potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted images (bmp) revealed, through a fuzz testing, the presence of SIX heap-based buffer overflow.

To avoid to make the post much long, I splitted the ASan output to leave only the relevant trace.

==13565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000a2fc at pc 0x0000004f370a bp 0x7ffd81d22f90 sp 0x7ffd81d22f88
READ of size 4 at 0x61100000a2fc thread T0
    #0 0x4f3709 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717:4
    #1 0x4f3709 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f9a1c8f4aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:717 bm_readbody_bmp


==13663==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe4 at pc 0x0000004f3729 bp 0x7fff07737d30 sp 0x7fff07737d28
READ of size 4 at 0x60200000efe4 thread T0
    #0 0x4f3728 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:651:11
    #1 0x4f3728 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f3adde99aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:651 bm_readbody_bmp


==13618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000f00c at pc 0x0000004f37a9 bp 0x7ffc33e306b0 sp 0x7ffc33e306a8
READ of size 4 at 0x60300000f00c thread T0
    #0 0x4f37a8 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:652:11
    #1 0x4f37a8 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f20147f7aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:652 bm_readbody_bmp


==13624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe8 at pc 0x0000004f382a bp 0x7fff60b8bed0 sp 0x7fff60b8bec8
READ of size 4 at 0x60200000efe8 thread T0
    #0 0x4f3829 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:690:4
    #1 0x4f3829 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129                                                                                       
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9                                                                                    
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7                                                                                            
    #4 0x7f35633d5aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289                                                                        
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)                                                                                                                                          
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:690 bm_readbody_bmp                                                  
                                                                                                                                                                                               
                                                                                                                                                                                               
==13572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f018 at pc 0x0000004f38d5 bp 0x7ffc994b68d0 sp 0x7ffc994b68c8                                                      
READ of size 4 at 0x60200000f018 thread T0                                                                                                                                                     
    #0 0x4f38d4 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744:4                                                                             
    #1 0x4f38d4 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f11b6253aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:744 bm_readbody_bmp


==13753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe8 at pc 0x0000004f3948 bp 0x7fff4f6df6b0 sp 0x7fff4f6df6a8
READ of size 4 at 0x60200000efe8 thread T0
    #0 0x4f3947 in bm_readbody_bmp /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:601:2
    #1 0x4f3947 in bm_read /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:129
    #2 0x4e6377 in process_file /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1056:9
    #3 0x4e0e08 in main /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/main.c:1212:7
    #4 0x7f26d3d28aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x435f56 in _start (/usr/bin/potrace+0x435f56)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/potrace-1.12/work/potrace-1.12/src/bitmap_io.c:601 bm_readbody_bmp

Affected version:
1.12

Fixed version:
1.13

Commit fix:
There is no public git/svn repository, If you need the single patches, feel free to ask.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8698
CVE-2016-8699
CVE-2016-8700
CVE-2016-8701
CVE-2016-8702
CVE-2016-8703

Timeline:
2015-07-04: bug discovered
2015-07-05: bug reported privately to upstream
2015-10-22: upstream realeased 1.13
2016-08-08: blog post about the issue
2016-10-16: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *