ytnef: NULL pointer dereference in MAPIPrint (ytnef.c)

Description:
ytnef is Yeraze’s TNEF Stream Reader – for winmail.dat files.

The complete ASan output of the issue:

# ytnefprint $FILE
==12467==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f59364c62b6 bp 0x7ffe1b8d4af0 sp 0x7ffe1b8d4278 T0)
==12467==The signal is caused by a READ memory access.
==12467==Hint: address points to the zero page.
    #0 0x7f59364c62b5 in strlen /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/strlen.S:76
    #1 0x43e99c in __interceptor_strlen.part.31 /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:282
    #2 0x7f593734a162 in MAPIPrint /tmp/ytnef-1.9.2/lib/ytnef.c:1437:15
    #3 0x508f50 in PrintTNEF /tmp/ytnef-1.9.2/ytnefprint/main.c:169:5
    #4 0x50882e in main /tmp/ytnef-1.9.2/ytnefprint/main.c:84:5
    #5 0x7f593646878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419c38 in _start (/usr/bin/ytnefprint+0x419c38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/strlen.S:76 in strlen
==12467==ABORTING

Affected version:
1.9.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-9470

Reproducer:
https://github.com/asarubbo/poc/blob/master/00241-ytnef-nullptr-MAPIPrint

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-05-24: blog post about the issue
2017-06-07: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

ytnef: heap-based buffer overflow in PrintTNEF (ytnefprint/main.c)

Description:
ytnef is Yeraze’s TNEF Stream Reader – for winmail.dat files.

The complete ASan output of the issue:

# ytnefprint $FILE
==11928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001031 at pc 0x00000049df8d bp 0x7ffd1e1feb20 sp 0x7ffd1e1fe2d0
READ of size 2 at 0x602000001031 thread T0
    #0 0x49df8c in printf_common(void*, char const*, __va_list_tag*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544
    #1 0x49ea7a in __interceptor_vprintf /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1388
    #2 0x49eb37 in printf /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1434
    #3 0x509747 in PrintTNEF /tmp/ytnef-1.9.2/ytnefprint/main.c:195:7
    #4 0x50882e in main /tmp/ytnef-1.9.2/ytnefprint/main.c:84:5
    #5 0x7f16830da78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419c38 in _start (/usr/bin/ytnefprint+0x419c38)

0x602000001031 is located 0 bytes to the right of 1-byte region [0x602000001030,0x602000001031)
allocated by thread T0 here:
    #0 0x4cf7e0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f1683faf8bb in TNEFAttachmentFilename /tmp/ytnef-1.9.2/lib/ytnef.c:752:19
    #2 0x7f1683fc5b47 in TNEFParse /tmp/ytnef-1.9.2/lib/ytnef.c:1184:15
    #3 0x7f1683fc49d3 in TNEFParseFile /tmp/ytnef-1.9.2/lib/ytnef.c:1042:10
    #4 0x508814 in main /tmp/ytnef-1.9.2/ytnefprint/main.c:80:9
    #5 0x7f16830da78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544 in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0c047fff81b0: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 00 fa
  0x0c047fff81c0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 04 fa
  0x0c047fff81d0: fa fa 00 00 fa fa 00 05 fa fa 00 00 fa fa 00 00
  0x0c047fff81e0: fa fa 05 fa fa fa 00 00 fa fa 00 05 fa fa 00 00
  0x0c047fff81f0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff8200: fa fa fd fa fa fa[01]fa fa fa 00 00 fa fa 04 fa
  0x0c047fff8210: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 04 fa
  0x0c047fff8220: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 00 fa
  0x0c047fff8230: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 04 fa
  0x0c047fff8240: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 01 fa
  0x0c047fff8250: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11928==ABORTING

Affected version:
1.9.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00242-ytnef-heapoverflow-PrintTNEF

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-05-24: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

qpdf: three infinite loops in libqpdf

Description:
QPDF is a command-line program that does structural, content-preserving transformations on PDF files.

I discovered three infinite loops. Upstream didn't provide feedback, so they might have the same root cause.

# qpdf $FILE -
==8000==ERROR: AddressSanitizer: stack-overflow on address 0x7fff9cf4efd8 (pc 0x7f925abe7e23 bp 0x7fff9cf4f050 sp 0x7fff9cf4efe0 T0)
    #0 0x7f925abe7e22 in QPDFObjectHandle::assertInitialized() const /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:1380
    #1 0x7f925abe38aa in QPDFObjectHandle::isIndirect() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:241:5
    #2 0x7f925abe38aa in QPDFObjectHandle::releaseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:71
    #3 0x7f925ad2ca5d in QPDFObjectHandle::ReleaseResolver::releaseResolved(QPDFObjectHandle&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDFObjectHandle.hh:554:8
    #4 0x7f925ad2ca5d in QPDF_Array::releaseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Array.cc:19
    #5 0x7f925abe3c24 in QPDFObject::ObjAccessor::releaseResolved(QPDFObject*) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDFObject.hh:67:6
    #6 0x7f925abe3c24 in QPDFObjectHandle::releaseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:80
    #7 0x7f925ad30a6e in QPDFObjectHandle::ReleaseResolver::releaseResolved(QPDFObjectHandle&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDFObjectHandle.hh:554:8
    #8 0x7f925ad30a6e in QPDF_Dictionary::releaseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Dictionary.cc:23
    #9 0x7f925abe3c24 in QPDFObject::ObjAccessor::releaseResolved(QPDFObject*) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDFObject.hh:67:6
    #10 0x7f925abe3c24 in QPDFObjectHandle::releaseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:80
    #11 0x7f925ad30a6e in QPDFObjectHandle::ReleaseResolver::releaseResolved(QPDFObjectHandle&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDFObjectHandle.hh:554:8
    #12 0x7f925ad30a6e in QPDF_Dictionary::releaseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Dictionary.cc:23

Reproducer:
https://github.com/asarubbo/poc/blob/master/00176-qpdf-infiniteloop1
CVE:
CVE-2017-9208

############################

# qpdf $FILE -
    #0 0x427108 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:323
    #1 0x50ce78 in operator new(unsigned long) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
    #2 0x7fe47c18de58 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator const&) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xf3e58)
    #3 0x7fe47c18ec3a in std::string::_Rep::_M_clone(std::allocator const&, unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xf4c3a)
    #4 0x7fe47c18ece3 in std::string::reserve(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xf4ce3)
    #5 0x7fe47c656405 in std::string::push_back(char) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/include/g++-v4/bits/basic_string.h:1072:10
    #6 0x7fe47c656405 in std::string::operator+=(char) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/include/g++-v4/bits/basic_string.h:968
    #7 0x7fe47c656405 in QPDFTokenizer::presentCharacter(char) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFTokenizer.cc:189
    #8 0x7fe47c65d19a in QPDFTokenizer::readToken(PointerHolder, std::string const&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFTokenizer.cc:519:6
    #9 0x7fe47c61da83 in QPDFObjectHandle::parseInternal(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:873:23
    #10 0x7fe47c61f018 in QPDFObjectHandle::parseInternal(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:939:15
    #11 0x7fe47c6122d4 in QPDFObjectHandle::parse(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:841:12
    #12 0x7fe47c553ec1 in QPDF::readObject(PointerHolder, std::string const&, int, int, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:1017:31
    #13 0x7fe47c542a0b in QPDF::reconstruct_xref(QPDFExc&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:393:7
    #14 0x7fe47c57e826 in QPDF::readObjectAtOffset(bool, long long, std::string const&, int, int, int&, int&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:1359:6
    #15 0x7fe47c59e56d in QPDF::resolve(int, int) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:1474:7
    #16 0x7fe47c5f4854 in QPDF::Resolver::resolve(QPDF*, int, int) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDF.hh:520:19
    #17 0x7fe47c5f4854 in QPDFObjectHandle::dereference() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:1520
    #18 0x7fe47c626227 in QPDFObjectHandle::isName() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:184:5
    #19 0x7fe47c626227 in QPDFObjectHandle::parseInternal(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:1074
    #20 0x7fe47c61f018 in QPDFObjectHandle::parseInternal(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:939:15
    #21 0x7fe47c6122d4 in QPDFObjectHandle::parse(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:841:12
    #22 0x7fe47c553ec1 in QPDF::readObject(PointerHolder, std::string const&, int, int, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:1017:31
    #23 0x7fe47c542a0b in QPDF::reconstruct_xref(QPDFExc&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:393:7
    #24 0x7fe47c57e826 in QPDF::readObjectAtOffset(bool, long long, std::string const&, int, int, int&, int&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:1359:6
    #25 0x7fe47c59e56d in QPDF::resolve(int, int) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF.cc:1474:7
    #26 0x7fe47c5f4854 in QPDF::Resolver::resolve(QPDF*, int, int) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/include/qpdf/QPDF.hh:520:19
    #27 0x7fe47c5f4854 in QPDFObjectHandle::dereference() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:1520
    #28 0x7fe47c626227 in QPDFObjectHandle::isName() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:184:5
    #29 0x7fe47c626227 in QPDFObjectHandle::parseInternal(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:1074
    #30 0x7fe47c61f018 in QPDFObjectHandle::parseInternal(PointerHolder, std::string const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:939:15

Reproducer:
https://github.com/asarubbo/poc/blob/master/00177-pdf-infiniteloop2
CVE:
CVE-2017-9209

############################

# qpdf $FILE -
==13070==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0ba0efb0 (pc 0x00000042711b bp 0x7ffd0ba0f8a0 sp 0x7ffd0ba0efb0 T0)
    #0 0x42711a in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:325
    #1 0x50ce78 in operator new(unsigned long) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
    #2 0x7f949448ae58 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator const&) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xf3e58)
    #3 0x7f949448bc3a in std::string::_Rep::_M_clone(std::allocator const&, unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xf4c3a)
    #4 0x7f949448bce3 in std::string::reserve(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xf4ce3)
    #5 0x7f9494a4451d in std::string::push_back(char) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/include/g++-v4/bits/basic_string.h:1072:10
    #6 0x7f9494a4451d in std::string::operator+=(char) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/include/g++-v4/bits/basic_string.h:968
    #7 0x7f9494a4451d in QPDF_Name::normalizeName(std::string const&) /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Name.cc:24
    #8 0x7f9494a3ddaa in QPDF_Dictionary::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Dictionary.cc:35:12
    #9 0x7f949490c23f in QPDFObjectHandle::unparseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:699:23
    #10 0x7f9494909e8c in QPDFObjectHandle::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:685:11
    #11 0x7f9494a39cb0 in QPDF_Array::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Array.cc:30:20
    #12 0x7f949490c23f in QPDFObjectHandle::unparseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:699:23
    #13 0x7f9494909e8c in QPDFObjectHandle::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:685:11
    #14 0x7f9494a3de56 in QPDF_Dictionary::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Dictionary.cc:36:27
    #15 0x7f949490c23f in QPDFObjectHandle::unparseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:699:23
    #16 0x7f9494909e8c in QPDFObjectHandle::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:685:11
    #17 0x7f9494a39cb0 in QPDF_Array::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Array.cc:30:20
    #18 0x7f949490c23f in QPDFObjectHandle::unparseResolved() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:699:23
    #19 0x7f9494909e8c in QPDFObjectHandle::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc:685:11
    #20 0x7f9494a3de56 in QPDF_Dictionary::unparse() /tmp/portage/app-text/qpdf-6.0.0-r1/work/qpdf-6.0.0/libqpdf/QPDF_Dictionary.cc:36:27

Reproducer:
https://github.com/asarubbo/poc/blob/master/00177-qpdf-infiniteloop3
CVE:
CVE-2017-9210
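The first and third traces above show the same shape: a recursive walk over the object graph (QPDF_Dictionary calling into QPDFObjectHandle, which calls into QPDF_Array, which calls back into QPDF_Dictionary, and so on) until the stack is exhausted. That is the pattern a naive recursive traversal produces when a file's object graph contains a reference cycle or absurdly deep nesting; this is an inference from the traces, not something taken from qpdf's fix commits. The following is an added example, not qpdf's code, using a constructed toy object model (the `Obj` type, `walk()`, and the sample graphs are all assumptions) to show a traversal that detects back edges and caps nesting depth instead of recursing without bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy object model (assumption, not qpdf's): a node is a scalar, an array,
 * or a dictionary; arrays and dictionaries hold pointers to child nodes.
 * For brevity a dictionary only stores its values, not its keys. */
typedef struct Obj Obj;
struct Obj {
    enum { OBJ_SCALAR, OBJ_ARRAY, OBJ_DICT } kind;
    Obj **items;      /* children for OBJ_ARRAY / OBJ_DICT, NULL for scalars */
    size_t n_items;
    bool visiting;    /* true while this node is on the traversal stack */
};

#define MAX_DEPTH 64  /* nesting limit; tune to what the format legitimately needs */

/* Recursive traversal that refuses to loop. Returns the number of nodes
 * reached, or -1 if a reference cycle or excessive nesting is detected.
 * Call with depth = 0. A node already marked 'visiting' is an ancestor of
 * the current node, i.e. a back edge; shared (DAG) references are fine
 * because the flag is cleared again on the way out. */
long walk(Obj *o, int depth)
{
    if (o == NULL)
        return 0;
    if (depth > MAX_DEPTH)
        return -1;                    /* input-controlled nesting depth */
    if (o->visiting)
        return -1;                    /* cycle: we are already inside this node */
    o->visiting = true;
    long total = 1;
    for (size_t i = 0; i < o->n_items; i++) {
        long r = walk(o->items[i], depth + 1);
        if (r < 0) {
            o->visiting = false;
            return -1;
        }
        total += r;
    }
    o->visiting = false;
    return total;
}

/* Constructed sample: dict -> [ array -> scalar, scalar ] (4 nodes, no cycle). */
long walk_sample_tree(void)
{
    Obj s1 = { OBJ_SCALAR, NULL, 0, false };
    Obj s2 = { OBJ_SCALAR, NULL, 0, false };
    Obj *arr_items[] = { &s1 };
    Obj arr = { OBJ_ARRAY, arr_items, 1, false };
    Obj *dict_items[] = { &arr, &s2 };
    Obj dict = { OBJ_DICT, dict_items, 2, false };
    return walk(&dict, 0);
}

/* Constructed sample: dict -> array -> dict, i.e. the array refers back to
 * the root. A naive walk would recurse forever; this one returns -1. */
long walk_sample_cycle(void)
{
    Obj dict, arr;
    Obj *arr_items[] = { &dict };
    Obj *dict_items[] = { &arr };
    dict = (Obj){ OBJ_DICT, dict_items, 1, false };
    arr  = (Obj){ OBJ_ARRAY, arr_items, 1, false };
    return walk(&dict, 0);
}

/* Constructed sample: an acyclic chain nested deeper than MAX_DEPTH. */
long walk_sample_deep(void)
{
    enum { N = MAX_DEPTH + 10 };
    static Obj chain[N];
    static Obj *links[N];
    for (int i = 0; i < N; i++) {
        links[i] = (i + 1 < N) ? &chain[i + 1] : NULL;
        chain[i] = (Obj){ OBJ_ARRAY, &links[i], 1, false };
    }
    return walk(&chain[0], 0);
}

int main(void)
{
    printf("tree : %ld\n", walk_sample_tree());   /* 4 */
    printf("cycle: %ld\n", walk_sample_cycle());  /* -1 */
    printf("deep : %ld\n", walk_sample_deep());   /* -1 */
    return 0;
}
```

The `visiting` flag catches cycles exactly; the depth cap is the second line of defence for inputs that are not cyclic but are nested deeply enough to exhaust the stack anyway, which no cycle check can prevent on its own.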

############################

Affected version:
6.0.0

Fixed version:
N/A

Commit fix:
https://github.com/qpdf/qpdf/commit/afe0242b263a9e1a8d51dd81e42ab6de2e5127eb
https://github.com/qpdf/qpdf/commit/603f222365252f1a1e20303b3dbe52466be3053b
https://github.com/qpdf/qpdf/commit/315092dd98d5230ef0efa18b294d464d0e9f79d0

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-02-13: bug discovered and reported to upstream
2017-05-21: blog post about the issue
2017-05-23: CVE assigned
2017-07-26: upstream released a fix

Note:
These bugs were found with American Fuzzy Lop.

imageworsener: multiple vulnerabilities

Description:
imageworsener is a utility for image scaling and processing.

After having fuzzed the 1.3.0 release and found issues already documented in the previous posts, I re-tested the new release and the fuzzer turned up some issues. I don't know whether those issues were also present in the old releases or whether recent commits introduced them.

# imagew $FILE /tmp/out -outfmt bmp
src/imagew-cmd.c:850:46: runtime error: division by zero
src/imagew-cmd.c:850:29: runtime error: value inf is outside the range of representable values of type 'int'

Commit fix:
https://github.com/jsummers/imageworsener/commit/dc49c807926b96e503bd7c0dec35119eecd6c6fe
Reproducer:
https://github.com/asarubbo/poc/blob/master/00278-imageworsener-fpe-outside-int
CVE:
CVE-2017-9201

############################

# imagew $FILE /tmp/out -outfmt bmp
src/imagew-cmd.c:854:45: runtime error: division by zero
src/imagew-cmd.c:854:28: runtime error: value inf is outside the range of representable values of type 'int'

Commit fix:
https://github.com/jsummers/imageworsener/commit/dc49c807926b96e503bd7c0dec35119eecd6c6fe
Reproducer:
https://github.com/asarubbo/poc/blob/master/00279-imageworsener-fpe-outside-int_2
CVE:
CVE-2017-9202
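The two UBSan reports above pair up the same way each time: a floating-point "division by zero" on one column of a line, then "value inf is outside the range of representable values of type 'int'" a few columns to the left on the same line. A zero divisor taken from the input produces +inf, and converting an infinite (or NaN, or merely too large) double to int is undefined behaviour. The following is an added example, not imageworsener's code; the function names, the aspect-ratio formula and the sample values are assumptions chosen to show the two checks that close this path: reject the zero divisor before dividing, and range-check every double before it is narrowed to int.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Narrow a double to int only when the value is finite and in range.
 * Returns false (leaving *out untouched) instead of invoking undefined
 * behaviour. The bounds are computed in double: (double)INT_MAX + 1.0 and
 * (double)INT_MIN are both exactly representable, so the comparison is
 * exact rather than relying on a rounded INT_MAX. */
bool double_to_int_checked(double v, int *out)
{
    if (!isfinite(v))                         /* rejects inf and NaN */
        return false;
    if (v >= (double)INT_MAX + 1.0 || v < (double)INT_MIN)
        return false;
    *out = (int)v;
    return true;
}

/* Hypothetical aspect-ratio computation of the kind an image scaler does:
 * dst_w = src_w * dst_h / src_h. Returns false when src_h is zero (the
 * division that UBSan flagged) or when the result does not fit an int. */
bool scaled_width(int src_w, int src_h, int dst_h, int *dst_w)
{
    if (src_h == 0)                           /* would yield inf or NaN */
        return false;
    double w = (double)src_w * (double)dst_h / (double)src_h;
    return double_to_int_checked(w, dst_w);
}

int main(void)
{
    int w = 0;
    /* constructed inputs: a normal image, then a header claiming height 0 */
    if (scaled_width(640, 480, 240, &w))
        printf("640x480 scaled to height 240 -> width %d\n", w);   /* 320 */
    if (!scaled_width(640, 0, 240, &w))
        printf("zero source height rejected before dividing\n");
    if (!double_to_int_checked(INFINITY, &w))
        printf("inf rejected before narrowing to int\n");
    return 0;
}
```

Doing the range check in one helper and routing every double-to-int narrowing of input-derived values through it is what keeps a fix like this from being a one-line patch that the next fuzzing run reopens at a neighbouring line, which is exactly what the two reports at lines 850 and 854 look like.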

############################

# imagew $FILE /tmp/out -outfmt bmp
src/imagew-main.c:960:12: runtime error: index -1 out of bounds for type 'struct iw_channelinfo_out [4]'

Commit fix:
https://github.com/jsummers/imageworsener/commit/a4f247707f08e322f0b41e82c3e06e224240a654
Reproducer:
https://github.com/asarubbo/poc/blob/master/00280-imageworsener-oob-iw_channelinfo_out
CVE:
CVE-2017-9203

############################

# imagew $FILE /tmp/out -outfmt bmp
==29040==ERROR: AddressSanitizer: SEGV on unknown address 0x60b00a000086 (pc 0x7f693a6b6a30 bp 0x7ffc6ae53710 sp 0x7ffc6ae536f0 T0)
==29040==The signal is caused by a READ memory access.
    #0 0x7f693a6b6a2f in iw_get_ui16le /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:405:23
    #1 0x7f693a6b6a2f in iw_get_ui16_e /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:435
    #2 0x7f693a67d008 in iwjpeg_scan_exif_ifd /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:130:14
    #3 0x7f693a67d008 in iwjpeg_scan_exif /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:182
    #4 0x7f693a67d008 in iwjpeg_read_saved_markers /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:205
    #5 0x7f693a67d008 in iw_read_jpeg_file /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:430
    #6 0x7f693a5ed21d in iw_read_file_by_fmt /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-allfmts.c:43:12
    #7 0x510184 in iwcmd_run /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:1191:6
    #8 0x50c1a6 in iwcmd_main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3018:7
    #9 0x50c1a6 in main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3067
    #10 0x7f69395f6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41b048 in _init (/usr/bin/imagew+0x41b048)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:405:23 in iw_get_ui16le
==29040==ABORTING

Commit fix:
https://github.com/jsummers/imageworsener/commit/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d
Reproducer:
https://github.com/asarubbo/poc/blob/master/00281-imageworsener-invalidread-iw_get_ui16le
CVE:
CVE-2017-9204

############################

# imagew $FILE /tmp/out -outfmt bmp
==9730==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0ff100086 (pc 0x7f4178fefadb bp 0x7fffcee12570 sp 0x7fffcee12550 T0)
==9730==The signal is caused by a READ memory access.
    #0 0x7f4178fefada in iw_get_ui16be /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:422:24
    #1 0x7f4178fefada in iw_get_ui16_e /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:436
    #2 0x7f4178fb6008 in iwjpeg_scan_exif_ifd /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:130:14
    #3 0x7f4178fb6008 in iwjpeg_scan_exif /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:182
    #4 0x7f4178fb6008 in iwjpeg_read_saved_markers /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:205
    #5 0x7f4178fb6008 in iw_read_jpeg_file /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:430
    #6 0x7f4178f2621d in iw_read_file_by_fmt /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-allfmts.c:43:12
    #7 0x510184 in iwcmd_run /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:1191:6
    #8 0x50c1a6 in iwcmd_main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3018:7
    #9 0x50c1a6 in main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3067
    #10 0x7f4177f2f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41b048 in _init (/usr/bin/imagew+0x41b048)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:422:24 in iw_get_ui16be
==9730==ABORTING

Commit fix:
https://github.com/jsummers/imageworsener/commit/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d
Reproducer:
https://github.com/asarubbo/poc/blob/master/00282-imageworsener-invalidread-iw_get_ui16be
CVE:
CVE-2017-9205

############################

# imagew $FILE /tmp/out -outfmt bmp
==24197==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000a70 at pc 0x7f1c90ffbb6b bp 0x7ffd41b1af40 sp 0x7ffd41b1af38
READ of size 1 at 0x608000000a70 thread T0
    #0 0x7f1c90ffbb6a in iw_get_ui16le /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:405:23
    #1 0x7f1c90ffbb6a in iw_get_ui16_e /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:435
    #2 0x7f1c90fc2008 in iwjpeg_scan_exif_ifd /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:130:14
    #3 0x7f1c90fc2008 in iwjpeg_scan_exif /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:182
    #4 0x7f1c90fc2008 in iwjpeg_read_saved_markers /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:205
    #5 0x7f1c90fc2008 in iw_read_jpeg_file /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:430
    #6 0x7f1c90f3221d in iw_read_file_by_fmt /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-allfmts.c:43:12
    #7 0x510184 in iwcmd_run /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:1191:6
    #8 0x50c1a6 in iwcmd_main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3018:7
    #9 0x50c1a6 in main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3067
    #10 0x7f1c8ff3b680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41b048 in _init (/usr/bin/imagew+0x41b048)

Address 0x608000000a70 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:405:23 in iw_get_ui16le

Commit fix:
https://github.com/jsummers/imageworsener/commit/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d
Reproducer:
https://github.com/asarubbo/poc/blob/master/00283-imageworsener-heapoverflow-iw_get_ui16le
CVE:
CVE-2017-9206

############################

# imagew $FILE /tmp/out -outfmt bmp
==9198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000004070 at pc 0x7ffb620f1b97 bp 0x7fff09707940 sp 0x7fff09707938
READ of size 1 at 0x608000004070 thread T0
    #0 0x7ffb620f1b96 in iw_get_ui16be /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:422:24
    #1 0x7ffb620f1b96 in iw_get_ui16_e /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:436
    #2 0x7ffb620b8008 in iwjpeg_scan_exif_ifd /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:130:14
    #3 0x7ffb620b8008 in iwjpeg_scan_exif /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:182
    #4 0x7ffb620b8008 in iwjpeg_read_saved_markers /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:205
    #5 0x7ffb620b8008 in iw_read_jpeg_file /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-jpeg.c:430
    #6 0x7ffb6202821d in iw_read_file_by_fmt /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-allfmts.c:43:12
    #7 0x510184 in iwcmd_run /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:1191:6
    #8 0x50c1a6 in iwcmd_main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3018:7
    #9 0x50c1a6 in main /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-cmd.c:3067
    #10 0x7ffb61031680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41b048 in _init (/usr/bin/imagew+0x41b048)

Address 0x608000004070 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/imageworsener-1.3.1/work/imageworsener-1.3.1/src/imagew-util.c:422:24 in iw_get_ui16be

Commit fix:
https://github.com/jsummers/imageworsener/commit/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d
Reproducer:
https://github.com/asarubbo/poc/blob/master/00284-imageworsener-heapoverflow-iw_get_ui16be
CVE:
CVE-2017-9207

############################

Affected version:
1.3.1

Fixed version:
1.3.2 (not yet released at the time of writing)

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-05-10: bugs discovered and reported to upstream
2017-05-20: blog post about the issue
2017-05-23: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

autotrace: multiple vulnerabilities (The autotrace nightmare)

Description:
autotrace is a program for converting bitmaps to vector graphics.

Some time ago I tried to fuzz autotrace, but the first attempt resulted in a crash by default, so I was unable to complete the task. See CVE-2016-7392 – autotrace: heap-based buffer overflow in pstoedit_suffix_table_init (output-pstoedit.c) for more info.
Some days ago I noticed that the Debian team patched the mentioned issue (you can blame them for what you will see below 😀), so I took the patch and started the job. I'm sure there are duplicates, or better said, issues that have the same root cause. But for completeness I'm providing all stacktraces/testcases.
Since we applied several patches, I'm providing the tarball as well, so the lines where the faults happen can be verified.
There are enough issues to kill the package from every repository, since the latest upstream release was about 15 years ago.

Some details, stated once here to avoid repeating them for every issue:
– Reproducible with: autotrace $FILE
– Affected version: 0.31.1
– Fixed version: N/A
– Commit fix: N/A

==27066==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7f42e63f224f bp 0x7ffe8cc02b70 sp 0x7ffe8cc02b68
WRITE of size 1 at 0x602000000071 thread T0
    #0 0x7f42e63f224e in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12
    #1 0x7f42e63edfaf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f42e64842e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f42e54df680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f42e64849e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f42e63eded4 in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:239:12
    #3 0x7f42e64842e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f42e54df680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12 in pnm_load_ascii

Reproducer:
HEAP-input-pnm.c-303-12.PBM
CVE:
CVE-2017-9151

#########################################

==15561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000008e at pc 0x7ff8acddc761 bp 0x7ffcd65a9bf0 sp 0x7ffcd65a9be8
READ of size 1 at 0x60300000008e thread T0
    #0 0x7ff8acddc760 in pnm_load_raw /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:346:41
    #1 0x7ff8acdd5faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7ff8ace6c2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7ff8abec7680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60300000008e is located 0 bytes to the right of 30-byte region [0x603000000070,0x60300000008e)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7ff8ace6c9e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7ff8acdd5ed4 in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:239:12
    #3 0x7ff8ace6c2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7ff8abec7680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:346:41 in pnm_load_raw

Reproducer:
HEAP-input-pnm.c-346-41.PBM
CVE:
CVE-2017-9152

#########################################

==11769==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000005ba at pc 0x7f1540eec0d1 bp 0x7ffc27a48c20 sp 0x7ffc27a48c18
WRITE of size 1 at 0x6160000005ba thread T0
    #0 0x7f1540eec0d0 in pnm_load_rawpbm /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:13
    #1 0x7f1540ee6faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f1540f7d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f153ffd8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x6160000005ba is located 0 bytes to the right of 570-byte region [0x616000000380,0x6160000005ba)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f1540f7d9e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f1540ee6ed4 in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:239:12
    #3 0x7f1540f7d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f153ffd8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:13 in pnm_load_rawpbm

Reproducer:
HEAP-input-pnm.c-391-13.PBM
CVE:
CVE-2017-9153

#########################################

==15741==ERROR: AddressSanitizer: SEGV on unknown address 0x7fabc702e804 (pc 0x7fabcc84c7bb bp 0x7ffd2d0598d0 sp 0x7ffd2d0598a0 T0)
==15741==The signal is caused by a READ memory access.
    #0 0x7fabcc84c7ba in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7fabcc872d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7fabcc866b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7fabcc85c2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7fabcc85a592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7fabcc8505df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7fabcb8a9680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR

Reproducer:
SEGV-color.c.16-11.PBM
CVE:
CVE-2017-9154

#########################################

==10703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9d7f436fad bp 0x7ffff7bfce10 sp 0x7ffff7bfccc0 T0)
==10703==The signal is caused by a READ memory access.
==10703==Hint: address points to the zero page.
    #0 0x7f9d7f436fac in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #1 0x7f9d7f4cd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #2 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #3 0x7f9d7e528680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3 in input_pnm_reader

Reproducer:
SEGV-input-pnm.c-243-3.PBM
CVE:
CVE-2017-9155

#########################################

==11174==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d831eb74b bp 0x7ffc4e65fcb0 sp 0x7ffc4e65fb80 T0)
==11174==The signal is caused by a WRITE memory access.
==11174==Hint: address points to the zero page.
    #0 0x7f6d831eb74a in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12
    #1 0x7f6d831e7faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f6d8327e2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f6d822d9680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12 in pnm_load_ascii

Reproducer:
SEGV-input-pnm.c-303-12.PBM
CVE:
CVE-2017-9156

#########################################

==28602==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f48c4e62a5d bp 0x7ffd95ea1cb0 sp 0x7ffd95ea1b80 T0)
==28602==The signal is caused by a WRITE memory access.
==28602==Hint: address points to the zero page.
    #0 0x7f48c4e62a5c in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:306:14
    #1 0x7f48c4e5efaf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f48c4ef52e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f48c3f50680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:306:14 in pnm_load_ascii

Reproducer:
SEGV-input-pnm.c-306-14.PBM
CVE:
CVE-2017-9157

#########################################

==28887==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f743bc8b10e bp 0x00000000000f sp 0x7ffeef5b4b98 T0)
==28887==The signal is caused by a WRITE memory access.
==28887==Hint: address points to the zero page.
    #0 0x7f743bc8b10d  /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/memcpy.S:71
    #1 0x7f743bc79ebd in __GI__IO_file_xsgetn /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/libio/fileops.c:1392
    #2 0x7f743bc6f20f in fread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/libio/iofread.c:38
    #3 0x7f743cb3e505 in pnm_load_raw /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:336:11
    #4 0x7f743cb37faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #5 0x7f743cbce2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #6 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #7 0x7f743bc29680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/memcpy.S:71

Reproducer:
SEGV-input-pnm.c-336-11.PBM
CVE:
CVE-2017-9158

#########################################

==12246==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4ffc714627 bp 0x7ffcb0118cb0 sp 0x7ffcb0118c30 T0)
==12246==The signal is caused by a WRITE memory access.
==12246==Hint: address points to the zero page.
    #0 0x7f4ffc714626 in pnm_load_rawpbm /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:15
    #1 0x7f4ffc70ffaf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f4ffc7a62e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f4ffb801680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:15 in pnm_load_rawpbm

Reproducer:
SEGV-input-pnm.c-391-15.PBM
CVE:
CVE-2017-9159

#########################################

==23827==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0793e00620 at pc 0x7f0798f0581a bp 0x7fff2523daf0 sp 0x7fff2523dae8
WRITE of size 1 at 0x7f0793e00620 thread T0
    #0 0x7f0798f05819 in pnmscanner_gettoken /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:458:12
    #1 0x7f0798f0713e in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:294:5
    #2 0x7f0798f03faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #3 0x7f0798f9a2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f0797ff5680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x7f0793e00620 is located in stack of thread T0 at offset 544 in frame
    #0 0x7f0798f05e9f in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:263

  This frame has 1 object(s):
    [32, 544) 'buf' <== Memory access at offset 544 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:458:12 in pnmscanner_gettoken

Reproducer:
STACK-input-pnm.c-458-12.PBM
CVE:
CVE-2017-9160

#########################################

autotrace.c:188:23: runtime error: signed integer overflow: 46486 * 46485 cannot be represented in type 'int'

Reproducer:
UNDEF-autotrace.c-188-23.PBM
CVE:
CVE-2017-9161

#########################################

autotrace.c:191:2: runtime error: signed integer overflow: 65535 * 65529 cannot be represented in type 'int'

Reproducer:
UNDEF-autotrace.c-191-2.PBM
CVE:
CVE-2017-9162

#########################################

pxl-outline.c:106:54: runtime error: signed integer overflow: 65535 * 53531 cannot be represented in type 'int'

Reproducer:
UNDEF-pxl-outline.c-106-54.PBM
CVE:
CVE-2017-9163

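The input-pnm.c reports above share one fix pattern: the width*height product is computed in int without an overflow check (the UBSan lines), a fixed-size token buffer is filled without a length check (pnmscanner_gettoken), and pixel data is written past the bitmap allocation (pnm_load_ascii, pnm_load_rawpbm). The following is an added example, not autotrace's code: a hardened in-memory P1 (ASCII PBM) loader whose every name is hypothetical, with a checked size computation, a bounded token scanner and pixel writes limited to the allocation.

```c
/* Hardened ASCII PBM (P1) loader. Constructed example, not autotrace code.
 * It addresses the three defect classes in the input-pnm.c traces above:
 * width*height computed in int with no overflow check (UBSan reports), a
 * fixed-size token buffer filled without a length check (pnmscanner_gettoken),
 * and pixel data written past the bitmap allocation (pnm_load_ascii/rawpbm). */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKEN 32   /* header numbers are short; anything longer is an error */

typedef struct { const char *cur, *end; } scanner;   /* in-memory input */
typedef struct { int width, height; size_t npixels; unsigned char *pixels; } bitmap;

/* Skip whitespace and '#' comments, which PNM allows between header tokens. */
static void skip_ws(scanner *s) {
    while (s->cur < s->end) {
        if (*s->cur == '#') { while (s->cur < s->end && *s->cur != '\n') s->cur++; }
        else if (isspace((unsigned char)*s->cur)) s->cur++;
        else break;
    }
}

/* Bounded token read: -1 if input is exhausted or the token would not fit. */
static int get_token(scanner *s, char *buf, size_t bufsz) {
    size_t n = 0;
    skip_ws(s);
    if (s->cur >= s->end) return -1;
    while (s->cur < s->end && !isspace((unsigned char)*s->cur)) {
        if (n + 1 >= bufsz) return -1;   /* refuse rather than truncate silently */
        buf[n++] = *s->cur++;
    }
    buf[n] = '\0';
    return 0;
}

/* Parse one strictly positive decimal dimension that fits in int. */
static int get_dimension(scanner *s, int *out) {
    char tok[MAX_TOKEN], *endp;
    if (get_token(s, tok, sizeof tok) != 0) return -1;
    errno = 0;
    long v = strtol(tok, &endp, 10);
    if (errno != 0 || *endp != '\0' || v <= 0 || v > INT_MAX) return -1;
    *out = (int)v; return 0;
}

/* width*height with an explicit overflow check. Returns the pixel count, or
 * -1 when the product does not fit in int, so 46486 x 46485 (the first UBSan
 * report above) is rejected instead of wrapping into a bogus allocation size. */
long long checked_pixel_count(int width, int height) {
    if (width <= 0 || height <= 0) return -1;
    if (width > INT_MAX / height) return -1;
    return (long long)width * height;
}

/* Load a P1 image from memory: 0 on success, -1 on any malformed input.
 * Exactly npixels digits are consumed, however much data follows them. */
int load_p1(const char *data, size_t len, bitmap *bm) {
    scanner s = { data, data + len };
    char tok[MAX_TOKEN];
    memset(bm, 0, sizeof *bm);
    if (get_token(&s, tok, sizeof tok) != 0 || strcmp(tok, "P1") != 0) return -1;
    if (get_dimension(&s, &bm->width) != 0 || get_dimension(&s, &bm->height) != 0) return -1;
    long long n = checked_pixel_count(bm->width, bm->height);
    if (n < 0) return -1;
    bm->npixels = (size_t)n;
    bm->pixels = calloc(bm->npixels, 1);
    if (!bm->pixels) return -1;
    for (size_t i = 0; i < bm->npixels; i++) {   /* loop bound is the allocation */
        skip_ws(&s);                               /* P1 digits may be unseparated */
        if (s.cur >= s.end || (*s.cur != '0' && *s.cur != '1')) {
            free(bm->pixels); bm->pixels = NULL; return -1;   /* short or non-binary */
        }
        bm->pixels[i] = (unsigned char)(*s.cur++ - '0');
    }
    return 0;
}

/* Convenience wrappers: pixel count on success or -1; pixel i or -1. */
long long p1_pixels_loaded(const char *text) {
    bitmap bm;
    if (load_p1(text, strlen(text), &bm) != 0) return -1;
    free(bm.pixels);
    return (long long)bm.npixels;
}
int p1_pixel(const char *text, size_t i) {
    bitmap bm;
    if (load_p1(text, strlen(text), &bm) != 0) return -1;
    int v = i < bm.npixels ? bm.pixels[i] : -1;
    free(bm.pixels);
    return v;
}

int main(void) {   /* constructed inputs: valid, excess pixel data, int overflow */
    printf("valid:    %lld\n", p1_pixels_loaded("P1\n# comment\n2 2\n1 0\n0 1\n"));
    printf("excess:   %lld\n", p1_pixels_loaded("P1\n1 1\n0 1 1 1 1 1 1 1\n"));
    printf("overflow: %lld\n", p1_pixels_loaded("P1\n46486 46485\n0\n"));
    return 0;
}
```

The same checked multiply applies to the other two UBSan products above (65535 x 65529 and 65535 x 53531), which the loader rejects before any allocation is attempted.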
#########################################

==1166==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000880c at pc 0x7f9aa579b946 bp 0x7ffca93d7890 sp 0x7ffca93d7888
READ of size 1 at 0x62d00000880c thread T0
    #0 0x7f9aa579b945 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7f9aa57c1d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7f9aa57b5b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7f9aa57ab2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7f9aa57a9592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7f9aa579f5df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7f9aa47f8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x62d00000880c is located 8 bytes to the right of 33796-byte region [0x62d000000400,0x62d000008804)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f9aa5711116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7f9aa5711116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f9aa579d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f9aa47f8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR

Reproducer:
HEAP-color.c-16-11.BMP
CVE:
CVE-2017-9164

#########################################

==6460==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7fea3aae195b bp 0x7ffe69932b70 sp 0x7ffe69932b68
READ of size 1 at 0x602000000071 thread T0
    #0 0x7fea3aae195a in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:17:11
    #1 0x7fea3aaef153 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:125:19
    #2 0x7fea3aae55df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #3 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #4 0x7fea39b3e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fea3aa57116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7fea3aa57116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fea3aae32e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fea39b3e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:17:11 in GET_COLOR

Reproducer:
HEAP-color.c-17-11.BMP
CVE:
CVE-2017-9165

#########################################

==9854==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000d81 at pc 0x7f66a5a2e971 bp 0x7ffd049fb890 sp 0x7ffd049fb888
READ of size 1 at 0x61f000000d81 thread T0
    #0 0x7f66a5a2e970 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:18:11
    #1 0x7f66a5a54d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7f66a5a48fd2 in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:836:16
    #3 0x7f66a5a3e2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7f66a5a3c592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7f66a5a325df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7f66a4a8b680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x61f000000d81 is located 0 bytes to the right of 3329-byte region [0x61f000000080,0x61f000000d81)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f66a59a4116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7f66a59a4116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f66a5a302e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f66a4a8b680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:18:11 in GET_COLOR

Reproducer:
HEAP-color.c-18-11.BMP
CVE:
CVE-2017-9166

#########################################

==6435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7ff19cd36604 bp 0x7fff53b20c50 sp 0x7fff53b20c48
WRITE of size 1 at 0x60200000006d thread T0
    #0 0x7ff19cd36603 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:337:25
    #1 0x7ff19cd36603 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7ff19cdbd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7ff19be18680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7ff19cd30fc1 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:309:7
    #2 0x7ff19cd30fc1 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7ff19cdbd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7ff19be18680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:337:25 in ReadImage

Reproducer:
HEAP-input-bmp.c-337-25.BMP
CVE:
CVE-2017-9167

#########################################

==1216==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7fbacd3ae631 bp 0x7ffdb62cfc50 sp 0x7ffdb62cfc48
WRITE of size 1 at 0x60200000006d thread T0
    #0 0x7fbacd3ae630 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25
    #1 0x7fbacd3ae630 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fbacd4352e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fbacc490680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fbacd3a8fc1 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:309:7
    #2 0x7fbacd3a8fc1 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fbacd4352e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fbacc490680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25 in ReadImage

Reproducer:
HEAP-input-bmp.c-353-25.BMP
CVE:
CVE-2017-9168

#########################################

==6260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000068 at pc 0x7f9f33109651 bp 0x7fff2313dc50 sp 0x7fff2313dc48
WRITE of size 1 at 0x607000000068 thread T0
    #0 0x7f9f33109650 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:355:25
    #1 0x7f9f33109650 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f9f331902e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f9f321eb680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x607000000068 is located 0 bytes to the right of 72-byte region [0x607000000020,0x607000000068)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f9f3318eb13 in at_fitting_opts_new /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:51:3
    #2 0x509455 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:82:24
    #3 0x7f9f321eb680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:355:25 in ReadImage

Reproducer:
HEAP-input-bmp.c-355-25.BMP
CVE:
CVE-2017-9169

#########################################

==6415==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7f53cbb18669 bp 0x7ffd2e82ac50 sp 0x7ffd2e82ac48
WRITE of size 1 at 0x60200000006d thread T0
    #0 0x7f53cbb18668 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25
    #1 0x7f53cbb18668 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f53cbb9f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f53cabfa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f53cbb12fc1 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:309:7
    #2 0x7f53cbb12fc1 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f53cbb9f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f53cabfa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25 in ReadImage

Reproducer:
HEAP-input-bmp.c-370-25.BMP
CVE:
CVE-2017-9170

#########################################

==6455==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb7800fe801 at pc 0x7fb7848c85c7 bp 0x7ffc39b0ec50 sp 0x7ffc39b0ec48
READ of size 1 at 0x7fb7800fe801 thread T0
    #0 0x7fb7848c85c6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:492:24
    #1 0x7fb7848c85c6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fb78494f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fb7839aa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fb7800fe801 is located 0 bytes to the right of 655361-byte region [0x7fb78005e800,0x7fb7800fe801)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fb7848c3116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7fb7848c3116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fb78494f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fb7839aa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:492:24 in ReadImage

Reproducer:
HEAP-input-bmp.c-492-24.BMP
CVE:
CVE-2017-9171

#########################################

==6652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x7f80c1d6e5e7 bp 0x7ffd0fd20c50 sp 0x7ffd0fd20c48
WRITE of size 1 at 0x6020000000b1 thread T0
    #0 0x7f80c1d6e5e6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:496:29
    #1 0x7f80c1d6e5e6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f80c1df52e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f80c0e50680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f80c1d6da41 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:486:7
    #2 0x7f80c1d6da41 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f80c1df52e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f80c0e50680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:496:29 in ReadImage

Reproducer:
HEAP-input-bmp.c-496-29.BMP
CVE:
CVE-2017-9172

#########################################

==6562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe5db1fc800 at pc 0x7fe637b9d5f7 bp 0x7ffcd7777c50 sp 0x7ffcd7777c48
WRITE of size 1 at 0x7fe5db1fc800 thread T0
    #0 0x7fe637b9d5f6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:497:29
    #1 0x7fe637b9d5f6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fe637c242e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fe636c7f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fe5db1fc800 is located 0 bytes to the right of 83898368-byte region [0x7fe5d61f9800,0x7fe5db1fc800)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fe637b9ca41 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:486:7
    #2 0x7fe637b9ca41 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fe637c242e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fe636c7f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:497:29 in ReadImage

Reproducer:
HEAP-input-bmp.c-497-29.BMP
CVE:
CVE-2017-9173

#########################################

==3794==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb79d28c2c9 (pc 0x7fb819bbb8af bp 0x7ffcb8a228d0 sp 0x7ffcb8a228a0 T0)
==3794==The signal is caused by a READ memory access.
    #0 0x7fb819bbb8ae in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:21:23
    #1 0x7fb819be1d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7fb819bd5b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7fb819bcb2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7fb819bc9592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7fb819bbf5df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7fb818c18680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:21:23 in GET_COLOR

Reproducer:
SEGV-color.c-21-23.BMP
CVE:
CVE-2017-9174

#########################################

==6582==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc6edefe800 (pc 0x7fc7f37e70a0 bp 0x7ffcdd383e10 sp 0x7ffcdd383c60 T0)
==6582==The signal is caused by a WRITE memory access.
    #0 0x7fc7f37e709f in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25
    #1 0x7fc7f37e709f in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fc7f386f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fc7f28ca680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25 in ReadImage

Reproducer:
SEGV-input-bmp.c-353-25.BMP
CVE:
CVE-2017-9175

#########################################

==29001==ERROR: AddressSanitizer: SEGV on unknown address 0x602600000064 (pc 0x7f4698d176b5 bp 0x7fff96527e10 sp 0x7fff96527c60 T0)
==29001==The signal is caused by a WRITE memory access.
    #0 0x7f4698d176b4 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25
    #1 0x7f4698d176b4 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f4698d9f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f4697dfa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25 in ReadImage

Reproducer:
SEGV-input-bmp.c-370-25.BMP
CVE:
CVE-2017-9176

#########################################

==6445==ERROR: AddressSanitizer: SEGV on unknown address 0x170344731d00 (pc 0x7f562a18a7ce bp 0x7ffe24662e10 sp 0x7ffe24662c60 T0)
==6445==The signal is caused by a READ memory access.
    #0 0x7f562a18a7cd in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:390:12
    #1 0x7f562a18a7cd in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f562a2142e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f562926f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:390:12 in ReadImage

Reproducer:
SEGV-input-bmp.c-390-12.BMP
CVE:
CVE-2017-9177

#########################################

==6450==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbf9c7ae200 (pc 0x7fbda21ddde7 bp 0x7fffce040e10 sp 0x7fffce040c60 T0)
==6450==The signal is caused by a WRITE memory access.
    #0 0x7fbda21ddde6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:421:11
    #1 0x7fbda21ddde6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fbda22692e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fbda12c4680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:421:11 in ReadImage

Reproducer:
SEGV-input-bmp.c-421-11.BMP
CVE:
CVE-2017-9178

#########################################

==6420==ERROR: AddressSanitizer: SEGV on unknown address 0x114a61dc3b1f (pc 0x7fb614a28dc8 bp 0x7ffc640a6e10 sp 0x7ffc640a6c60 T0)
==6420==The signal is caused by a READ memory access.
    #0 0x7fb614a28dc7 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:425:14
    #1 0x7fb614a28dc7 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fb614ab42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fb613b0f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:425:14 in ReadImage

Reproducer:
SEGV-input-bmp.c-425-14.BMP
CVE:
CVE-2017-9179

#########################################

==6430==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb696759bc7 bp 0x7fffc7440e10 sp 0x7fffc7440c60 T0)
==6430==The signal is caused by a READ memory access.
==6430==Hint: address points to the zero page.
    #0 0x7fb696759bc6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:440:14
    #1 0x7fb696759bc6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fb6967e42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fb69583f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:440:14 in ReadImage

Reproducer:
SEGV-input-bmp.c-440-14.BMP
CVE:
CVE-2017-9180

#########################################

==6799==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe7fa7fe800 (pc 0x7fe90010491c bp 0x7ffef16afe10 sp 0x7ffef16afc60 T0)
==6799==The signal is caused by a WRITE memory access.
    #0 0x7fe90010491b in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c
    #1 0x7fe90010491b in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fe90018d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fe8ff1e8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c in ReadImage

Reproducer:
SEGV-input-bmp.c.BMP
CVE:
CVE-2017-9181

#########################################

==12448==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f428790192a at pc 0x7f428f289946 bp 0x7fffa4721890 sp 0x7fffa4721888
READ of size 1 at 0x7f428790192a thread T0
    #0 0x7f428f289945 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7f428f2afd6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7f428f2a3b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7f428f2992ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7f428f297592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7f428f28d5df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7f428e2e6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7f428790192a is located 298 bytes inside of 33545727-byte region [0x7f4287901800,0x7f42898ff5ff)
freed by thread T0 here:
    #0 0x4cff00 in __interceptor_cfree /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7f428f2041f6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:501:7
    #2 0x7f428f2041f6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f428f28b2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f428e2e6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f428f1ff116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7f428f1ff116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f428f28b2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f428e2e6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR

Reproducer:
UAF-color.c-16-11.BMP
CVE:
CVE-2017-9182

#########################################

input-bmp.c:309:7: runtime error: signed integer overflow: 1676736000 * 3 cannot be represented in type 'int'

Reproducer:
UNDEF-autotrace.c-309-7.BMP
CVE:
CVE-2017-9183

#########################################

input-bmp.c:314:7: runtime error: signed integer overflow: 32776 * 4194305 cannot be represented in type 'int'

Reproducer:
UNDEF-autotrace.c-314-7.BMP
CVE:
CVE-2017-9184

#########################################

input-bmp.c:319:7: runtime error: signed integer overflow: 1379841 * 8445184 cannot be represented in type 'int'

Reproducer:
UNDEF-autotrace.c-319-7.BMP
CVE:
CVE-2017-9185

#########################################

input-bmp.c:326:17: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'

Reproducer:
UNDEF-autotrace.c-326-17.BMP
CVE:
CVE-2017-9186

#########################################

input-bmp.c:486:7: runtime error: signed integer overflow: 1073741827 * 3 cannot be represented in type 'int'

Reproducer:
UNDEF-input-bmp.c-486-7.BMP
CVE:
CVE-2017-9187

#########################################

input-bmp.c:516:63: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'

Reproducer:
UNDEF-input-bmp.c-516-63.BMP
CVE:
CVE-2017-9188

#########################################

==12009==ERROR: AddressSanitizer: unknown-crash on address 0x7fbb91586d21 at pc 0x7fbb91230946 bp 0x7ffe088d8890 sp 0x7ffe088d8888
READ of size 1 at 0x7fbb91586d21 thread T0
    #0 0x7fbb91230945 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7fbb91256d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7fbb9124ab7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7fbb912402ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7fbb9123e592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7fbb912345df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7fbb9028d680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x7fbb91586d21 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR

Reproducer:
UNKNOWN-color.c-16-11.BMP
CVE:
CVE-2017-9189

#########################################

==4658==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x613000000200 in thread T0
    #0 0x4cff00 in __interceptor_cfree /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7fd75068d29e in free_bitmap /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/bitmap.c:24:5
    #2 0x7fd7506a077d in at_bitmap_free /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:203:3
    #3 0x50dd23 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:173:3
    #4 0x7fd74f6fa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x613000000200 is located 48 bytes inside of 538976288-byte region [0x6130000001d0,0x6130202021f0)
==4658==AddressSanitizer CHECK failed: /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.cc:178 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4da09f in AsanCheckFailed /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_rtl.cc:69
    #1 0x4f4e05 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x42875c in GetStackTraceFromId /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.cc:178
    #3 0x42875c in __asan::HeapAddressDescription::Print() const /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.cc:395
    #4 0x42a19b in __asan::AddressDescription::Print(char const*) const /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.h:225
    #5 0x42a19b in __asan::ErrorFreeNotMalloced::Print() /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_errors.cc:148
    #6 0x4d712b in __asan::ErrorDescription::Print() /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_errors.h:374
    #7 0x4d712b in __asan::ScopedInErrorReport::~ScopedInErrorReport() /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_report.cc:169
    #8 0x4d712b in __asan::ReportFreeNotMalloced(unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_report.cc:275
    #9 0x41f46d in __asan::Allocator::ReportInvalidFree(void*, unsigned char, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:617
    #10 0x41f46d in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:507
    #11 0x41f46d in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:560
    #12 0x41f46d in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:773
    #13 0x4cfedc in __interceptor_cfree /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:58
    #14 0x7fd75068d29e in free_bitmap /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/bitmap.c:24:5
    #15 0x7fd7506a077d in at_bitmap_free /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:203:3
    #16 0x50dd23 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:173:3
    #17 0x7fd74f6fa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #18 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Reproducer:
BADFREE-bitmap.c-24-5.TGA
CVE:
CVE-2017-9190

#########################################

==4247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001f0 at pc 0x0000004b97d8 bp 0x7ffc8908ac20 sp 0x7ffc8908a3d0
WRITE of size 4 at 0x6140000001f0 thread T0
    #0 0x4b97d7 in __asan_memcpy /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:453
    #1 0x7f76fde92d68 in rle_fread /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:252:15
    #2 0x7f76fde8f322 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:514:12
    #3 0x7f76fde8f322 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7f76fdf132e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7f76fcf6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x6140000001f0 is located 0 bytes to the right of 432-byte region [0x614000000040,0x6140000001f0)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f76fdf139e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f76fde8f081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7f76fde8f081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7f76fdf132e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7f76fcf6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:453 in __asan_memcpy

Reproducer:
HEAP-input-tga.c-252-15.TGA
CVE:
CVE-2017-9191

#########################################

==3665==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1da8f5803 at pc 0x0000004b9b35 bp 0x7ffcc2ab6cb0 sp 0x7ffcc2ab6460
WRITE of size 2147385265 at 0x7fd1da8f5803 thread T0
    #0 0x4b9b34 in __asan_memset /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:457
    #1 0x7fd1dfe2052e in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:528:7
    #2 0x7fd1dfe2052e in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #3 0x7fd1dfea42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fd1deeff680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fd1da8f5803 is located 0 bytes to the right of 2147188739-byte region [0x7fd15a93d800,0x7fd1da8f5803)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fd1dfea49e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7fd1dfe20081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7fd1dfe20081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7fd1dfea42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7fd1deeff680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_intercept

Reproducer:
HEAP-input-tga.c-528-7.TGA
CVE:
CVE-2017-9192

#########################################

==4277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000ce at pc 0x7f0fd82f5740 bp 0x7fffa1c10cb0 sp 0x7fffa1c10ca8
READ of size 1 at 0x6020000000ce thread T0
    #0 0x7f0fd82f573f in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:538:33
    #1 0x7f0fd82f573f in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #2 0x7f0fd83762e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f0fd73d1680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x6020000000ce is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:538:33 in ReadImage

Reproducer:
HEAP-input-tga.c-538-33.TGA
CVE:
CVE-2017-9193

#########################################

==4417==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6e03dfea81 at pc 0x7f6e09772720 bp 0x7ffc16306cb0 sp 0x7ffc16306ca8
READ of size 1 at 0x7f6e03dfea81 thread T0
    #0 0x7f6e0977271f in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:559:29
    #1 0x7f6e0977271f in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #2 0x7f6e097f32e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f6e0884e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7f6e03dfea81 is located 1 bytes to the right of 122167936-byte region [0x7f6dfc97c800,0x7f6e03dfea80)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f6e097f39e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f6e0976f081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7f6e0976f081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7f6e097f32e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7f6e0884e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:559:29 in ReadImage

Reproducer:
HEAP-input-tga.c-559-29.TGA
CVE:
CVE-2017-9194

#########################################

==4272==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000322 at pc 0x7f119fdf26b8 bp 0x7ffc12807cb0 sp 0x7ffc12807ca8
READ of size 1 at 0x602000000322 thread T0
    #0 0x7f119fdf26b7 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:620:27
    #1 0x7f119fdf26b7 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #2 0x7f119fe732e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f119eece680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x602000000322 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:620:27 in ReadImage

Reproducer:
HEAP-input-tga.c-620-27.TGA
CVE:
CVE-2017-9195

#########################################

==4317==ERROR: AddressSanitizer: negative-size-param: (size=-393212)
    #0 0x4b9c19 in __asan_memset /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:457
    #1 0x7fb89cb5952e in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:528:7
    #2 0x7fb89cb5952e in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #3 0x7fb89cbdd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fb89bc38680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fb81763d800 is located 0 bytes inside of 2147188739-byte region [0x7fb81763d800,0x7fb8975f5803)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fb89cbdd9e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7fb89cb59081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7fb89cb59081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7fb89cbdd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7fb89bc38680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: negative-size-param /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:457 in __asan_memset

Reproducer:
NEGATIVESIZE-input-tga.c-528-7.TGA
CVE:
CVE-2017-9196

#########################################

input-tga.c:498:55: runtime error: signed integer overflow: 1491099865 * 3 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior input-tga.c:498:55 in
input-tga.c:508:18: runtime error: signed integer overflow: 77871 * 57445 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior input-tga.c:508:18 in
input-tga.c:192:19: runtime error: signed integer overflow: 1491099865 * 4 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior input-tga.c:192:19 in
input-tga.c:528:63: runtime error: signed integer overflow: 1491099865 * 4 cannot be represented in type 'int'

Reproducer:
UNDEF-input-tga.c.TGA
CVE:
CVE-2017-9197
CVE-2017-9198
CVE-2017-9199
CVE-2017-9200

#########################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Reproducer:
https://github.com/asarubbo/poc/blob/master/00285-autotrace-multiple-vulnerabilities.tar

Sources:
https://github.com/asarubbo/poc/blob/master/00286-autotrace-sources.tar.xz

Timeline:
2017-04-10: bugs discovered
2017-05-20: blog post about the issues
2017-05-23: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Permalink:

autotrace: multiple vulnerabilities (The autotrace nightmare)

binutils: multiple crashes

Description:
binutils are a collection of binary tools necessary to build programs.

After the post on oss-security from Thuan Pham, I was interested too in fuzzing binutils to see what would happen… Here are the partial results (I didn’t run the fuzzers against all command-line tools):

# readelf -a $FILE
==12002==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x0000005a4f79 bp 0x7ffea5d104d0 sp 0x7ffea5d104c8
READ of size 1 at 0x602000000039 thread T0
    #0 0x5a4f78 in byte_get_little_endian /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22
    #1 0x565bc4 in process_mips_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15190:8
    #2 0x52483a in process_arch_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #3 0x52483a in process_object /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #4 0x50b57c in process_file /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #5 0x50b57c in main /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #6 0x7f2e28f6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f68 in dl_iterate_phdr (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x419f68)

0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)
allocated by thread T0 here:
    #0 0x4cf918 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x50be47 in get_data /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:392:9
    #2 0x565a00 in process_mips_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15169:32
    #3 0x52483a in process_arch_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #4 0x52483a in process_object /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #5 0x50b57c in process_file /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #6 0x50b57c in main /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #7 0x7f2e28f6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 in byte_get_little_endian

Affected version:
2.28
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00258-binutils-readelf-heapoverflow2-byte_get_little_endian
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
CVE:
CVE-2017-9038

###########################################

# readelf -a $FILE
==20389==ERROR: AddressSanitizer failed to allocate 0x18da5b8000 (106742644736) bytes of LargeMmapAllocator (error code: 12)
[...]
==20389==AddressSanitizer CHECK failed: /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
[...]
    #8 0x66216d in xmalloc /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/libiberty/xmalloc.c:148:12
    #9 0x5e32c0 in cmalloc /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/dwarf.c:7450:10
    #10 0x582819 in get_program_headers /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:4761:33
    #11 0x55ab15 in process_program_headers /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:4814:9
    #12 0x52ea4f in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16751:7
    #13 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #14 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #15 0x7f252d57178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x41a158 in getenv (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x41a158)

Affected version:
2.28
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00259-binutils-readelf-memallocfailure
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
CVE:
CVE-2017-9039

###########################################

# readelf -a $FILE
==25206==WARNING: AddressSanitizer failed to allocate 0x40000000000070 bytes
==25206==AddressSanitizer's allocator is terminating the process instead of returning 0
==25206==If you don't like this behavior set allocator_may_return_null=1
==25206==AddressSanitizer CHECK failed: /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/sanitizer_common/sanitizer_allocator.cc:221 "((0)) != (0)" (0x0, 0x0)
[...]
    #6 0x66dcfd in xmalloc /tmp/portage/sys-devel/binutils-9999/work/binutils/libiberty/xmalloc.c:147:12
    #7 0x5e5a20 in cmalloc /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/dwarf.c:8259:10
    #8 0x5d2865 in process_mips_specific /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:15373:34
    #9 0x54ac16 in process_arch_specific /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:17449:14
    #10 0x54ac16 in process_object /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:17672
    #11 0x5167f8 in process_file /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:18055:13
    #12 0x5167f8 in main /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:18127
    #13 0x7fca769b578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #14 0x41a088 in getenv (/usr/x86_64-pc-linux-gnu/binutils-bin/git/readelf+0x41a088)

Affected version:
master after commit 82156ab704b08b124d319c0decdbd48b3ca2dac5 which fixed the bug above
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00272-binutils-memallocfailure
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
CVE:
CVE-2017-9040

###########################################

# readelf -a $FILE
==20287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x00000064c061 bp 0x7ffcc34b2580 sp 0x7ffcc34b2578
READ of size 1 at 0x602000000039 thread T0
    #0 0x64c060 in byte_get_little_endian /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22
    #1 0x5d31c5 in process_mips_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15190:8
    #2 0x549e1d in process_arch_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #3 0x549e1d in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #4 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #5 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #6 0x7fa5fc60b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41a158 in getenv (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x41a158)

0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)
allocated by thread T0 here:
    #0 0x4d9828 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x518af2 in get_data /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:392:9
    #2 0x5d2ee2 in process_mips_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15169:32
    #3 0x549e1d in process_arch_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #4 0x549e1d in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #5 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #6 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #7 0x7fa5fc60b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 in byte_get_little_endian

Affected version:
2.28
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00258-binutils-readelf-heapoverflow2-byte_get_little_endian
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
CVE:
CVE-2017-9041

###########################################

# readelf -a $FILE
/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:9447:39: runtime error: signed integer overflow: 7443 - -9223372036854775080 cannot be represented in type 'long'

Affected version:
master at 2017-04-12 (dunno about other versions)
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00275-binutils-signintoverflow
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
CVE:
CVE-2017-9042

###########################################

# readelf -a $FILE
/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:16941:18: runtime error: shift exponent 64 is too large for 64-bit type 'unsigned long'

Affected version:
master at 2017-04-12 (dunno about other versions)
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00274-binutils-shifttoolarge
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54
CVE:
CVE-2017-9043

###########################################

# readelf -a $FILE
==7569==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000005ca9f5 bp 0x7ffcef629b70 sp 0x7ffcef629b20 T0)
==7569==The signal is caused by a READ memory access.
==7569==Hint: address points to the zero page.
    #0 0x5ca9f4 in print_symbol_for_build_attribute /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:16671:16
    #1 0x5c2d08 in process_note /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c
    #2 0x5bc388 in process_notes_at /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:17232:13
    #3 0x5bbc82 in process_corefile_note_segments /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:17262:8
    #4 0x548d86 in process_object /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c
    #5 0x5167f8 in process_file /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:18055:13
    #6 0x5167f8 in main /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:18127
    #7 0x7f8ede38078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a088 in getenv (/usr/x86_64-pc-linux-gnu/binutils-bin/git/readelf+0x41a088)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/readelf.c:16671:16 in print_symbol_for_build_attribute
==7569==ABORTING

Affected version:
master at 2017-04-12 (dunno about other versions)
Fixed version:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00273-binutils-NULLptr-print_symbol_for_build_attribute
Commit fix:
N/A, seems to be fixed by one of the previous commits.
CVE:
CVE-2017-9044

###########################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-04-01: first bug discovered and reported to upstream
2017-05-12: blog post about the issue
2017-05-18: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Permalink:

binutils: multiple crashes

lrzip: use-after-free in read_stream (stream.c)

Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
==4026==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100000dd00 at pc 0x0000004bccc5 bp 0x7ffcf3b4d9f0 sp 0x7ffcf3b4d1a0
READ of size 1 at 0x62100000dd00 thread T0
    #0 0x4bccc4 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x53cff6 in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1747:4
    #2 0x5307fc in read_vchars /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:79:6
    #3 0x5307fc in unzip_match /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:208
    #4 0x5307fc in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:329
    #5 0x5307fc in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #6 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #7 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #8 0x7f743a5d278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x41abf8 in _init (/usr/bin/lrzip+0x41abf8)

0x62100000dd00 is located 0 bytes inside of 4096-byte region [0x62100000dd00,0x62100000ed00)
freed by thread T0 here:
    #0 0x4d3660 in free /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
    #1 0x53d186 in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1574:3
    #2 0x53d186 in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #3 0x5307fc in read_vchars /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:79:6
    #4 0x5307fc in unzip_match /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:208
    #5 0x5307fc in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:329
    #6 0x5307fc in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #9 0x7f743a5d278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T1 here:
    #0 0x4d39b8 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x54b0d7 in lzma_decompress_buf /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:546:20
    #2 0x54b0d7 in ucompthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1522
    #3 0x7f743b36e4a3 in start_thread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333

Thread T1 created by T0 here:
    #0 0x42d49d in pthread_create /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x53e70f in create_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6
    #2 0x53e70f in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673
    #3 0x53e70f in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #4 0x5303e3 in read_u8 /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:55:6
    #5 0x5303e3 in read_header /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:144
    #6 0x5303e3 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:314
    #7 0x5303e3 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #8 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #9 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #10 0x7f743a5d278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c427fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff9ba0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff9bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff9bc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff9bd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff9be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff9bf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4026==ABORTING

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8846

Reproducer:
https://github.com/asarubbo/poc/blob/master/00233-lrzip-UAF-read_stream

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue
2017-05-08: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

lrzip: use-after-free in read_stream (stream.c)

lrzip: heap-based buffer overflow write in read_1g (stream.c)

Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
==25584==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef33 at pc 0x00000045246e bp 0x7ffd881d4970 sp 0x7ffd881d4120
WRITE of size 8 at 0x60200000ef33 thread T0
    #0 0x45246d in read /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765
    #1 0x537ce1 in read_1g /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:731:9
    #2 0x53e349 in read_buf /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:774:8
    #3 0x53e349 in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1648
    #4 0x53e349 in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #5 0x5307fc in read_vchars /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:79:6
    #6 0x5307fc in unzip_match /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:208
    #7 0x5307fc in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:329
    #8 0x5307fc in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #9 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #10 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #11 0x7f02ed48f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x41abf8 in _init (/usr/bin/lrzip+0x41abf8)

0x60200000ef33 is located 0 bytes to the right of 3-byte region [0x60200000ef30,0x60200000ef33)
allocated by thread T0 here:
    #0 0x4d39b8 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x53e2ab in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1643:10
    #2 0x53e2ab in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #3 0x5307fc in read_vchars /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:79:6
    #4 0x5307fc in unzip_match /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:208
    #5 0x5307fc in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:329
    #6 0x5307fc in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #9 0x7f02ed48f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765 in read
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa[03]fa fa fa fd fd fa fa fd fa
  0x0c047fff9df0: fa fa fd fd fa fa 04 fa fa fa 03 fa fa fa 05 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25584==ABORTING

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8844

Reproducer:
https://github.com/asarubbo/poc/blob/master/00232-lrzip-heapoverflow-read_1g

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue
2017-05-08: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

lrzip: heap-based buffer overflow write in read_1g (stream.c)

lrzip: invalid memory read in lzo_decompress_buf (stream.c)

Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
==3311==ERROR: AddressSanitizer: SEGV on unknown address 0x602000010000 (pc 0x7f75cabe8834 bp 0x62100002c11f sp 0x7f7085ab4d78 T5)
==3311==The signal is caused by a READ memory access.
    #0 0x7f75cabe8833 in lzo1x_decompress /tmp/portage/dev-libs/lzo-2.08/work/lzo-2.08/src/lzo1x_d.ch:108
    #1 0x54af2f in lzo_decompress_buf /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:590:10
    #2 0x54af2f in ucompthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1525
    #3 0x7f75ca2944a3 in start_thread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333
    #4 0x7f75c95bf66c in clone /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/lzo-2.08/work/lzo-2.08/src/lzo1x_d.ch:108 in lzo1x_decompress
Thread T5 created by T0 here:
    #0 0x42d49d in pthread_create /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x53e70f in create_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6
    #2 0x53e70f in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673
    #3 0x53e70f in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #4 0x531075 in unzip_literal /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16
    #5 0x531075 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320
    #6 0x531075 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #9 0x7f75c94f878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

Dunno wtf decompression type to use!
==3311==AddressSanitizer: while reporting a bug found another one. Ignoring.
Fatal error - exiting

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8845

Reproducer:
https://github.com/asarubbo/poc/blob/master/00230-lrzip-invalidread-lzo1x_decompress

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue
2017-05-08: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


lrzip: NULL pointer dereference in join_pthread (stream.c)

Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
==1329==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002d0 (pc 0x7fa931ad7660 bp 0x7ffff4a30c30 sp 0x7ffff4a309f8 T0)
==1329==The signal is caused by a READ memory access.
==1329==Hint: address points to the zero page.
    #0 0x7fa931ad765f  /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_join.c:34
    #1 0x53ee0d in join_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:147:6
    #2 0x53ee0d in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1697
    #3 0x53ee0d in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #4 0x531075 in unzip_literal /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16
    #5 0x531075 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320
    #6 0x531075 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #9 0x7fa930d3a78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x41abf8 in _init (/usr/bin/lrzip+0x41abf8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_join.c:34 
==1329==ABORTING

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8843

Reproducer:
https://github.com/asarubbo/poc/blob/master/00231-lrzip-nullptr-join_pthread

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue
2017-05-08: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
