graphicsmagick: two heap-based buffer overflow in ReadTIFFImage (tiff.c)

Description:
Graphicsmagick is an Image Processing System.

A fuzzing revealed two minor issues in the TIFF parser. Both issues come out from different line in the tiff.c file but the problem seems to be the same.

The complete ASan output:

# gm identify $FILE
==6321==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb12 at pc 0x7fa98ca1fcf4 bp 0x7fff957069a0 sp 0x7fff95706998                                                       
READ of size 1 at 0x60200000eb12 thread T0                                                                                                                                                     
    #0 0x7fa98ca1fcf3 in MagickStrlCpy /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/utility.c:4567:10                                                    
    #1 0x7fa98135de5a in ReadTIFFImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/coders/tiff.c:2060:13                                                       
    #2 0x7fa98c70e06a in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/constitute.c:1607:13                                                     
    #3 0x7fa98c70d6ac in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/constitute.c:1370:9                                                      
    #4 0x7fa98c65f5a0 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:8372:17                                             
    #5 0x7fa98c663ffb in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:8862:17                                                    
    #6 0x7fa98c6b8ee3 in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:17370:10                                                 
    #7 0x7fa98c6b7b78 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:17423:16                                                       
    #8 0x7fa98b5c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #9 0x4188d8 in _init (/usr/bin/gm+0x4188d8)                                                                                                                                                
                                                                                                                                                                                               
0x60200000eb12 is located 0 bytes to the right of 2-byte region [0x60200000eb10,0x60200000eb12)                                                                                                
allocated by thread T0 here:                                                                                                                                                                   
    #0 0x4c01a8 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71                                                     
    #1 0x7fa9810ebe5b in _TIFFCheckRealloc /var/tmp/portage/media-libs/tiff-4.0.6/work/tiff-4.0.6/libtiff/tif_aux.c:73

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/utility.c:4567:10 in MagickStrlCpy


# gm identify $FILE
==26025==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ecf2 at pc 0x7f07a3aaab3c bp 0x7ffc558602c0 sp 0x7ffc558602b8                                                      
READ of size 1 at 0x60300000ecf2 thread T0                                                                                                                                                     
    #0 0x7f07a3aaab3b in MagickStrlCpy /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/utility.c:4557:7                                                     
    #1 0x7f07983e851c in ReadTIFFImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/coders/tiff.c:2048:13                                                       
    #2 0x7f07a3797a62 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/constitute.c:1607:13                                                     
    #3 0x7f07a3796f18 in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/constitute.c:1370:9                                                      
    #4 0x7f07a36e6648 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:8372:17                                             
    #5 0x7f07a36eb01b in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:8862:17                                                    
    #6 0x7f07a3740a3e in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:17370:10                                                 
    #7 0x7f07a373f5bb in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:17423:16                                                       
    #8 0x7f07a264961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #9 0x4188d8 in _init (/usr/bin/gm+0x4188d8)                                                                                                                                                
                                                                                                                                                                                               
0x60300000ecf2 is located 0 bytes to the right of 18-byte region [0x60300000ece0,0x60300000ecf2)                                                                                               
allocated by thread T0 here:                                                                                                                                                                   
    #0 0x4bfe28 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52                                                      
    #1 0x7f0798178fd4 in setByteArray /var/tmp/portage/media-libs/tiff-4.0.6/work/tiff-4.0.6/libtiff/tif_dir.c:51                                                                              
                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/utility.c:4557:7 in MagickStrlCpy

Affected version:
1.3.24 (and maybe past)

Fixed version:
1.3.25 (not yet released)

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/eb58028dacf5

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-17: bug discovered
2016-08-18: bug reported privately to upstream
2016-08-19: upstream released a patch
2016-08-23: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

graphicsmagick: two heap-based buffer overflow in ReadTIFFImage (tiff.c)

Posted in advisories, gentoo, security | Leave a comment

libav: stack-based buffer overflow in aac_sync (aac_parser.c)

Description:
Libav is an open source set of tools for audio and video processing.

A crafted file causes a stack-based buffer overflow. The ASan report may be confused because it mentions get_bits, but the issue is in aac_sync.
This issue was discovered the past year, I reported it to Luca Barbato privately and I didn’t follow the state.
Before I made the report, the bug was noticed by Janne Grunau because the fate test reported a failure, then he fixed it, but at that time there wasn’t no stable release(s) that included the fix.

