Description:
potrace is a utility that transforms bitmaps into vector graphics.
A crafted image (bmp) revealed, through fuzz testing, the presence of a division by zero.
The complete ASan output:
# potrace $FILE.bmp
ASAN:DEADLYSIGNAL
=================================================================
==25102==ERROR: AddressSanitizer: FPE on unknown address 0x000000508d52 (pc 0x000000508d52 bp 0x7ffc381edff0 sp 0x7ffc381ede20 T0)
    #0 0x508d51 in bm_new /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap.h:63:24
    #1 0x508d51 in bm_readbody_bmp /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:548
    #2 0x508d51 in bm_read /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #3 0x4fe12d in process_file /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #4 0x4f82af in main /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #5 0x7f8d6729e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419018 in getenv (/usr/bin/potrace+0x419018)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap.h:63:24 in bm_new
==25102==ABORTING
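The trace shows the FPE raised inside the bitmap allocator (bm_new) while the BMP reader is handing it dimensions taken straight from the file header. The defensive pattern for this class of bug is to validate the header dimensions before they reach any size arithmetic, and to write that arithmetic so it never divides by a value an attacker can make zero. The following is an added example written for this page, not potrace's own code: the bm_t type, the BM_WORDBITS value, the function names and the 54-byte constructed headers are all assumptions made for illustration; only the BMP header offsets (biWidth at file offset 18, biHeight at 22) are real format facts.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed word size of the packed-bitmap representation (64-bit build). */
#define BM_WORDBITS 64
#define BM_WORDBYTES (BM_WORDBITS / 8)

/* Hypothetical packed bitmap: h scanlines of dy machine words each. */
typedef struct {
    long w, h;      /* pixel width and height */
    size_t dy;      /* words per scanline */
    uint64_t *map;  /* dy * h words, zero-filled */
} bm_t;

/* Size calculation that cannot divide by zero and cannot overflow.
   Returns 0 and fills *bytes on success, -1 on invalid or oversized dims. */
int bm_size_checked(long w, long h, size_t *bytes) {
    if (w < 0 || h < 0 || bytes == NULL) return -1;
    /* words per scanline: ceil(w / BM_WORDBITS), computed without dividing by w */
    size_t dy = (w == 0) ? 0 : ((size_t)w - 1) / BM_WORDBITS + 1;
    if (dy > SIZE_MAX / BM_WORDBYTES) return -1;
    size_t rowbytes = dy * BM_WORDBYTES;
    /* Overflow guard: divide by h only when h != 0; a zero factor yields a zero product. */
    if (rowbytes != 0 && h != 0 && rowbytes > SIZE_MAX / (size_t)h) return -1;
    *bytes = rowbytes * (size_t)h;
    return 0;
}

/* Allocate a zero-filled bitmap, or return NULL if the dimensions are unsafe. */
bm_t *bm_new_checked(long w, long h) {
    size_t bytes;
    if (bm_size_checked(w, h, &bytes) != 0) return NULL;
    bm_t *bm = calloc(1, sizeof *bm);
    if (bm == NULL) return NULL;
    bm->w = w;
    bm->h = h;
    bm->dy = (w == 0) ? 0 : ((size_t)w - 1) / BM_WORDBITS + 1;
    bm->map = bytes ? calloc(1, bytes) : NULL;
    if (bytes && bm->map == NULL) { free(bm); return NULL; }
    return bm;
}

void bm_free(bm_t *bm) {
    if (bm) { free(bm->map); free(bm); }
}

static int32_t le32(const unsigned char *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Parse biWidth/biHeight from a BMP header (BITMAPINFOHEADER follows the 14-byte
   file header, so width sits at offset 18 and height at 22). Rejects truncated
   input, a zero width or height, and a height that cannot be negated. A negative
   height means top-down rows and is folded to |h|. Returns 0 or -1. */
int bmp_read_dims(const unsigned char *buf, size_t len, long *w, long *h) {
    if (buf == NULL || len < 26 || buf[0] != 'B' || buf[1] != 'M') return -1;
    int32_t bw = le32(buf + 18);
    int32_t bh = le32(buf + 22);
    if (bw <= 0 || bh == 0 || bh == INT32_MIN) return -1;
    *w = bw;
    *h = (bh < 0) ? -(long)bh : (long)bh;
    return 0;
}

/* Build a constructed 54-byte BMP header (1 bpp) with the given dimensions;
   used only to produce sample inputs for this example. */
void make_bmp_header(unsigned char out[54], int32_t w, int32_t h) {
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    out[10] = 54;   /* bfOffBits: pixel data would follow both headers */
    out[14] = 40;   /* biSize: BITMAPINFOHEADER */
    for (int i = 0; i < 4; i++) {
        out[18 + i] = (unsigned char)((uint32_t)w >> (8 * i));
        out[22 + i] = (unsigned char)((uint32_t)h >> (8 * i));
    }
    out[26] = 1;    /* biPlanes */
    out[28] = 1;    /* biBitCount */
}

/* Header validation followed by checked allocation; NULL on any rejection. */
bm_t *bm_from_bmp_header(const unsigned char *buf, size_t len) {
    long w, h;
    if (bmp_read_dims(buf, len, &w, &h) != 0) return NULL;
    return bm_new_checked(w, h);
}
```

The two layers are deliberate: bmp_read_dims rejects dimensions a reader has no use for (zero, negative width, truncated header), and bm_size_checked stays safe on its own even if a different caller passes w == 0, because every division in it is either by a compile-time constant or guarded by a non-zero test on the divisor. That is the property a fuzzer-found FPE like this one is telling you the original arithmetic lacked.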
Affected version:
1.12
Fixed version:
1.13
Commit fix:
There is no public git/svn repository. If you need the single patches, feel free to ask.
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8697
Timeline:
2015-07-04: bug discovered
2015-07-05: bug reported privately to upstream
2015-10-22: upstream released 1.13
2016-08-08: blog post about the issue
2016-10-16: CVE Assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink: