potrace: memory allocation failure in bm_new (bitmap.h)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

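A crafted image, found through fuzz testing, causes a memory allocation in bm_new to fail. In the trace below the failing request is 0x200003000 bytes (about 8 GiB), made by bm_new when it is called from bm_readbody_bmp, which suggests the bitmap size is derived from the contents of the BMP file without an upper bound. The abort shown here is raised by AddressSanitizer's allocator; in a build without the sanitizer the outcome depends on how the caller handles a NULL return from malloc.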

ASan stack trace:

# potrace $FILE
==19351==ERROR: AddressSanitizer failed to allocate 0x200003000 (8589946880) bytes of LargeMmapAllocator (error code: 12)
==19351==Process memory map follows:
        0x000000400000-0x00000056d000   /usr/bin/potrace
        0x00000076c000-0x00000076d000   /usr/bin/potrace
        0x00000076d000-0x000000778000   /usr/bin/potrace
        0x000000778000-0x000001401000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x602000000000
        0x602000000000-0x602000010000
        0x602000010000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x607000000000
        0x607000000000-0x607000010000
        0x607000010000-0x616000000000
        0x616000000000-0x616000020000
        0x616000020000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x640000000000
        0x640000000000-0x640000003000
        0x7f1674c00000-0x7f1674d00000
        0x7f1674e00000-0x7f1674f00000
        0x7f1674fea000-0x7f167733c000
        0x7f167733c000-0x7f16774cf000   /lib64/libc-2.22.so
        0x7f16774cf000-0x7f16776cf000   /lib64/libc-2.22.so
        0x7f16776cf000-0x7f16776d3000   /lib64/libc-2.22.so
        0x7f16776d3000-0x7f16776d5000   /lib64/libc-2.22.so
        0x7f16776d5000-0x7f16776d9000
        0x7f16776d9000-0x7f16776ef000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f16776ef000-0x7f16778ee000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f16778ee000-0x7f16778ef000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f16778ef000-0x7f16778f0000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f16778f0000-0x7f16778f2000   /lib64/libdl-2.22.so
        0x7f16778f2000-0x7f1677af2000   /lib64/libdl-2.22.so
        0x7f1677af2000-0x7f1677af3000   /lib64/libdl-2.22.so
        0x7f1677af3000-0x7f1677af4000   /lib64/libdl-2.22.so
        0x7f1677af4000-0x7f1677afa000   /lib64/librt-2.22.so
        0x7f1677afa000-0x7f1677cfa000   /lib64/librt-2.22.so
        0x7f1677cfa000-0x7f1677cfb000   /lib64/librt-2.22.so
        0x7f1677cfb000-0x7f1677cfc000   /lib64/librt-2.22.so
        0x7f1677cfc000-0x7f1677d13000   /lib64/libpthread-2.22.so
        0x7f1677d13000-0x7f1677f12000   /lib64/libpthread-2.22.so
        0x7f1677f12000-0x7f1677f13000   /lib64/libpthread-2.22.so
        0x7f1677f13000-0x7f1677f14000   /lib64/libpthread-2.22.so
        0x7f1677f14000-0x7f1677f18000
        0x7f1677f18000-0x7f1677f2d000   /lib64/libz.so.1.2.8
        0x7f1677f2d000-0x7f167812c000   /lib64/libz.so.1.2.8
        0x7f167812c000-0x7f167812d000   /lib64/libz.so.1.2.8
        0x7f167812d000-0x7f167812e000   /lib64/libz.so.1.2.8
        0x7f167812e000-0x7f167822b000   /lib64/libm-2.22.so
        0x7f167822b000-0x7f167842a000   /lib64/libm-2.22.so
        0x7f167842a000-0x7f167842b000   /lib64/libm-2.22.so
        0x7f167842b000-0x7f167842c000   /lib64/libm-2.22.so
        0x7f167842c000-0x7f1678443000   /usr/lib64/libpotrace.so.0.0.3
        0x7f1678443000-0x7f1678642000   /usr/lib64/libpotrace.so.0.0.3
        0x7f1678642000-0x7f1678643000   /usr/lib64/libpotrace.so.0.0.3
        0x7f1678643000-0x7f1678644000   /usr/lib64/libpotrace.so.0.0.3
        0x7f1678644000-0x7f1678666000   /lib64/ld-2.22.so
        0x7f16787fd000-0x7f167885a000
        0x7f167885a000-0x7f1678865000
        0x7f1678865000-0x7f1678866000   /lib64/ld-2.22.so
        0x7f1678866000-0x7f1678867000   /lib64/ld-2.22.so
        0x7f1678867000-0x7f1678868000
        0x7fffd7a71000-0x7fffd7a92000   [stack]
        0x7fffd7aa4000-0x7fffd7aa6000   [vvar]
        0x7fffd7aa6000-0x7fffd7aa8000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==19351==End of process memory map.
==19351==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f1d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0a53 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0c41 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9c7a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42200f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42200f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42200f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42200f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c05e1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x500bcb in bm_new /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/bitmap.h:76:30
    #10 0x500bcb in bm_readbody_bmp /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/bitmap_io.c:559
    #11 0x500bcb in bm_read /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/bitmap_io.c:133
    #12 0x4f8608 in process_file /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1058:9
    #13 0x4f5904 in main /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1214:7
    #14 0x7f167735c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #15 0x4190b8 in getenv (/usr/bin/potrace+0x4190b8)

Affected version:
1.13

Fixed version:
1.14

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8686

Timeline:
2016-08-26: bug discovered
2016-08-27: bug reported privately to upstream
2016-08-29: blog post about the issue
2016-10-16: CVE Assigned
2016-10-21: Added correct stacktrace
2017-02-20: upstream released 1.14

Note:
This bug was found with American Fuzzy Lop.

Permalink:

potrace: memory allocation failure in bm_new (bitmap.h)