The complete ASan output:

~ # avconv -i $FILE -f null -
==20736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3bd34f4a at pc 0x7f0805611189 bp 0x7ffd3bd34e20 sp 0x7ffd3bd34e18
READ of size 4 at 0x7ffd3bd34f4a thread T0
    #0 0x7f0805611188 in get_bits /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:244:5
    #1 0x7f0805611188 in avpriv_aac_parse_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/aacadtsdec.c:58
    #2 0x7f080560f19e in aac_sync /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/aac_parser.c:43:17
    #3 0x7f080560a87b in ff_aac_ac3_parse /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/aac_ac3_parser.c:48:25
    #4 0x7f0806fcd8e6 in av_parser_parse2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/parser.c:157:13
    #5 0x7f0808efd4dd in parse_packet /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:794:15
    #6 0x7f0808edae64 in read_frame_internal /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:960:24
    #7 0x7f0808ee8783 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:2156:15
    #8 0x4f62f6 in open_input_file /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:726:11
    #9 0x4f474f in open_files /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:2127:15
    #10 0x4f3f62 in avconv_parse_options /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:2164:11
    #11 0x528727 in main /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2629:11
    #12 0x7f0803c83aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #13 0x43a5d6 in _start (/usr/bin/avconv+0x43a5d6)

Address 0x7ffd3bd34f4a is located in stack of thread T0 at offset 170 in frame
    #0 0x7f080560ee3f in aac_sync /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/aac_parser.c:31

  This frame has 3 object(s):
    [32, 64) 'bits'
    [96, 116) 'hdr'
    [160, 168) 'tmp' 0x10002779e9e0: 00 00 04 f2 f2 f2 f2 f2 00[f3]f3 f3 00 00 00 00                                                                                                                                                                                                              
  0x10002779e9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x10002779ea00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1                                                                                                                                                                                                              
  0x10002779ea10: 00 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x10002779ea20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x10002779ea30: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           
  Addressable:           00                                                                                                                                                                                                                                                    
  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                                                                                  
  Heap left redzone:       fa                                                                                                                                                                                                                                                  
  Heap right redzone:      fb                                                                                                                                                                                                                                                  
  Freed heap region:       fd                                                                                                                                                                                                                                                  
  Stack left redzone:      f1                                                                                                                                                                                                                                                  
  Stack mid redzone:       f2                                                                                                                                                                                                                                                  
  Stack right redzone:     f3                                                                                                                                                                                                                                                  
  Stack partial redzone:   f4                                                                                                                                                                                                                                                  
  Stack after return:      f5                                                                                                                                                                                                                                                  
  Stack use after scope:   f8                                                                                                                                                                                                                                                  
  Global redzone:          f9                                                                                                                                                                                                                                                  
  Global init order:       f6                                                                                                                                                                                                                                                  
  Poisoned by user:        f7                                                                                                                                                                                                                                                  
  Container overflow:      fc                                                                                                                                                                                                                                                  
  Array cookie:            ac                                                                                                                                                                                                                                                  
  Intra object redzone:    bb                                                                                                                                                                                                                                                  
  ASan internal:           fe                                                                                                                                                                                                                                                  
  Left alloca redzone:     ca                                                                                                                                                                                                                                                  
  Right alloca redzone:    cb                                                                                                                                                                                                                                                  
==20736==ABORTING                                                                                                                                                                                                                                                              

Affected version:
11.3 (and maybe past versions)

Fixed version:
11.5

Commit fix:
https://git.libav.org/?p=libav.git;a=commit;h=fb1473080223a634b8ac2cca48a632d037a0a69d

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was also discovered by Janne Grunau.

CVE:
N/A

Timeline:
2015-07-27: bug discovered
2015-07-28: bug reported privately to upstream
2016-08-20: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.
A same fix, was applied to another part of (similar) code in the ac3_parser.c file.

Permalink:

libav: stack-based buffer overflow in aac_sync (aac_parser.c)

Posted in advisories, gentoo, security | Leave a comment

potrace: multiple (three) NULL pointer dereference in bm_readbody_bmp (bitmap_io.c)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted images (bmp) revealed, through a fuzz testing, the presence of three NULL pointer access.

