Description:
potrace is a utility that transforms bitmaps into vector graphics.
A crafted image, found through fuzz testing, makes a memory allocation fail: the BMP reader (bm_readbody_bmp) takes the bitmap dimensions from the file and hands them to bm_new(), which then requests an allocation (0x200003000 bytes, about 8 GiB, in the trace below) that the allocator cannot satisfy. Under AddressSanitizer this aborts the process; without it the result is an unchecked huge malloc driven by attacker-controlled header fields.
Asan stacktrace:
# potrace $FILE
==19351==ERROR: AddressSanitizer failed to allocate 0x200003000 (8589946880) bytes of LargeMmapAllocator (error code: 12)
==19351==Process memory map follows:
  0x000000400000-0x00000056d000 /usr/bin/potrace
  0x00000076c000-0x00000076d000 /usr/bin/potrace
  0x00000076d000-0x000000778000 /usr/bin/potrace
  0x000000778000-0x000001401000
  0x00007fff7000-0x00008fff7000
  0x00008fff7000-0x02008fff7000
  0x02008fff7000-0x10007fff8000
  0x600000000000-0x602000000000
  0x602000000000-0x602000010000
  0x602000010000-0x603000000000
  0x603000000000-0x603000010000
  0x603000010000-0x607000000000
  0x607000000000-0x607000010000
  0x607000010000-0x616000000000
  0x616000000000-0x616000020000
  0x616000020000-0x619000000000
  0x619000000000-0x619000020000
  0x619000020000-0x640000000000
  0x640000000000-0x640000003000
  0x7f1674c00000-0x7f1674d00000
  0x7f1674e00000-0x7f1674f00000
  0x7f1674fea000-0x7f167733c000
  0x7f167733c000-0x7f16774cf000 /lib64/libc-2.22.so
  0x7f16774cf000-0x7f16776cf000 /lib64/libc-2.22.so
  0x7f16776cf000-0x7f16776d3000 /lib64/libc-2.22.so
  0x7f16776d3000-0x7f16776d5000 /lib64/libc-2.22.so
  0x7f16776d5000-0x7f16776d9000
  0x7f16776d9000-0x7f16776ef000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
  0x7f16776ef000-0x7f16778ee000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
  0x7f16778ee000-0x7f16778ef000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
  0x7f16778ef000-0x7f16778f0000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
  0x7f16778f0000-0x7f16778f2000 /lib64/libdl-2.22.so
  0x7f16778f2000-0x7f1677af2000 /lib64/libdl-2.22.so
  0x7f1677af2000-0x7f1677af3000 /lib64/libdl-2.22.so
  0x7f1677af3000-0x7f1677af4000 /lib64/libdl-2.22.so
  0x7f1677af4000-0x7f1677afa000 /lib64/librt-2.22.so
  0x7f1677afa000-0x7f1677cfa000 /lib64/librt-2.22.so
  0x7f1677cfa000-0x7f1677cfb000 /lib64/librt-2.22.so
  0x7f1677cfb000-0x7f1677cfc000 /lib64/librt-2.22.so
  0x7f1677cfc000-0x7f1677d13000 /lib64/libpthread-2.22.so
  0x7f1677d13000-0x7f1677f12000 /lib64/libpthread-2.22.so
  0x7f1677f12000-0x7f1677f13000 /lib64/libpthread-2.22.so
  0x7f1677f13000-0x7f1677f14000 /lib64/libpthread-2.22.so
  0x7f1677f14000-0x7f1677f18000
  0x7f1677f18000-0x7f1677f2d000 /lib64/libz.so.1.2.8
  0x7f1677f2d000-0x7f167812c000 /lib64/libz.so.1.2.8
  0x7f167812c000-0x7f167812d000 /lib64/libz.so.1.2.8
  0x7f167812d000-0x7f167812e000 /lib64/libz.so.1.2.8
  0x7f167812e000-0x7f167822b000 /lib64/libm-2.22.so
  0x7f167822b000-0x7f167842a000 /lib64/libm-2.22.so
  0x7f167842a000-0x7f167842b000 /lib64/libm-2.22.so
  0x7f167842b000-0x7f167842c000 /lib64/libm-2.22.so
  0x7f167842c000-0x7f1678443000 /usr/lib64/libpotrace.so.0.0.3
  0x7f1678443000-0x7f1678642000 /usr/lib64/libpotrace.so.0.0.3
  0x7f1678642000-0x7f1678643000 /usr/lib64/libpotrace.so.0.0.3
  0x7f1678643000-0x7f1678644000 /usr/lib64/libpotrace.so.0.0.3
  0x7f1678644000-0x7f1678666000 /lib64/ld-2.22.so
  0x7f16787fd000-0x7f167885a000
  0x7f167885a000-0x7f1678865000
  0x7f1678865000-0x7f1678866000 /lib64/ld-2.22.so
  0x7f1678866000-0x7f1678867000 /lib64/ld-2.22.so
  0x7f1678867000-0x7f1678868000
  0x7fffd7a71000-0x7fffd7a92000 [stack]
  0x7fffd7aa4000-0x7fffd7aa6000 [vvar]
  0x7fffd7aa6000-0x7fffd7aa8000 [vdso]
  0xffffffffff600000-0xffffffffff601000 [vsyscall]
==19351==End of process memory map.
==19351==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f1d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0a53 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0c41 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9c7a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42200f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42200f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42200f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42200f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c05e1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x500bcb in bm_new /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/bitmap.h:76:30
    #10 0x500bcb in bm_readbody_bmp /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/bitmap_io.c:559
    #11 0x500bcb in bm_read /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/bitmap_io.c:133
    #12 0x4f8608 in process_file /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1058:9
    #13 0x4f5904 in main /tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1214:7
    #14 0x7f167735c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #15 0x4190b8 in getenv (/usr/bin/potrace+0x4190b8)
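The frames above show the allocation being sized from a BMP header and passed straight to malloc. As an added example (my own C, not potrace's code and not its fix), here is the check a BMP reader needs in front of a call like bm_new(): derive the word-packed buffer size from the header's width and height in size_t, refuse overflow and anything over a hard cap, and only then allocate. The 64-bit storage word, the 256 MiB cap, and every function name are assumptions; the headers fed in are constructed.

```c
/* Added example, not potrace's code: validate BMP dimensions before sizing a
 * word-packed bitmap, so a crafted header cannot turn into a multi-GiB malloc.
 * The word size, the 256 MiB cap and all function names are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WORDBITS 64                               /* bits per storage word */
#define WORDSIZE (WORDBITS / 8)
#define MAX_BITMAP_BYTES ((size_t)256 << 20)      /* policy cap: 256 MiB */

typedef struct { int32_t w, h; size_t dy; uint64_t *map; } bitmap_t;

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Unchecked sizing: rows padded to whole words, times height. Nothing stops a
 * header from requesting gigabytes; this is the kind of request ASan refused. */
static size_t unchecked_map_bytes(int32_t w, int32_t h) {
    size_t dy = ((size_t)w + WORDBITS - 1) / WORDBITS;
    return dy * WORDSIZE * (size_t)h;
}

/* Checked sizing: reject non-positive dimensions, overflow, and anything over
 * the cap. Returns 0 and sets *out, or -1 with errno set. */
static int checked_map_bytes(int32_t w, int32_t h, size_t *out) {
    if (w <= 0 || h <= 0) { errno = EINVAL; return -1; }
    size_t dy = ((size_t)w + WORDBITS - 1) / WORDBITS;   /* words per row */
    if (dy > SIZE_MAX / WORDSIZE) { errno = EOVERFLOW; return -1; }
    size_t row = dy * WORDSIZE;
    if (row > SIZE_MAX / (size_t)h) { errno = EOVERFLOW; return -1; }
    size_t total = row * (size_t)h;
    if (total > MAX_BITMAP_BYTES) { errno = EFBIG; return -1; }
    *out = total;
    return 0;
}

/* Read width/height from a BMP's BITMAPINFOHEADER and allocate only if the
 * checked size passes. A negative height means top-down rows, not an error. */
static bitmap_t *bm_from_bmp(const unsigned char *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M' || le32(buf + 14) < 40) return NULL;
    int32_t w = (int32_t)le32(buf + 18);
    int32_t h = (int32_t)le32(buf + 22);
    if (h == INT32_MIN) return NULL;            /* -h would overflow */
    if (h < 0) h = -h;
    size_t bytes;
    if (checked_map_bytes(w, h, &bytes) != 0) return NULL;
    bitmap_t *bm = calloc(1, sizeof *bm);
    if (!bm) return NULL;
    bm->w = w; bm->h = h; bm->dy = ((size_t)w + WORDBITS - 1) / WORDBITS;
    bm->map = calloc(1, bytes);                 /* zeroed and bounded */
    if (!bm->map) { free(bm); return NULL; }
    return bm;
}

static void bm_free(bitmap_t *bm) { if (bm) { free(bm->map); free(bm); } }

/* Constructed input: a 54-byte BMP header (file header + 40-byte DIB header)
 * with the given dimensions, 1 bpp, no pixel data; only the header matters. */
static void make_bmp_header(unsigned char hdr[54], int32_t w, int32_t h) {
    memset(hdr, 0, 54);
    hdr[0] = 'B'; hdr[1] = 'M';
    put_le32(hdr + 10, 54);                     /* pixel data offset */
    put_le32(hdr + 14, 40);                     /* DIB header size */
    put_le32(hdr + 18, (uint32_t)w);
    put_le32(hdr + 22, (uint32_t)h);
    hdr[26] = 1;                                /* planes */
    hdr[28] = 1;                                /* bits per pixel */
}

int main(void) {
    unsigned char hdr[54];
    int32_t dims[][2] = { {64, 8}, {64, -8}, {65536, 65536}, {INT32_MAX, INT32_MAX} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int32_t w = dims[i][0], h = dims[i][1];
        make_bmp_header(hdr, w, h);
        bitmap_t *bm = bm_from_bmp(hdr, sizeof hdr);
        printf("%dx%d: unchecked request %zu bytes, %s\n", w, h,
               unchecked_map_bytes(w, h < 0 ? -h : h), bm ? "allocated" : "rejected");
        bm_free(bm);
    }
    return 0;
}
```

The cap is a policy choice: a tracer that genuinely needs larger bitmaps should raise it, but some explicit limit belongs in the reader so that an untrusted file cannot pick the allocation size on its own. The overflow checks matter independently of the cap: on a 32-bit build the width times height product wraps, and a wrapped size that passes the cap is worse than a large one that fails it.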
Affected version:
1.13
Fixed version:
1.14
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8686
Timeline:
2016-08-26: bug discovered
2016-08-27: bug reported privately to upstream
2016-08-29: blog post about the issue
2016-10-16: CVE Assigned
2016-10-21: Added correct stacktrace
2017-02-20: upstream released 1.14
Note:
This bug was found with American Fuzzy Lop.
Permalink: