Hugin++) someone reported the following potential
vulnerability. Since I copied this code from Hugin, I forward the
reporting here. I had a short look at the file svm.cpp and can confirm
that an integer overflow may occur. On Windows variables of type 'int'
have only 32 bits. So a solution may be to test for model->nr_class <=
0xffff .
This is the bug report at Hugin++:
There seems to be potential integer overflow vulnerability in src/celeste/svm.cpp.
In line 2862, model->nr_class is read from external source.
(2862) FSCANF(fp,"%d",&model->nr_class);
...
(2867) int n = model->nr_class * (model->nr_class-1)/2;
(2868) model->rho = Malloc(double,n);
If model->nr_class is a large integer that can cause integer overflow in line 2867,
allocation of memory on 2868 may happen with unexpected value.
** Affects: hugin
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Hugin
Developers, which is subscribed to Hugin.
https://bugs.launchpad.net/bugs/1942836
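An added example, not code from the report or from Hugin: one way to range-check the class count before computing the size of the rho array, next to the value line 2867 produces if 32-bit arithmetic wraps. The helper names, the lower bound of 1 and the sample inputs are assumptions made for illustration; the 0xffff upper bound is the one proposed in the report.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_NR_CLASS 0xffff /* upper bound proposed in the report */

/* Value line 2867 would produce if 32-bit int arithmetic wraps. Computed in
 * unsigned arithmetic because signed overflow is undefined behaviour in C. */
static int32_t wrapped_pair_count(int32_t nr_class)
{
    uint32_t k = (uint32_t)nr_class;
    return (int32_t)(k * (k - 1u)) / 2;
}

/* Hypothetical helper: parse the class count from text and compute
 * nr_class*(nr_class-1)/2 safely. Returns 0 and sets *pairs, or -1. */
static int checked_pair_count(const char *text, size_t *pairs)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno == ERANGE)
        return -1;                       /* not a number, or out of long range */
    if (v < 1 || v > MAX_NR_CLASS)       /* lower bound of 1 is an assumption */
        return -1;
    uint64_t k = (uint64_t)v;
    uint64_t n = k * (k - 1) / 2;        /* 64-bit product: no wrap for k <= 0xffff */
    if (n > INT_MAX || n > SIZE_MAX / sizeof(double))
        return -1;                       /* n * sizeof(double) would not fit */
    *pairs = (size_t)n;
    return 0;
}

int main(void)
{
    const char *samples[] = { "3", "1000", "65537", "-5", "abc" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t pairs = 0;
        if (checked_pair_count(samples[i], &pairs) == 0)
            printf("%s -> allocate %zu doubles\n", samples[i], pairs);
        else
            printf("%s -> rejected\n", samples[i]);
    }
    printf("unchecked 65537 -> n = %d\n", (int)wrapped_pair_count(65537));
    return 0;
}
```

The product is formed in 64 bits because for class counts close to 0xffff the intermediate value nr_class*(nr_class-1) is already larger than a 32-bit int can hold, even though the result after dividing by 2 fits.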