The complete ASan output:

ASAN:SIGSEGV
=================================================================
==13806==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004f027c bp 0x7ffd8442c190 sp 0x7ffd8442bfc0 T0)
    #0 0x4f027b in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717:4
    #1 0x4f027b in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f2f77104aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717 bm_readbody_bmp
==13806==ABORTING


ASAN:SIGSEGV
=================================================================
==13812==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004f0958 bp 0x7ffd1e689a50 sp 0x7ffd1e689880 T0)
    #0 0x4f0957 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744:4
    #1 0x4f0957 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7fbc3b936aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744 bm_readbody_bmp
==13812==ABORTING


ASAN:SIGSEGV
=================================================================
==13885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004f10b8 bp 0x7ffdf745fff0 sp 0x7ffdf745fe20 T0)
    #0 0x4f10b7 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:651:11
    #1 0x4f10b7 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7fc675763aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:651 bm_readbody_bmp
==13885==ABORTING

Affected version:
1.12

Fixed version:
1.13

Commit fix:
There is no public git/svn repository, If you need the single patches, feel free to ask.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2015-07-04: bug discovered
2015-07-05: bug reported privately to upstream
2015-10-22: upstream realeased 1.13
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

potrace: multiple (three) NULL pointer dereference in bm_readbody_bmp (bitmap_io.c)

Posted in advisories, gentoo, security | Leave a comment

potrace: divide-by-zero in bm_new (bitmap.h)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted image (bmp) revealed, through a fuzz testing, the presence of a division by zero.

The complete ASan output:

# potrace $FILE.bmp
ASAN:DEADLYSIGNAL
=================================================================
==25102==ERROR: AddressSanitizer: FPE on unknown address 0x000000508d52 (pc 0x000000508d52 bp 0x7ffc381edff0 sp 0x7ffc381ede20 T0)
    #0 0x508d51 in bm_new /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap.h:63:24
    #1 0x508d51 in bm_readbody_bmp /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:548
    #2 0x508d51 in bm_read /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #3 0x4fe12d in process_file /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #4 0x4f82af in main /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #5 0x7f8d6729e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419018 in getenv (/usr/bin/potrace+0x419018)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap.h:63:24 in bm_new
==25102==ABORTING

Affected version:
1.12

Fixed version:
1.13

Commit fix:
There is no public git/svn repository, If you need the single patches, feel free to ask.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2015-07-04: bug discovered
2015-07-05: bug reported privately to upstream
2015-10-22: upstream realeased 1.13
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

potrace: divide-by-zero in bm_new (bitmap.h)

Posted in advisories, gentoo, security | Leave a comment

potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted images (bmp) revealed, through a fuzz testing, the presence of SIX heap-based buffer overflow.

To avoid to make the post much long, I splitted the ASan output to leave only the relevant trace.

==13565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000a2fc at pc 0x0000004f370a bp 0x7ffd81d22f90 sp 0x7ffd81d22f88
READ of size 4 at 0x61100000a2fc thread T0
    #0 0x4f3709 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717:4
    #1 0x4f3709 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f9a1c8f4aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717 bm_readbody_bmp


==13663==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe4 at pc 0x0000004f3729 bp 0x7fff07737d30 sp 0x7fff07737d28
READ of size 4 at 0x60200000efe4 thread T0
    #0 0x4f3728 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:651:11
    #1 0x4f3728 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f3adde99aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:651 bm_readbody_bmp


==13618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000f00c at pc 0x0000004f37a9 bp 0x7ffc33e306b0 sp 0x7ffc33e306a8
READ of size 4 at 0x60300000f00c thread T0
    #0 0x4f37a8 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:652:11
    #1 0x4f37a8 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f20147f7aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:652 bm_readbody_bmp


==13624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe8 at pc 0x0000004f382a bp 0x7fff60b8bed0 sp 0x7fff60b8bec8
READ of size 4 at 0x60200000efe8 thread T0
    #0 0x4f3829 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:690:4
    #1 0x4f3829 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129                                                                                       
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9                                                                                    
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7                                                                                            
    #4 0x7f35633d5aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289                                                                        
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)                                                                                                                                          
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:690 bm_readbody_bmp                                                  
                                                                                                                                                                                               
