Description:
libwmf is a library for reading vector images in Microsøft’s native Windøws Metafile Format (WMF) and for either (a) displaying them in, e.g., an X window; or (b) converting them to more standard/open file formats such as, e.g., the W3C’s XML-based Scalable Vector Graphics (SVG) format.
Fuzzing through ImageMagick revealed a memory allocation failure. It was first reported to the ImageMagick developers (to double-check), who stated that the issue is in libwmf.
Since the libwmf project is dead, the issue has not been reported elsewhere.
The complete ASan output:
# identify $FILE
==25497==ERROR: AddressSanitizer failed to allocate 0xfe769000 (4269182976) bytes of LargeMmapAllocator (error code: 12)
==25497==Process memory map follows:
0x000000400000-0x000000520000 /usr/bin/magick
0x000000720000-0x000000721000 /usr/bin/magick
0x000000721000-0x000000724000 /usr/bin/magick
0x000000724000-0x000001397000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x60a000000000
0x60a000000000-0x60a000020000
0x60a000020000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x60d000000000
0x60d000000000-0x60d000010000
0x60d000010000-0x60e000000000
0x60e000000000-0x60e000010000
0x60e000010000-0x60f000000000
0x60f000000000-0x60f000010000
0x60f000010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x614000000000
0x614000000000-0x614000020000
0x614000020000-0x615000000000
0x615000000000-0x615000020000
0x615000020000-0x616000000000
0x616000000000-0x616000020000
0x616000020000-0x618000000000
0x618000000000-0x618000020000
0x618000020000-0x619000000000
0x619000000000-0x619000020000
0x619000020000-0x61a000000000
0x61a000000000-0x61a000020000
0x61a000020000-0x61b000000000
0x61b000000000-0x61b000020000
0x61b000020000-0x61d000000000
0x61d000000000-0x61d000020000
0x61d000020000-0x621000000000
0x621000000000-0x621000020000
0x621000020000-0x622000000000
0x622000000000-0x622000020000
0x622000020000-0x623000000000
0x623000000000-0x623000020000
0x623000020000-0x624000000000
0x624000000000-0x624000020000
0x624000020000-0x625000000000
0x625000000000-0x625000020000
0x625000020000-0x627000000000
0x627000000000-0x627000030000
0x627000030000-0x629000000000
0x629000000000-0x629000010000
0x629000010000-0x640000000000
0x640000000000-0x640000003000
0x7f7173b49000-0x7f7173b65000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f7173b65000-0x7f7173d64000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f7173d64000-0x7f7173d65000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f7173d65000-0x7f7173d66000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f7173d66000-0x7f7173d8c000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/wmf.so
0x7f7173d8c000-0x7f7173f8b000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/wmf.so
0x7f7173f8b000-0x7f7173f8c000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/wmf.so
0x7f7173f8c000-0x7f7173f8e000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/wmf.so
0x7f7173f8e000-0x7f717a600000 /usr/lib64/locale/locale-archive
0x7f717a600000-0x7f717a700000
0x7f717a800000-0x7f717a900000
0x7f717a946000-0x7f717cc98000
0x7f717cc98000-0x7f717ccbf000 /usr/lib64/libexpat.so.1.6.0
0x7f717ccbf000-0x7f717cebe000 /usr/lib64/libexpat.so.1.6.0
0x7f717cebe000-0x7f717cec1000 /usr/lib64/libexpat.so.1.6.0
0x7f717cec1000-0x7f717cec2000 /usr/lib64/libexpat.so.1.6.0
0x7f717cec2000-0x7f717cff7000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7f717cff7000-0x7f717d1f7000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7f717d1f7000-0x7f717d1f8000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7f717d1f8000-0x7f717d1f9000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7f717d1f9000-0x7f717d1fa000
0x7f717d1fa000-0x7f717d203000 /usr/lib64/libltdl.so.7.3.1
0x7f717d203000-0x7f717d402000 /usr/lib64/libltdl.so.7.3.1
0x7f717d402000-0x7f717d403000 /usr/lib64/libltdl.so.7.3.1
0x7f717d403000-0x7f717d404000 /usr/lib64/libltdl.so.7.3.1
0x7f717d404000-0x7f717d419000 /lib64/libz.so.1.2.8
0x7f717d419000-0x7f717d618000 /lib64/libz.so.1.2.8
0x7f717d618000-0x7f717d619000 /lib64/libz.so.1.2.8
0x7f717d619000-0x7f717d61a000 /lib64/libz.so.1.2.8
0x7f717d61a000-0x7f717d629000 /lib64/libbz2.so.1.0.6
0x7f717d629000-0x7f717d828000 /lib64/libbz2.so.1.0.6
0x7f717d828000-0x7f717d829000 /lib64/libbz2.so.1.0.6
0x7f717d829000-0x7f717d82a000 /lib64/libbz2.so.1.0.6
0x7f717d82a000-0x7f717d8d1000 /usr/lib64/libfreetype.so.6.12.3
0x7f717d8d1000-0x7f717dad1000 /usr/lib64/libfreetype.so.6.12.3
0x7f717dad1000-0x7f717dad7000 /usr/lib64/libfreetype.so.6.12.3
0x7f717dad7000-0x7f717dad8000 /usr/lib64/libfreetype.so.6.12.3
0x7f717dad8000-0x7f717db13000 /usr/lib64/libfontconfig.so.1.8.0
0x7f717db13000-0x7f717dd12000 /usr/lib64/libfontconfig.so.1.8.0
0x7f717dd12000-0x7f717dd14000 /usr/lib64/libfontconfig.so.1.8.0
0x7f717dd14000-0x7f717dd15000 /usr/lib64/libfontconfig.so.1.8.0
0x7f717dd15000-0x7f717df0a000 /usr/lib64/libfftw3.so.3.4.4
0x7f717df0a000-0x7f717e109000 /usr/lib64/libfftw3.so.3.4.4
0x7f717e109000-0x7f717e11d000 /usr/lib64/libfftw3.so.3.4.4
0x7f717e11d000-0x7f717e11e000 /usr/lib64/libfftw3.so.3.4.4
0x7f717e11e000-0x7f717e12c000 /usr/lib64/liblqr-1.so.0.3.2
0x7f717e12c000-0x7f717e32b000 /usr/lib64/liblqr-1.so.0.3.2
0x7f717e32b000-0x7f717e32c000 /usr/lib64/liblqr-1.so.0.3.2
0x7f717e32c000-0x7f717e32d000 /usr/lib64/liblqr-1.so.0.3.2
0x7f717e32d000-0x7f717e380000 /usr/lib64/liblcms2.so.2.0.6
0x7f717e380000-0x7f717e580000 /usr/lib64/liblcms2.so.2.0.6
0x7f717e580000-0x7f717e581000 /usr/lib64/liblcms2.so.2.0.6
0x7f717e581000-0x7f717e586000 /usr/lib64/liblcms2.so.2.0.6
0x7f717e586000-0x7f717e719000 /lib64/libc-2.22.so
0x7f717e719000-0x7f717e919000 /lib64/libc-2.22.so
0x7f717e919000-0x7f717e91d000 /lib64/libc-2.22.so
0x7f717e91d000-0x7f717e91f000 /lib64/libc-2.22.so
0x7f717e91f000-0x7f717e923000
0x7f717e923000-0x7f717e939000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7f717e939000-0x7f717eb38000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7f717eb38000-0x7f717eb39000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7f717eb39000-0x7f717eb3a000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7f717eb3a000-0x7f717eb40000 /lib64/librt-2.22.so
0x7f717eb40000-0x7f717ed40000 /lib64/librt-2.22.so
0x7f717ed40000-0x7f717ed41000 /lib64/librt-2.22.so
0x7f717ed41000-0x7f717ed42000 /lib64/librt-2.22.so
0x7f717ed42000-0x7f717ed59000 /lib64/libpthread-2.22.so
0x7f717ed59000-0x7f717ef58000 /lib64/libpthread-2.22.so
0x7f717ef58000-0x7f717ef59000 /lib64/libpthread-2.22.so
0x7f717ef59000-0x7f717ef5a000 /lib64/libpthread-2.22.so
0x7f717ef5a000-0x7f717ef5e000
0x7f717ef5e000-0x7f717f05b000 /lib64/libm-2.22.so
0x7f717f05b000-0x7f717f25a000 /lib64/libm-2.22.so
0x7f717f25a000-0x7f717f25b000 /lib64/libm-2.22.so
0x7f717f25b000-0x7f717f25c000 /lib64/libm-2.22.so
0x7f717f25c000-0x7f717f25e000 /lib64/libdl-2.22.so
0x7f717f25e000-0x7f717f45e000 /lib64/libdl-2.22.so
0x7f717f45e000-0x7f717f45f000 /lib64/libdl-2.22.so
0x7f717f45f000-0x7f717f460000 /lib64/libdl-2.22.so
0x7f717f460000-0x7f717f926000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7f717f926000-0x7f717fb25000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7f717fb25000-0x7f717fb3a000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7f717fb3a000-0x7f717fb7c000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7f717fb7c000-0x7f718070f000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7f718070f000-0x7f718090e000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7f718090e000-0x7f7180947000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7f7180947000-0x7f71809b9000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7f71809b9000-0x7f71809bc000
0x7f71809bc000-0x7f71809de000 /lib64/ld-2.22.so
0x7f7180a36000-0x7f7180b04000
0x7f7180b04000-0x7f7180b27000 /usr/share/locale/it/LC_MESSAGES/libc.mo
0x7f7180b27000-0x7f7180bd0000
0x7f7180bd0000-0x7f7180bdd000
0x7f7180bdd000-0x7f7180bde000 /lib64/ld-2.22.so
0x7f7180bde000-0x7f7180bdf000 /lib64/ld-2.22.so
0x7f7180bdf000-0x7f7180be0000
0x7ffc0ab5e000-0x7ffc0ab7f000 [stack]
0x7ffc0abdd000-0x7ffc0abdf000 [vvar]
0x7ffc0abdf000-0x7ffc0abe1000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==25497==End of process memory map.
==25497==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42208f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f7173b4d337 in wmf_malloc /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482
    #10 0x7f7173b5d2f8 in wmf_scan /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/player.c:143
    #11 0x7f7173d6dcf7 in ReadWMFImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/wmf.c:2675:13
    #12 0x7f717fde7b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #13 0x7f718057f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #14 0x7f717fde65ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #15 0x7f717fde6e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #16 0x7f717f66c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #17 0x7f717f70226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #20 0x7f717e5a661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419138 in _init (/usr/bin/magick+0x419138)
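The trace shows wmf_scan (player.c:143) handing a size of 0xfe769000 bytes, about 4 GiB, to malloc through wmf_malloc, i.e. an allocation whose size ultimately comes from the input file. The C example below is added here and is neither libwmf nor ImageMagick code: it contrasts a reader that trusts a length field taken from the file with one that bounds that length before allocating. The record layout (a little-endian 32-bit count of 16-bit words followed by the body), the MAX_RECORD_BYTES cap, the function names and the sample bytes are all constructed for illustration and do not describe the real WMF header or libwmf's parser; the hostile sample merely declares the same byte count the report shows.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout used only for this illustration (not the WMF
 * layout, and none of this is libwmf code): a little-endian 32-bit "size in
 * 16-bit words" field, followed by that many words of body. */
#define HDR_BYTES 4u

/* Hypothetical policy cap on a single record allocation; a real parser picks
 * a limit that fits its format. */
#define MAX_RECORD_BYTES (16u * 1024u * 1024u)

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern: the allocation size is taken straight from the file.
 * Returns the byte count such a parser would hand to malloc(); it does not
 * allocate, so the absurd value can be observed without exhausting RAM. */
size_t unchecked_request_bytes(const unsigned char *buf, size_t len)
{
    if (len < HDR_BYTES)
        return 0;
    uint32_t words = read_le32(buf);
    return (size_t)words * 2u;          /* input-controlled and unbounded */
}

/* Checked pattern: every condition that makes the declared size implausible
 * is rejected before malloc() is called. Returns 0 on success (with *out a
 * malloc()'d copy of the body that the caller frees) or -1 on rejection. */
int checked_read_record(const unsigned char *buf, size_t len,
                        unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (len < HDR_BYTES)
        return -1;                      /* truncated header */
    uint32_t words = read_le32(buf);
    if (words > SIZE_MAX / 2u)
        return -1;                      /* words * 2 would overflow size_t */
    size_t need = (size_t)words * 2u;
    if (need > MAX_RECORD_BYTES)
        return -1;                      /* exceeds the policy cap */
    if (need > len - HDR_BYTES)
        return -1;                      /* declared size exceeds remaining input */
    unsigned char *body = malloc(need ? need : 1u);
    if (body == NULL)
        return -1;                      /* allocation failure is an error, not a crash */
    memcpy(body, buf + HDR_BYTES, need);
    *out = body;
    *out_len = need;
    return 0;
}

/* Constructed inputs. SAMPLE_BAD declares 0x7f3b4800 words = 0xfe769000
 * bytes, the figure from the ASan report above, and carries no body at all. */
const unsigned char SAMPLE_GOOD[] = { 0x03, 0x00, 0x00, 0x00,
                                      'a', 'b', 'c', 'd', 'e', 'f' };
const size_t SAMPLE_GOOD_LEN = sizeof(SAMPLE_GOOD);
const unsigned char SAMPLE_BAD[] = { 0x00, 0x48, 0x3b, 0x7f };
const size_t SAMPLE_BAD_LEN = sizeof(SAMPLE_BAD);

/* Runs both samples through the checked reader; returns 1 when it accepts
 * the well-formed record and rejects the hostile one, 0 otherwise. */
int demo(void)
{
    unsigned char *body = NULL;
    size_t body_len = 0;
    int ok = 1;

    printf("unchecked parser would request %zu bytes for SAMPLE_BAD\n",
           unchecked_request_bytes(SAMPLE_BAD, SAMPLE_BAD_LEN));

    if (checked_read_record(SAMPLE_GOOD, SAMPLE_GOOD_LEN, &body, &body_len) != 0 ||
        body_len != 6 || memcmp(body, "abcdef", 6) != 0)
        ok = 0;
    free(body);

    if (checked_read_record(SAMPLE_BAD, SAMPLE_BAD_LEN, &body, &body_len) == 0)
        ok = 0;                         /* must be rejected, nothing allocated */
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The check against the remaining input length is the one that matters most for a file parser: a record cannot legitimately be larger than the bytes left in the file, so that comparison rejects oversized declarations without guessing at a magic limit. When triaging reports like this one under AddressSanitizer, running with ASAN_OPTIONS=allocator_may_return_null=1 makes the failed malloc return NULL instead of aborting, which shows whether the calling code handles allocation failure or dereferences the null pointer.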
Affected version:
0.2.8.4
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9011
Timeline:
2016-09-14: bug discovered
2016-10-18: blog post about the issue
2016-10-25: CVE assigned
Note:
This bug was found with American Fuzzy Lop.