Vulnerability Spotlight: Walt Disney Per-Face Texture Mapping faceInfoSize Code Execution Vulnerability

This vulnerability was discovered by Tyler Bohan of Cisco Talos.

Executive Summary

Walt Disney PTEX is an open source software application maintained by Walt Disney Animation Studios. It is designed for use in post-production rendering. It allows for the storage of thousands of texture mappings within a single file. This particular software library is in many other software applications such as Pixar’s RenderMan, giving it a large install base. A list of other applications that have incorporated PTEX is available here. Talos has recently discovered a stack-based buffer overflow in PTEX that could potentially allow a remote attacker to execute arbitrary code on affected systems.

Vulnerability Details

Walt Disney Per-Face Texture Mapping faceInfoSize Code Execution Vulnerability (TALOS-2018-0515 / CVE-2018-3835)

This vulnerability manifests when a file is read due to lack of proper parameter checking. When reading in files, the value of the ‘faceInfoSize’ parameter is not properly checked for validity. Reading a file with a specially crafted ‘faceInfoSize’ value could cause an out of bounds write condition resulting in a buffer overflow that could potentially allow code execution. For full technical details regarding this vulnerability, please see the advisory here.

Versions Tested

Walt Disney Animation Studios PTEX 2.2


Walt Disney Animation Studios has released PTEX version 2.1.33 to address this issue. Talos recommends installing this update as quickly as possible on affected systems. As this library has been incorporated in several other applications, it is recommended that they be evaluated to determine if they are also affected by this vulnerability.


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 45502-45503

Article Link: