Description:
potrace is a utility that transforms bitmaps into vector graphics.
A crafted image revealed, through fuzz testing, the presence of an invalid memory access.
The complete ASan output:
# potrace $FILE
potrace: warning: 48.crashes: premature end of file
ASAN:DEADLYSIGNAL
=================================================================
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:478
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/potracelib.c:76:7
    #3 0x4fea6e in process_file /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1102:10
    #4 0x4f872b in main /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1250:7
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
==13940==ABORTING
Affected version:
1.13
Fixed version:
1.14
Commit fix:
http://potrace.sourceforge.net/patches/potrace-1.13-CVE-2016-8685.patch
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8685
Timeline:
2016-08-26: bug discovered
2016-08-27: bug reported privately to upstream
2016-08-29: blog post about the issue
2016-10-16: CVE Assigned
2017-02-14: upstream released a patch
2017-02-20: upstream released 1.14
Note:
This bug was found with American Fuzzy Lop.