{"id":1408,"date":"2017-03-03T13:07:28","date_gmt":"2017-03-03T11:07:28","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1408"},"modified":"2017-03-26T15:22:45","modified_gmt":"2017-03-26T13:22:45","slug":"potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/03\/potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698\/","title":{"rendered":"potrace: heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c) (incomplete fix for CVE-2016-8698)"},"content":{"rendered":"

Description<\/strong>:
\npotrace<\/a> is a utility that transforms bitmaps into vector graphics.<\/p>\n

A fuzz on 1.14 showed that an overflow previously reported as CVE-2016-8698 was not really fixed. Since there isn’t a public git repository, I uploaded the patch on my ‘poc’ repository on github. The patch was sent from the upstream maintainer, Mr. Peter Selinger.<\/p>\n

The complete ASan output:<\/p>\n

# potrace $FILE\r\n==7325==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000051dc51 bp 0x7ffc766b1a30 sp 0x7ffc766b1a28\r\nREAD of size 8 at 0x60200000efd0 thread T0\r\n    #0 0x51dc50 in bm_readbody_bmp \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/bitmap_io.c:754:4\r\n    #1 0x51dc50 in bm_read \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/bitmap_io.c:138\r\n    #2 0x510a45 in process_file \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/main.c:1058:9\r\n    #3 0x50dd56 in main \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/main.c:1214:7\r\n    #4 0x7f6c7333e78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x419b68 in getenv (\/usr\/bin\/potrace+0x419b68)\r\n\r\n0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)\r\nallocated by thread T0 here:\r\n    #0 0x4d2b25 in calloc \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:72\r\n    #1 0x519776 in bm_new \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/bitmap.h:121:30\r\n    #2 0x519776 in bm_readbody_bmp \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/bitmap_io.c:574\r\n    #3 0x519776 in bm_read \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/bitmap_io.c:138\r\n    #4 0x510a45 in process_file \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/main.c:1058:9\r\n    #5 0x50dd56 in main \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/main.c:1214:7\r\n    #6 0x7f6c7333e78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/potrace-1.14\/work\/potrace-1.14\/src\/bitmap_io.c:754:4 in bm_readbody_bmp\r\nShadow bytes around the buggy address:\r\n  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 04 fa\r\n  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==7325==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n1.14<\/p>\n
Fixed version:<\/strong>
\n1.15<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00219-potrace-heapoverflow-bm_readbody_bmp-PATCH<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2017-7263<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00210-potrace-heapoverflow-bm_readbody_bmp<\/a><\/p>\n
Timeline:<\/strong>
\n2017-02-26: bug discovered and reported to upstream
\n2017-02-28: upstream released a patch
\n2017-03-03: blog post about the issue
\n2017-03-26: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
potrace: heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c) (incomplete fix for CVE-2016-8698)<\/a><\/p><\/blockquote>\n