I don't have the expertise to know if they are issues with the upstream
Cairo libs or not -- that's just where the memory allocations happen. I'm
merely a dumb user of someone else's genius :-)

I'll put them in a Google Drive folder of the format {stacktrace1.txt,
sample1.guac} for each one. Will reply with the folder once it's ready.

Cheers,
-- Morgon

On Mon, Mar 16, 2020 at 7:55 PM Nick Couchman <[email protected]> wrote:

> On Mon, Mar 16, 2020 at 4:21 PM Morgon Kanter <[email protected]> wrote:
>
> > Our fuzzer for guacenc has uncovered a number of integer overflows, stack
> > overflows, and direct memory leaks -- usually centered around Cairo. How
> > would you like us to report them? I can provide backtraces of the stack and
> > minimal test cases that should reproduce the issues.
> >
> > Thanks,
> > -- Morgon
> >
>
> If the findings represent security issues (doubtful for something like
> guacenc, but something to think about nonetheless), then please report them
> to the security list:
>
> http://guacamole.apache.org/faq/#security
>
> Otherwise, here is fine.  Are the issues in the actual guacenc
> implementation, or in the upstream cairo libraries?  If the issues are in
> the upstream cairo libraries then reporting them here won't really do any
> good - they'll need to be reported upstream.  Once we determine that there
> actually is a bug in the Guacamole code you can open a JIRA issue for the
> bug(s) and then we (you, us, whoever) can work on resolving them with
> changes to the code.
>
> -Nick
>