                                                                                                                                                                                               
==13572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f018 at pc 0x0000004f38d5 bp 0x7ffc994b68d0 sp 0x7ffc994b68c8                                                      
READ of size 4 at 0x60200000f018 thread T0                                                                                                                                                     
    #0 0x4f38d4 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744:4                                                                             
    #1 0x4f38d4 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f11b6253aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744 bm_readbody_bmp


==13753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe8 at pc 0x0000004f3948 bp 0x7fff4f6df6b0 sp 0x7fff4f6df6a8
READ of size 4 at 0x60200000efe8 thread T0
    #0 0x4f3947 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:601:2
    #1 0x4f3947 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f26d3d28aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:601 bm_readbody_bmp

Affected version:
1.12

Fixed version:
1.13

Commit fix:
There is no public git/svn repository, If you need the single patches, feel free to ask.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2015-07-04: bug discovered
2015-07-05: bug reported privately to upstream
2015-10-22: upstream realeased 1.13
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)

Posted in advisories, gentoo, security | Leave a comment

WiRouterKeyRec: signed integer overflow in agpf_get_serial (agpf.c)

Description:
WiRouterKeyRec is a recovery tool for wpa passphrase.

A crafted AGPF config shows the presence of a signed integer overflow in agpf_check_agpf.

The complete UBSan output:

# WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

src/agpf.c:445:17: runtime error: signed integer overflow: 48230959 - -2101480424 cannot be represented in type 'int'

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-08: bug discovered
2016-08-08: bug reported to upstream
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

WiRouterKeyRec: signed integer overflow in agpf_get_serial (agpf.c)

Posted in advisories, gentoo, security | Leave a comment

WiRouterKeyRec: signed shift in agpf_check_agpf (agpf.c)

Description:
WiRouterKeyRec is a recovery tool for wpa passphrase.

A crafted AGPF config shows the presence of a signed shift in agpf_check_agpf

The complete UBSan output:

# WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

src/agpf.c:466:45: runtime error: left shift of 142 by 24 places cannot be represented in type 'int'

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-08: bug discovered
2016-08-08: bug reported to upstream
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

WiRouterKeyRec: signed shift in agpf_check_agpf (agpf.c)

Posted in advisories, gentoo, security | Leave a comment

libav: heap-based buffer overflow in ff_audio_resample (resample.c)

Description:
Libav is an open source set of tools for audio and video processing.

A crafted file can cause an overflow in the heap. This bug was discovered the last year, but I didn’t have time to do anything else.
Now, after more digging I discovered that it was reported independently by nfxjfg on the libav bugtracker.
He triggered the crash with a C program using the libav api; the difference with this crash resides in the size of the write out of the bound. In his case it is of 4.
In any case, the commit address both the issues.

The complete ASan output:

# avconv -i $file -f null -
==501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b0e0 at pc 0x0000004aab36 bp 0x7ffc0c199fd0 sp 0x7ffc0c199780
WRITE of size 2 at 0x60800000b0e0 thread T0
    #0 0x4aab35 in __asan_memcpy /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435:3
    #1 0x7fb0ce8c7a49 in ff_audio_resample /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavresample/resample.c:444:21
    #2 0x7fb0ce8cfa3e in avresample_convert /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavresample/utils.c:449:15
    #3 0x7fb0d291c8de in request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/af_resample.c:197:15
    #4 0x7fb0d292c578 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:254:16
    #5 0x7fb0d292c648 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:256:16
    #6 0x7fb0d294c6ad in request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/fifo.c:234:20
    #7 0x7fb0d292c578 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:254:16
    #8 0x7fb0d29414f3 in av_buffersink_get_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/buffersink.c:69:16
    #9 0x540f19 in poll_filter /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:663:15
    #10 0x540f19 in poll_filters /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:747
    #11 0x538eab in transcode /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2492:15
    #12 0x538eab in main /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2646
    #13 0x7fb0cd2e4aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #14 0x43a5d6 in _start (/usr/bin/avconv+0x43a5d6)

