mupdf: mujstest: strcpy-param-overlap in main (jstest_main.c)

Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.

Fuzzing revealed a strcpy-param-overlap.

The complete ASan output:

# mujstest $FILE
==26843==ERROR: AddressSanitizer: strcpy-param-overlap: memory ranges [0x0000013c5d40,0x0000013c62ed) and [0x0000013c6285, 0x0000013c6832) overlap
    #0 0x473129 in __interceptor_strcpy /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:545
    #1 0x4f7910 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:353:6
    #2 0x7f8af37a961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8)

0x0000013c6140 is located 0 bytes to the right of global variable 'filename' defined in 'platform/x11/jstest_main.c:15:13' (0x13c5d40) of size 1024
0x0000013c6285 is located 5 bytes inside of global variable 'getline_buffer' defined in 'platform/x11/jstest_main.c:24:13' (0x13c6280) of size 4096
SUMMARY: AddressSanitizer: strcpy-param-overlap /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:545 in __interceptor_strcpy
==26843==ABORTING

Affected version:
1.9a

Fixed version:
2.0 (not yet released)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=cfe8f35bca61056363368c343be36812abde0a06

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-09-22: upstream released a patch
2016-09-25: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

mupdf: mujstest: global-buffer-overflow in main (jstest_main.c)

Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.

Fuzzing revealed a global buffer overflow write.

The complete ASan output:

# mujstest $FILE
=================================================================
==2244==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013c6140 at pc 0x000000473526 bp 0x7fff866f77d0 sp 0x7fff866f6f80
WRITE of size 1181 at 0x0000013c6140 thread T0
    #0 0x473525 in __interceptor_strcpy /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:547
    #1 0x4f7910 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:353:6
    #2 0x7f3a6c18661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8)

0x0000013c6140 is located 0 bytes to the right of global variable 'filename' defined in 'platform/x11/jstest_main.c:15:13' (0x13c5d40) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:547 in __interceptor_strcpy
Shadow bytes around the buggy address:
  0x000080270bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080270c20: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9
  0x000080270c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270c40: f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080270c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2244==ABORTING

Affected version:
1.9a

Fixed version:
2.0 (not yet released)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=cfe8f35bca61056363368c343be36812abde0a06

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-09-22: upstream released a patch
2016-09-24: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

mupdf: mujstest: global-buffer-overflow in my_getline (jstest_main.c)

Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.

Fuzzing revealed a global buffer overflow write.

The complete ASan output:

# mujstest $FILE
==1278==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013c7280 at pc 0x0000004fa432 bp 0x7ffea75837d0 sp 0x7ffea75837c8
WRITE of size 1 at 0x0000013c7280 thread T0
    #0 0x4fa431 in my_getline /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:214:5
    #1 0x4fa431 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:335
    #2 0x7fb62229661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8)

0x0000013c7280 is located 0 bytes to the right of global variable 'getline_buffer' defined in 'platform/x11/jstest_main.c:24:13' (0x13c6280) of size 4096
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:214:5 in my_getline
Shadow bytes around the buggy address:
  0x000080270e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080270e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080270e50:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270e90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080270ea0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1278==ABORTING

Affected version:
1.9a

Fixed version:
2.0 (not yet released)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=446097f97b71ce20fa8d1e45e070f2e62676003e

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-09-22: upstream released a patch
2016-09-24: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

mupdf: use-after-free in pdf_to_num (pdf-object.c)

Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.

Fuzzing through mutool revealed a use-after-free.

The complete ASan output:

# mutool info $FILE
==5430==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ea42 at pc 0x7fbc4c3824e5 bp 0x7ffee68ead70 sp 0x7ffee68ead68
READ of size 1 at 0x60300000ea42 thread T0
    #0 0x7fbc4c3824e4 in pdf_to_num /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-object.c:375:35
    #1 0x53f042 in gatherfonts /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:259:46
    #2 0x53f042 in gatherresourceinfo /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:595
    #3 0x53913a in gatherpageinfo /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:661:2
    #4 0x53913a in showinfo /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:957
    #5 0x537d46 in pdfinfo_info /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:1029:3
    #6 0x537d46 in pdfinfo_main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:1077
    #7 0x4f8ace in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/mutool.c:104:12
    #8 0x7fbc4ae1f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41f9c8 in _init (/usr/bin/mutool+0x41f9c8)

0x60300000ea42 is located 2 bytes inside of 24-byte region [0x60300000ea40,0x60300000ea58)
freed by thread T0 here:
    #0 0x4c6c10 in free /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7fbc4bf33830 in fz_free /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/fitz/memory.c:187:2

previously allocated by thread T0 here:
    #0 0x4c6f18 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fbc4bf2a86f in do_scavenging_malloc /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/fitz/memory.c:17:7
    #2 0x7fbc4bf2a86f in fz_malloc /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/fitz/memory.c:57
    #3 0x7fbc4c37f94d in pdf_new_indirect /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-object.c:186:8

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-object.c:375:35 in pdf_to_num
Shadow bytes around the buggy address:
  0x0c067fff9cf0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff9d00: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff9d10: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9d20: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c067fff9d30: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
=>0x0c067fff9d40: fa fa 00 00 00 fa fa fa[fd]fd fd fa fa fa fd fd
  0x0c067fff9d50: fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff9d60: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
  0x0c067fff9d70: fa fa 00 00 00 fa fa fa 00 00 00 06 fa fa 00 00
  0x0c067fff9d80: 01 fa fa fa 00 00 05 fa fa fa 00 00 00 fa fa fa
  0x0c067fff9d90: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5430==ABORTING

Affected version:
1.9a

Fixed version:
1.10 (not yet released)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:

Timeline:
2016-08-05: bug discovered
2016-08-05: bug reported privately to upstream
2016-09-22: upstream released a patch
2016-09-22: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

mupdf: mutool: infinite loop in gatherresourceinfo (pdfinfo.c)

Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.

Fuzzing through mutool revealed an infinite loop in gatherresourceinfo when mutool tries to extract info from a crafted PDF.

The output below is trimmed because the original is ~1300 lines long (because of the loop).

# mutool info $FILE
[cut here]
warning: not a font dict (0 0 R)
ASAN:DEADLYSIGNAL
=================================================================
==8763==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb34e6f6c (pc 0x7f188e685b2e bp 0x7ffeb34e7410 sp 0x7ffeb34e6ea0 T0)
    #0 0x7f188e685b2d in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/stdio-common/vfprintf.c:1266
    #1 0x7f188e6888c0 in buffered_vfprintf /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/stdio-common/vfprintf.c:2346
    #2 0x7f188e685cd4 in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/stdio-common/vfprintf.c:1292
    #3 0x49927f in __interceptor_vfprintf /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1111
    #4 0x499352 in fprintf /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1156
    #5 0x7f188f70f03c in fz_flush_warnings /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/fitz/error.c:18:3
    #6 0x7f188f70f03c in fz_throw /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/fitz/error.c:168
    #7 0x7f188fac98d5 in pdf_parse_ind_obj /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-parse.c:565:3
    #8 0x7f188fb5fe6b in pdf_cache_object /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-xref.c:2029:13
    #9 0x7f188fb658d2 in pdf_resolve_indirect /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-xref.c:2155:12
    #10 0x7f188fbc0a0d in pdf_is_dict /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/pdf/pdf-object.c:268:2
    #11 0x53ea6a in gatherfonts /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:257:8
    #12 0x53ea6a in gatherresourceinfo /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:595
    #13 0x53f31b in gatherresourceinfo /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:603:5
    [cut here]
    #253 0x53f31b in gatherresourceinfo /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/source/tools/pdfinfo.c:603:5

SUMMARY: AddressSanitizer: stack-overflow /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/stdio-common/vfprintf.c:1266 in _IO_vfprintf
==8763==ABORTING
1152.crashes:
PDF-1.4
Pages: 1
Retrieving info from pages 1-1...

Affected version:
1.9a

Fixed version:
1.10 (not yet released)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=fdf71862fe929b4560e9f632d775c50313d6ef02

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-05: bug discovered
2016-08-05: bug reported to upstream
2016-09-22: upstream released a patch
2016-09-22: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

libav: divide-by-zero in sbr_make_f_master (aacsbr.c)

Description:
Libav is an open source set of tools for audio and video processing.

Fuzzing with an mp3 file as input discovered a divide-by-zero in sbr_make_f_master.

The complete ASan output:

# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags/RELEASE_381/final)
[mpeg @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!
[aac @ 0x619000000580] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000000580] SBR was found before the first channel element.
ASAN:DEADLYSIGNAL
=================================================================
==29103==ERROR: AddressSanitizer: FPE on unknown address 0x7fbd80295491 (pc 0x7fbd80295491 bp 0x7ffde63eb2f0 sp 0x7ffde63eafa0 T0)
    #0 0x7fbd80295490 in sbr_make_f_master /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57
    #1 0x7fbd80295490 in sbr_reset /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1045
    #2 0x7fbd80295490 in ff_decode_sbr_extension /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1093
    #3 0x7fbd801efe1b in decode_extension_payload /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2196:15
    #4 0x7fbd801efe1b in aac_decode_frame_int /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2866
    #5 0x7fbd801d3bbb in aac_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2959:15
    #6 0x7fbd823ed42a in avcodec_decode_audio4 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1657:15
    #7 0x7fbd83f00b20 in try_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:1914:19
    #8 0x7fbd83ef76e2 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:2276:9
    #9 0x50d195 in open_input_file /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:726:11
    #10 0x50b625 in open_files /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2127:15
    #11 0x50af81 in avconv_parse_options /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2164:11
    #12 0x541414 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2630:11
    #13 0x7fbd7e77f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #14 0x41d098 in _init (/usr/bin/avconv+0x41d098)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57 in sbr_make_f_master
==29103==ABORTING

Affected version:
11.7

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-7499

Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-09-21: blog post about the issue
2016-09-21: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

libav: NULL pointer dereference in ff_put_pixels8_xy2_mmx (rnd_template.c)

Description:
Libav is an open source set of tools for audio and video processing.

Fuzzing with an mp3 file as input discovered a NULL pointer access in ff_put_pixels8_xy2_mmx.

The complete ASan output:

# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags/RELEASE_381/final)
[h263 @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!
[h263 @ 0x619000000580] warning: first frame is no keyframe
[h263 @ 0x619000000580] cbpc damaged at 2 0
[h263 @ 0x619000000580] Error at MB: 2
[h263 @ 0x619000000580] concealing 6336 DC, 6336 AC, 6336 MV errors
[h263 @ 0x61a00001f280] Estimating duration from bitrate, this may be inaccurate
Input #0, h263, from '70.crashes':
  Duration: N/A, bitrate: N/A
    Stream #0.0: Video: h263, yuv420p, 1408x1152 [PAR 12:11 DAR 4:3], 25 fps, 25 tbn, 29.97 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.1.0
    Stream #0.0: Video: rawvideo, yuv420p, 1408x1152 [PAR 12:11 DAR 4:3], q=2-31, 200 kb/s, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc56.1.0 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h263 (native) -> rawvideo (native))
Press ctrl-c to stop encoding
[h263 @ 0x61900001cc80] warning: first frame is no keyframe
[h263 @ 0x61900001cc80] cbpc damaged at 2 0
[h263 @ 0x61900001cc80] Error at MB: 2
[h263 @ 0x61900001cc80] concealing 6336 DC, 6336 AC, 6336 MV errors
[h263 @ 0x61900001cc80] warning: first frame is no keyframe
[h263 @ 0x61900001cc80] cbpc damaged at 0 0
[h263 @ 0x61900001cc80] Error at MB: 0
[h263 @ 0x61900001cc80] concealing 99 DC, 99 AC, 99 MV errors
Input stream #0:0 frame changed from size:1408x1152 fmt:yuv420p to size:176x144 fmt:yuv420p
[h263 @ 0x61900001cc80] warning: first frame is no keyframe
ASAN:DEADLYSIGNAL
=================================================================
==28973==ERROR: AddressSanitizer: SEGV on unknown address 0x7f22da99ac95 (pc 0x7f22e80d8892 bp 0x7ffcd7c28e90 sp 0x7ffcd7c28e20 T0)
    #0 0x7f22e80d8891 in ff_put_pixels8_xy2_mmx /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/x86/rnd_template.c:37:5
    #1 0x7f22e7217de0 in hpel_motion /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:224:5
    #2 0x7f22e7217de0 in apply_8x8 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:798
    #3 0x7f22e7217de0 in mpv_motion_internal /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:877
    #4 0x7f22e7217de0 in ff_mpv_motion /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:981
    #5 0x7f22e714459b in mpv_decode_mb_internal /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2223:21
    #6 0x7f22e714459b in ff_mpv_decode_mb /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2358
    #7 0x7f22e6056c95 in decode_slice /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:273:13
    #8 0x7f22e60522cd in ff_h263_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:575:11
    #9 0x7f22e79dd906 in avcodec_decode_video2 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1600:19
    #10 0x5647eb in decode_video /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:1259:11
    #11 0x5647eb in process_input_packet /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:1398
    #12 0x550e63 in process_input /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2440:11
    #13 0x550e63 in transcode /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2488
    #14 0x550e63 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2647
    #15 0x7f22e3d7261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x41d098 in _init (/usr/bin/avconv+0x41d098)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/x86/rnd_template.c:37:5 in ff_put_pixels8_xy2_mmx
==28973==ABORTING

Affected version:
11.7

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-7477

Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-09-20: blog post about the issue
2016-09-21: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c)

Description:
Libav is an open source set of tools for audio and video processing.

Fuzzing with an mp3 file as input discovered a NULL pointer access in put_no_rnd_pixels8_xy2_mmx.

The complete ASan output:

# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags/RELEASE_381/final)
[h263 @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!
[IMGUTILS @ 0x7ff589955420] Picture size 0x0 is invalid
[h263 @ 0x619000000580] header damaged
[h263 @ 0x619000000580] Syntax-based Arithmetic Coding (SAC) not supported
[h263 @ 0x619000000580] Independent Segment Decoding not supported
[h263 @ 0x619000000580] warning: first frame is no keyframe
[h263 @ 0x619000000580] cbpc damaged at 0 0
[h263 @ 0x619000000580] Error at MB: 0
[h263 @ 0x619000000580] concealing 1584 DC, 1584 AC, 1584 MV errors
[h263 @ 0x61a00001f280] Estimating duration from bitrate, this may be inaccurate
Input #0, h263, from '9.crashes':
  Duration: N/A, bitrate: N/A
    Stream #0.0: Video: h263, yuv420p, 704x576 [PAR 12:11 DAR 4:3], 25 fps, 25 tbn, 18.73 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.1.0
    Stream #0.0: Video: rawvideo, yuv420p, 704x576 [PAR 12:11 DAR 4:3], q=2-31, 200 kb/s, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc56.1.0 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h263 (native) -> rawvideo (native))
Press ctrl-c to stop encoding
[h263 @ 0x61900001ea80] warning: first frame is no keyframe
ASAN:DEADLYSIGNAL
=================================================================
==26790==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff584ddb77f (pc 0x7ff5910cdeee bp 0x7ffdc464d7f0 sp 0x7ffdc464d780 T0)
    #0 0x7ff5910cdeed in put_no_rnd_pixels8_xy2_mmx /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/x86/rnd_template.c:37:5
    #1 0x7ff590209de0 in hpel_motion /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:224:5
    #2 0x7ff590209de0 in apply_8x8 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:798
    #3 0x7ff590209de0 in mpv_motion_internal /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:877
    #4 0x7ff590209de0 in ff_mpv_motion /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:981
    #5 0x7ff59013659b in mpv_decode_mb_internal /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2223:21
    #6 0x7ff59013659b in ff_mpv_decode_mb /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2358
    #7 0x7ff58f048c95 in decode_slice /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:273:13
    #8 0x7ff58f0442cd in ff_h263_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:575:11
    #9 0x7ff5909cf906 in avcodec_decode_video2 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1600:19
    #10 0x5647eb in decode_video /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:1259:11
    #11 0x5647eb in process_input_packet /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:1398
    #12 0x550e63 in process_input /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2440:11
    #13 0x550e63 in transcode /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2488
    #14 0x550e63 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2647
    #15 0x7ff58cd6461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x41d098 in _init (/usr/bin/avconv+0x41d098)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/x86/rnd_template.c:37:5 in put_no_rnd_pixels8_xy2_mmx
==26790==ABORTING

Affected version:
11.7

Fixed version:
N/A

Commit fix:
https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-7424

Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-09-16: upstream released a patch
2016-09-17: blog post about the issue
2016-09-17: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was reported by F4B3CD@STARLAB on 2016-09-12 via libav-security, although it had already been public on the upstream bug tracker since 2016-08-15.

Permalink:

libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c)


graphicsmagick: memory allocation failure in MagickMalloc (memory.c)

Description:
Graphicsmagick is an Image Processing System.

After the first round of fuzzing, where I discovered some slowness issues that made fuzzing hard, the second round revealed a memory allocation failure.

The complete ASan output:

# gm identify $FILE
==20592==ERROR: AddressSanitizer failed to allocate 0x7fff03000 (34358702080) bytes of LargeMmapAllocator (error code: 12)
==20592==Process memory map follows:
        0x000000400000-0x000000522000   /usr/bin/gm
        0x000000722000-0x000000723000   /usr/bin/gm
        0x000000723000-0x000000726000   /usr/bin/gm
        0x000000726000-0x000001399000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x602000000000
        0x602000000000-0x602000010000
        0x602000010000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x604000000000
        0x604000000000-0x604000010000
        0x604000010000-0x606000000000
        0x606000000000-0x606000010000
        0x606000010000-0x607000000000
        0x607000000000-0x607000010000
        0x607000010000-0x608000000000
        0x608000000000-0x608000010000
        0x608000010000-0x60a000000000
        0x60a000000000-0x60a000010000
        0x60a000010000-0x60b000000000
        0x60b000000000-0x60b000010000
        0x60b000010000-0x60c000000000
        0x60c000000000-0x60c000010000
        0x60c000010000-0x60d000000000
        0x60d000000000-0x60d000010000
        0x60d000010000-0x60f000000000
        0x60f000000000-0x60f000010000
        0x60f000010000-0x610000000000
        0x610000000000-0x610000010000
        0x610000010000-0x611000000000
        0x611000000000-0x611000010000
        0x611000010000-0x612000000000
        0x612000000000-0x612000010000
        0x612000010000-0x614000000000
        0x614000000000-0x614000020000
        0x614000020000-0x616000000000
        0x616000000000-0x616000020000
        0x616000020000-0x618000000000
        0x618000000000-0x618000020000
        0x618000020000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x61a000000000
        0x61a000000000-0x61a000020000
        0x61a000020000-0x61b000000000
        0x61b000000000-0x61b000020000
        0x61b000020000-0x61d000000000
        0x61d000000000-0x61d000020000
        0x61d000020000-0x61e000000000
        0x61e000000000-0x61e000020000
        0x61e000020000-0x621000000000
        0x621000000000-0x621000020000
        0x621000020000-0x623000000000
        0x623000000000-0x623000020000
        0x623000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x625000000000
        0x625000000000-0x625000020000
        0x625000020000-0x640000000000
        0x640000000000-0x640000003000
        0x7f889986d000-0x7f889988b000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/sgi.so
        0x7f889988b000-0x7f8899a8a000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/sgi.so
        0x7f8899a8a000-0x7f8899a8b000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/sgi.so
        0x7f8899a8b000-0x7f8899a8c000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/sgi.so
        0x7f8899a8c000-0x7f8899a8e000
        0x7f8899a8e000-0x7f88a0100000   /usr/lib64/locale/locale-archive
        0x7f88a0100000-0x7f88a0200000
        0x7f88a0300000-0x7f88a0400000
        0x7f88a049b000-0x7f88a27ed000
        0x7f88a27ed000-0x7f88a27f6000   /usr/lib64/libltdl.so.7.3.1
        0x7f88a27f6000-0x7f88a29f5000   /usr/lib64/libltdl.so.7.3.1
        0x7f88a29f5000-0x7f88a29f6000   /usr/lib64/libltdl.so.7.3.1
        0x7f88a29f6000-0x7f88a29f7000   /usr/lib64/libltdl.so.7.3.1
        0x7f88a29f7000-0x7f88a2a0c000   /lib64/libz.so.1.2.8
        0x7f88a2a0c000-0x7f88a2c0b000   /lib64/libz.so.1.2.8
        0x7f88a2c0b000-0x7f88a2c0c000   /lib64/libz.so.1.2.8
        0x7f88a2c0c000-0x7f88a2c0d000   /lib64/libz.so.1.2.8
        0x7f88a2c0d000-0x7f88a2c1c000   /lib64/libbz2.so.1.0.6
        0x7f88a2c1c000-0x7f88a2e1b000   /lib64/libbz2.so.1.0.6
        0x7f88a2e1b000-0x7f88a2e1c000   /lib64/libbz2.so.1.0.6
        0x7f88a2e1c000-0x7f88a2e1d000   /lib64/libbz2.so.1.0.6
        0x7f88a2e1d000-0x7f88a2ec4000   /usr/lib64/libfreetype.so.6.12.3
        0x7f88a2ec4000-0x7f88a30c4000   /usr/lib64/libfreetype.so.6.12.3
        0x7f88a30c4000-0x7f88a30ca000   /usr/lib64/libfreetype.so.6.12.3
        0x7f88a30ca000-0x7f88a30cb000   /usr/lib64/libfreetype.so.6.12.3
        0x7f88a30cb000-0x7f88a311f000   /usr/lib64/liblcms2.so.2.0.6
        0x7f88a311f000-0x7f88a331e000   /usr/lib64/liblcms2.so.2.0.6
        0x7f88a331e000-0x7f88a331f000   /usr/lib64/liblcms2.so.2.0.6
        0x7f88a331f000-0x7f88a3324000   /usr/lib64/liblcms2.so.2.0.6
        0x7f88a3324000-0x7f88a34b7000   /lib64/libc-2.22.so
        0x7f88a34b7000-0x7f88a36b7000   /lib64/libc-2.22.so
        0x7f88a36b7000-0x7f88a36bb000   /lib64/libc-2.22.so
        0x7f88a36bb000-0x7f88a36bd000   /lib64/libc-2.22.so
        0x7f88a36bd000-0x7f88a36c1000
        0x7f88a36c1000-0x7f88a36d7000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f88a36d7000-0x7f88a38d6000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f88a38d6000-0x7f88a38d7000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f88a38d7000-0x7f88a38d8000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f88a38d8000-0x7f88a38de000   /lib64/librt-2.22.so
        0x7f88a38de000-0x7f88a3ade000   /lib64/librt-2.22.so
        0x7f88a3ade000-0x7f88a3adf000   /lib64/librt-2.22.so
        0x7f88a3adf000-0x7f88a3ae0000   /lib64/librt-2.22.so
        0x7f88a3ae0000-0x7f88a3af7000   /lib64/libpthread-2.22.so
        0x7f88a3af7000-0x7f88a3cf6000   /lib64/libpthread-2.22.so
        0x7f88a3cf6000-0x7f88a3cf7000   /lib64/libpthread-2.22.so
        0x7f88a3cf7000-0x7f88a3cf8000   /lib64/libpthread-2.22.so
        0x7f88a3cf8000-0x7f88a3cfc000
        0x7f88a3cfc000-0x7f88a3df9000   /lib64/libm-2.22.so
        0x7f88a3df9000-0x7f88a3ff8000   /lib64/libm-2.22.so
        0x7f88a3ff8000-0x7f88a3ff9000   /lib64/libm-2.22.so
        0x7f88a3ff9000-0x7f88a3ffa000   /lib64/libm-2.22.so
        0x7f88a3ffa000-0x7f88a3ffc000   /lib64/libdl-2.22.so
        0x7f88a3ffc000-0x7f88a41fc000   /lib64/libdl-2.22.so
        0x7f88a41fc000-0x7f88a41fd000   /lib64/libdl-2.22.so
        0x7f88a41fd000-0x7f88a41fe000   /lib64/libdl-2.22.so
        0x7f88a41fe000-0x7f88a4a0d000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7f88a4a0d000-0x7f88a4c0d000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7f88a4c0d000-0x7f88a4c3e000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7f88a4c3e000-0x7f88a4cc4000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7f88a4cc4000-0x7f88a4d3f000
        0x7f88a4d3f000-0x7f88a4d61000   /lib64/ld-2.22.so
        0x7f88a4eab000-0x7f88a4ec0000
        0x7f88a4ec0000-0x7f88a4ec7000   /usr/lib64/gconv/gconv-modules.cache
        0x7f88a4ec7000-0x7f88a4eea000   /usr/share/locale/it/LC_MESSAGES/libc.mo
        0x7f88a4eea000-0x7f88a4f54000
        0x7f88a4f54000-0x7f88a4f60000
        0x7f88a4f60000-0x7f88a4f61000   /lib64/ld-2.22.so
        0x7f88a4f61000-0x7f88a4f62000   /lib64/ld-2.22.so
        0x7f88a4f62000-0x7f88a4f63000
        0x7ffe83ea9000-0x7ffe83eca000   [stack]
        0x7ffe83f49000-0x7ffe83f4b000   [vvar]
        0x7ffe83f4b000-0x7ffe83f4d000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==20592==End of process memory map.
==20592==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9aed in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0623 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0811 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d984a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x421bdf in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x421bdf in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x421bdf in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x421bdf in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c01b1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f88a479e12d in MagickMalloc /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/memory.c:156:10
    #10 0x7f88a479e12d in MagickMallocArray /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/memory.c:347
    #11 0x7f8899872d7a in ReadSGIImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sgi.c:498:19
    #12 0x7f88a4558b13 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1607:13
    #13 0x7f88a4556a94 in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1370:9
    #14 0x7f88a446bb25 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8375:17
    #15 0x7f88a447197c in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8865:17
    #16 0x7f88a44e96fe in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17379:10
    #17 0x7f88a44e7926 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17432:16
    #18 0x7f88a334461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #19 0x418c88 in _init (/usr/bin/gm+0x418c88)
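The trace above ends in MagickMallocArray asking the allocator for roughly 34 GB, a size that can only have come from untrusted header fields. The following is an added example, not GraphicsMagick's own code (its fix is in the commit linked below): a count-times-size allocation helper that refuses zero sizes, multiplication overflow, and requests above a policy cap, so a decoder fails cleanly instead of letting a crafted header drive the allocator into an abort. The 256 MiB cap, the status enum and the sample dimensions are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical cap on a single pixel-buffer allocation (an assumption for
 * this example, not a GraphicsMagick setting): 256 MiB. A real reader would
 * take this from a configurable resource-limit policy. */
#define MAX_ARRAY_BYTES ((size_t)256 * 1024 * 1024)

/* Outcome of a size check, so callers (and tests) can tell why a request
 * was refused. */
enum alloc_status { ALLOC_OK = 0, ALLOC_ZERO, ALLOC_OVERFLOW, ALLOC_TOO_LARGE };

/* Validate count * size before allocating: reject zero, multiplication
 * overflow, and anything above the policy limit. On success the byte total
 * is written to *bytes. */
enum alloc_status check_array_size(size_t count, size_t size, size_t *bytes)
{
    if (count == 0 || size == 0)
        return ALLOC_ZERO;
    if (count > SIZE_MAX / size)          /* count * size would wrap around */
        return ALLOC_OVERFLOW;
    if (count * size > MAX_ARRAY_BYTES)   /* header-driven size is absurd */
        return ALLOC_TOO_LARGE;
    *bytes = count * size;
    return ALLOC_OK;
}

/* Overflow- and limit-checked array allocation. Returns NULL for any refused
 * request, so the caller can report a corrupt file rather than crash. */
void *safe_malloc_array(size_t count, size_t size)
{
    size_t bytes;
    if (check_array_size(count, size, &bytes) != ALLOC_OK)
        return NULL;
    return malloc(bytes);
}

/* Demonstration with constructed values: an image-sized request that passes,
 * and a header-sized request in the spirit of the trace that is refused. */
int main(void)
{
    void *ok = safe_malloc_array((size_t)704 * 576, 4);   /* 704x576 RGBA */
    void *bad = safe_malloc_array(MAX_ARRAY_BYTES, 2);    /* 512 MiB: over cap */
    printf("sane request: %s\n", ok ? "allocated" : "refused");
    printf("huge request: %s\n", bad ? "allocated" : "refused");
    free(ok);
    free(bad);
    return 0;
}
```

The overflow test uses division rather than multiplying and comparing, because the product itself is what can wrap; the cap check then runs on a product that is known not to have wrapped. Keeping the two failure modes distinct matters for triage: an overflow means the header is malformed, while an over-cap request may be a legitimate but oversized image that a resource policy should reject.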

Affected version:
1.3.25

Fixed version:
1.3.26 (not yet released)

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/c53725cb5449

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-09-09: bug discovered
2016-09-09: bug reported privately to upstream
2016-09-10: no upstream response
2016-09-15: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

graphicsmagick: memory allocation failure in MagickMalloc (memory.c)


graphicsmagick: memory allocation failure in ReadPCXImage (pcx.c)

Description:
Graphicsmagick is an Image Processing System.

After the first round of fuzzing, where I discovered some slowness issues that made fuzzing hard, the second round revealed a memory allocation failure.

The complete ASan output:

# gm identify $FILE
==10139==ERROR: AddressSanitizer failed to allocate 0x4cd6a6000 (20626169856) bytes of LargeMmapAllocator (error code: 12)
==10139==Process memory map follows:
        0x000000400000-0x00000051f000   /usr/bin/gm
        0x00000071e000-0x00000071f000   /usr/bin/gm
        0x00000071f000-0x000000722000   /usr/bin/gm
        0x000000722000-0x000001394000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x602000000000
        0x602000000000-0x602000010000
        0x602000010000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x604000000000
        0x604000000000-0x604000010000
        0x604000010000-0x606000000000
        0x606000000000-0x606000010000
        0x606000010000-0x607000000000
        0x607000000000-0x607000010000
        0x607000010000-0x608000000000
        0x608000000000-0x608000010000
        0x608000010000-0x60a000000000
        0x60a000000000-0x60a000010000
        0x60a000010000-0x60b000000000
        0x60b000000000-0x60b000010000
        0x60b000010000-0x60c000000000
        0x60c000000000-0x60c000010000
        0x60c000010000-0x60f000000000
        0x60f000000000-0x60f000010000
        0x60f000010000-0x610000000000
        0x610000000000-0x610000010000
        0x610000010000-0x611000000000
        0x611000000000-0x611000010000
        0x611000010000-0x612000000000
        0x612000000000-0x612000010000
        0x612000010000-0x614000000000
        0x614000000000-0x614000020000
        0x614000020000-0x616000000000
        0x616000000000-0x616000020000
        0x616000020000-0x618000000000
        0x618000000000-0x618000020000
        0x618000020000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x61a000000000
        0x61a000000000-0x61a000020000
        0x61a000020000-0x61b000000000
        0x61b000000000-0x61b000020000
        0x61b000020000-0x61d000000000
        0x61d000000000-0x61d000020000
        0x61d000020000-0x61e000000000
        0x61e000000000-0x61e000020000
        0x61e000020000-0x621000000000
        0x621000000000-0x621000020000
        0x621000020000-0x623000000000
        0x623000000000-0x623000020000
        0x623000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x625000000000
        0x625000000000-0x625000020000
        0x625000020000-0x640000000000
        0x640000000000-0x640000003000
        0x7ff8e8877000-0x7ff8e888c000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/pcx.so
        0x7ff8e888c000-0x7ff8e8a8c000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/pcx.so
        0x7ff8e8a8c000-0x7ff8e8a8d000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/pcx.so
        0x7ff8e8a8d000-0x7ff8e8a8e000   /usr/lib64/GraphicsMagick-1.3.25/modules-Q32/coders/pcx.so
        0x7ff8e8a8e000-0x7ff8ef100000   /usr/lib64/locale/locale-archive
        0x7ff8ef100000-0x7ff8ef200000
        0x7ff8ef300000-0x7ff8ef400000
        0x7ff8ef4ab000-0x7ff8f17fd000
        0x7ff8f17fd000-0x7ff8f1806000   /usr/lib64/libltdl.so.7.3.1
        0x7ff8f1806000-0x7ff8f1a05000   /usr/lib64/libltdl.so.7.3.1
        0x7ff8f1a05000-0x7ff8f1a06000   /usr/lib64/libltdl.so.7.3.1
        0x7ff8f1a06000-0x7ff8f1a07000   /usr/lib64/libltdl.so.7.3.1
        0x7ff8f1a07000-0x7ff8f1a1c000   /lib64/libz.so.1.2.8
        0x7ff8f1a1c000-0x7ff8f1c1b000   /lib64/libz.so.1.2.8
        0x7ff8f1c1b000-0x7ff8f1c1c000   /lib64/libz.so.1.2.8
        0x7ff8f1c1c000-0x7ff8f1c1d000   /lib64/libz.so.1.2.8
        0x7ff8f1c1d000-0x7ff8f1c2c000   /lib64/libbz2.so.1.0.6
        0x7ff8f1c2c000-0x7ff8f1e2b000   /lib64/libbz2.so.1.0.6
        0x7ff8f1e2b000-0x7ff8f1e2c000   /lib64/libbz2.so.1.0.6
        0x7ff8f1e2c000-0x7ff8f1e2d000   /lib64/libbz2.so.1.0.6
        0x7ff8f1e2d000-0x7ff8f1ed4000   /usr/lib64/libfreetype.so.6.12.3
        0x7ff8f1ed4000-0x7ff8f20d4000   /usr/lib64/libfreetype.so.6.12.3
        0x7ff8f20d4000-0x7ff8f20da000   /usr/lib64/libfreetype.so.6.12.3
        0x7ff8f20da000-0x7ff8f20db000   /usr/lib64/libfreetype.so.6.12.3
        0x7ff8f20db000-0x7ff8f212f000   /usr/lib64/liblcms2.so.2.0.6
        0x7ff8f212f000-0x7ff8f232e000   /usr/lib64/liblcms2.so.2.0.6
        0x7ff8f232e000-0x7ff8f232f000   /usr/lib64/liblcms2.so.2.0.6
        0x7ff8f232f000-0x7ff8f2334000   /usr/lib64/liblcms2.so.2.0.6
        0x7ff8f2334000-0x7ff8f24c7000   /lib64/libc-2.22.so
        0x7ff8f24c7000-0x7ff8f26c7000   /lib64/libc-2.22.so
        0x7ff8f26c7000-0x7ff8f26cb000   /lib64/libc-2.22.so
        0x7ff8f26cb000-0x7ff8f26cd000   /lib64/libc-2.22.so
        0x7ff8f26cd000-0x7ff8f26d1000
        0x7ff8f26d1000-0x7ff8f26e7000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7ff8f26e7000-0x7ff8f28e6000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7ff8f28e6000-0x7ff8f28e7000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7ff8f28e7000-0x7ff8f28e8000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7ff8f28e8000-0x7ff8f28ee000   /lib64/librt-2.22.so
        0x7ff8f28ee000-0x7ff8f2aee000   /lib64/librt-2.22.so
        0x7ff8f2aee000-0x7ff8f2aef000   /lib64/librt-2.22.so
        0x7ff8f2aef000-0x7ff8f2af0000   /lib64/librt-2.22.so
        0x7ff8f2af0000-0x7ff8f2b07000   /lib64/libpthread-2.22.so
        0x7ff8f2b07000-0x7ff8f2d06000   /lib64/libpthread-2.22.so
        0x7ff8f2d06000-0x7ff8f2d07000   /lib64/libpthread-2.22.so
        0x7ff8f2d07000-0x7ff8f2d08000   /lib64/libpthread-2.22.so
        0x7ff8f2d08000-0x7ff8f2d0c000
        0x7ff8f2d0c000-0x7ff8f2e09000   /lib64/libm-2.22.so
        0x7ff8f2e09000-0x7ff8f3008000   /lib64/libm-2.22.so
        0x7ff8f3008000-0x7ff8f3009000   /lib64/libm-2.22.so
        0x7ff8f3009000-0x7ff8f300a000   /lib64/libm-2.22.so
        0x7ff8f300a000-0x7ff8f300c000   /lib64/libdl-2.22.so
        0x7ff8f300c000-0x7ff8f320c000   /lib64/libdl-2.22.so
        0x7ff8f320c000-0x7ff8f320d000   /lib64/libdl-2.22.so
        0x7ff8f320d000-0x7ff8f320e000   /lib64/libdl-2.22.so
        0x7ff8f320e000-0x7ff8f387c000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7ff8f387c000-0x7ff8f3a7b000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7ff8f3a7b000-0x7ff8f3aa3000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7ff8f3aa3000-0x7ff8f3afd000   /usr/lib64/libGraphicsMagick.so.3.15.1
        0x7ff8f3afd000-0x7ff8f3b01000
        0x7ff8f3b01000-0x7ff8f3b23000   /lib64/ld-2.22.so
        0x7ff8f3c79000-0x7ff8f3c8e000
        0x7ff8f3c8e000-0x7ff8f3c95000   /usr/lib64/gconv/gconv-modules.cache
        0x7ff8f3c95000-0x7ff8f3cb8000   /usr/share/locale/it/LC_MESSAGES/libc.mo
        0x7ff8f3cb8000-0x7ff8f3d16000
        0x7ff8f3d16000-0x7ff8f3d22000
        0x7ff8f3d22000-0x7ff8f3d23000   /lib64/ld-2.22.so
        0x7ff8f3d23000-0x7ff8f3d24000   /lib64/ld-2.22.so
        0x7ff8f3d24000-0x7ff8f3d25000
        0x7fffd09c8000-0x7fffd09e9000   [stack]
        0x7fffd09f0000-0x7fffd09f2000   [vvar]
        0x7fffd09f2000-0x7fffd09f4000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==10139==End of process memory map.
==10139==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c973d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0273 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0461 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d949a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42182f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42182f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42182f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42182f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4bfe01 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7ff8e887beba in ReadPCXImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/pcx.c:467:16
    #10 0x7ff8f34a4c4e in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1607:13
    #11 0x7ff8f34a4294 in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1370:9
    #12 0x7ff8f33f5836 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8375:17
    #13 0x7ff8f33f9e23 in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8865:17
    #14 0x7ff8f344fc3e in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17379:10
    #15 0x7ff8f344e5d1 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17432:16
    #16 0x7ff8f235461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #17 0x4188d8 in _init (/usr/bin/gm+0x4188d8)
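
The trace above ends with malloc() failing (ASan's "unable to mmap") while ReadPCXImage is allocating pixel memory, which is the usual shape of an allocation size computed from untrusted image-header fields. The defensive pattern for this bug class is to validate the computed size (non-zero dimensions, no arithmetic overflow, a hard cap) before the allocator ever sees it, so a hostile header produces a clean parse error rather than a huge request. The C below is an added example written for this post; it is not GraphicsMagick's code or its fix, and the cap value, the function names and the sample header values are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for a single pixel buffer (256 MiB); a real decoder
 * would expose this as a resource limit set by the caller. */
#define EXAMPLE_MAX_PIXEL_BYTES ((size_t)256u << 20)

/* size_t multiply with overflow detection; false on overflow. */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Bytes needed for width x height pixels at bits_per_pixel per plane with
 * `planes` planes. Rejects zero fields, overflow in any intermediate
 * product and totals above max_bytes. Fills *out and returns true on success. */
bool checked_image_bytes(uint32_t width, uint32_t height,
                         uint32_t bits_per_pixel, uint32_t planes,
                         size_t max_bytes, size_t *out)
{
    size_t row_bits, row_bytes, plane_bytes, total;

    if (width == 0 || height == 0 || bits_per_pixel == 0 || planes == 0)
        return false;
    if (!mul_size(width, bits_per_pixel, &row_bits))
        return false;
    if (row_bits > SIZE_MAX - 7)          /* rounding up must not wrap */
        return false;
    row_bytes = (row_bits + 7) / 8;
    if (!mul_size(row_bytes, height, &plane_bytes))
        return false;
    if (!mul_size(plane_bytes, planes, &total))
        return false;
    if (total > max_bytes)                /* policy cap, not just overflow */
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the validated byte count, or 0 when the header is
 * rejected, so callers can test a single return value. */
size_t image_bytes_or_zero(uint32_t width, uint32_t height,
                           uint32_t bits_per_pixel, uint32_t planes)
{
    size_t n;
    if (!checked_image_bytes(width, height, bits_per_pixel, planes,
                             EXAMPLE_MAX_PIXEL_BYTES, &n))
        return 0;
    return n;
}

/* Allocate only after validation; NULL on rejection or allocator failure,
 * so the decoder fails the file instead of aborting the process. */
unsigned char *alloc_image_pixels(uint32_t width, uint32_t height,
                                  uint32_t bits_per_pixel, uint32_t planes)
{
    size_t n = image_bytes_or_zero(width, height, bits_per_pixel, planes);
    if (n == 0)
        return NULL;
    return (unsigned char *)malloc(n);
}

int main(void)
{
    /* Constructed header values: one sane image, one hostile one. */
    unsigned char *ok  = alloc_image_pixels(640, 480, 8, 1);
    unsigned char *bad = alloc_image_pixels(65535, 65535, 8, 3);

    printf("640x480x8x1   -> %s\n", ok ? "allocated" : "rejected");
    printf("65535^2x8x3   -> %s\n", bad ? "allocated" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```

The overflow checks and the cap are deliberately separate: the first keeps the size arithmetic honest on any platform, the second keeps a syntactically valid but absurd header from driving the allocator into an mmap failure like the one in the trace.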

Affected version:
1.3.25

Fixed version:
1.3.26 (not yet released)

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b9edafd479b9

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-09-09: bug discovered
2016-09-09: bug reported privately to upstream
2016-09-10: no upstream response
2016-09-15: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

graphicsmagick: memory allocation failure in ReadPCXImage (pcx.c)