This vulnerability was discovered by Tyler Bohan of Cisco Talos.

Executive Summary
Walt Disney PTEX is an open source software application maintained by Walt Disney Animation Studios. It is designed for use in post-production rendering. It allows for the storage of thousands of texture mappings within a single file. This particular software library is in many other software applications such as Pixar's RenderMan, giving it a large install base. A list of other applications that have incorporated PTEX is available here. Talos has recently discovered a stack-based buffer overflow in PTEX that could potentially allow a remote attacker to execute arbitrary code on affected systems.

Vulnerability Details  Walt Disney Per-Face Texture Mapping faceInfoSize Code Execution Vulnerability (TALOS-2018-0515 / CVE-2018-3835)

This vulnerability manifests when a file is read due to lack of proper parameter checking. When reading in files, the value of the 'faceInfoSize' parameter is not properly checked for validity. Reading a file with a specially crafted 'faceInfoSize' value could cause an out of bounds write condition resulting in a buffer overflow that could potentially allow code execution. For full technical details regarding this vulnerability, please see the advisory here.

Versions Tested
Walt Disney Animation Studios PTEX 2.2

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 45502-45503