0x60800000b0e0 is located 0 bytes to the right of 64-byte region [0x60800000b0a0,0x60800000b0e0)
allocated by thread T0 here:
    #0 0x4c1f4c in __interceptor_posix_memalign /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fb0ce21aa16 in av_malloc /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavutil/mem.c:81:9
    #2 0x7fb0ce2401ef in av_samples_alloc /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavutil/samplefmt.c:171:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c107fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c107fff9610: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c107fff9620: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c107fff9630: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c107fff9640: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c107fff9650: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c107fff9660: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==501==ABORTING                                                                                                                                                                                                                                                 

Affected version:
11.3 (and maybe past versions)

Fixed version:
11.4

Commit fix:
https://git.libav.org/?p=libav.git;a=commit;h=0ac8ff618c5e6d878c547a8877e714ed728950ce

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was reported independently and in a different way by nfxjfg in the libav bugtracker.

CVE:
CVE-2016-6832

Timeline:
2015-07-27: bug discovered
2016-08-07: blog post about the issue
2016-08-18: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.

Permalink:

libav: heap-based buffer overflow in ff_audio_resample (resample.c)

Posted in advisories, gentoo, security | 2 Comments

WiRouterKeyRec: divide-by-zero in agpf_get_serial (agpf.c)

Description:
WiRouterKeyRec is a recovery tool for wpa passphrase.

A crafted AGPF config causes a divide-by-zero in agpf_get_serial.

The complete ASan output:

WiRouterKeyRec --config crash.agpf -s Alice-48230959  

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

ASAN:DEADLYSIGNAL
=================================================================
==27225==ERROR: AddressSanitizer: FPE on unknown address 0x0000005019fc (pc 0x0000005019fc bp 0x7fffe1f6fbe0 sp 0x7fffe1f6fa00 T0)
    #0 0x5019fb in agpf_get_serial /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20
    #1 0x5019fb in agpf_get_config /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:355                                                                       
    #2 0x4f510f in wr_get_keys /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:480:28                                                              
    #3 0x4f2238 in main /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:307:18                                                                     
    #4 0x7fdbc7f6161f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #5 0x418c28 in getenv (/usr/bin/WiRouterKeyRec+0x418c28)                                                                                                                                   
                                                                                                                                                                                               
AddressSanitizer can not provide additional info.                                                                                                                                              
SUMMARY: AddressSanitizer: FPE /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20 in agpf_get_serial                                                     
==27225==ABORTING

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-08-05: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

WiRouterKeyRec: divide-by-zero in agpf_get_serial (agpf.c)

Posted in advisories, gentoo, security | Leave a comment

logrotate: heap-based buffer overflow in readConfigFile (config.c)

Description:
logrotate allows for the automatic rotation compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size.

A crafted config causes an out-of-bounds read in readConfigFile.
The complete ASan output:

logrotate -d $crafted_file
=================================================================
==809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000df8f at pc 0x00000050b244 bp 0x7ffd4cab50f0 sp 0x7ffd4cab50e8
READ of size 1 at 0x60200000df8f thread T0
    #0 0x50b243 in readConfigFile /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969:11
    #1 0x4fa61b in readConfigPath /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:578:6
    #2 0x4f99a7 in readAllConfigPaths /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:645:6
    #3 0x4f193e in main /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/logrotate.c:2554:6
    #4 0x7f37cad0662f in __libc_start_main (/lib64/libc.so.6+0x2062f)
    #5 0x436988 in _start (/usr/sbin/logrotate+0x436988)

0x60200000df8f is located 1 bytes to the left of 1-byte region [0x60200000df90,0x60200000df91)
allocated by thread T0 here:
    #0 0x4bd952 in __interceptor_malloc (/usr/sbin/logrotate+0x4bd952)
    #1 0x7f37cad67359 in strndup (/lib64/libc.so.6+0x81359)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969 readConfigFile
Shadow bytes around the buggy address:
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9bf0: fa[fa]01 fa fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fff9c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9c20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c30: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9c40: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==809==ABORTING

Affected version:
3.9.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-05-05: bug discovered
2016-05-06: bug reported to upstream (github)
2016-08-03: no upstream response
2016-08-03: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

logrotate: heap-based buffer overflow in readConfigFile (config.c)

Posted in advisories, gentoo, security | Leave a comment