{"id":1631,"date":"2017-05-20T15:33:12","date_gmt":"2017-05-20T13:33:12","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1631"},"modified":"2017-05-23T10:18:08","modified_gmt":"2017-05-23T08:18:08","slug":"autotrace-multiple-vulnerabilities-the-autotrace-nightmare","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/20\/autotrace-multiple-vulnerabilities-the-autotrace-nightmare\/","title":{"rendered":"autotrace: multiple vulnerabilities (The autotrace nightmare)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"\">autotrace<\/a> is a program for converting bitmaps to vector graphics.<\/p>\n<p>Some time ago I tried to fuzz autotrace, but the first attempt resulted in a crash-by-default so I was unable to complete the task. See <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/10\/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c\/\">CVE-2016-7392 &#8211; autotrace: heap-based buffer overflow in pstoedit_suffix_table_init (output-pstoedit.c)<\/a> for more information.<br \/>\nSome days ago I noticed that the Debian team patched the mentioned issue (you can blame them for what you will see below \ud83d\ude00), so I took the patch and I started the job. I&#8217;m sure there are duplicates, or better to say, issues that have the same root cause. 
But for completeness I&#8217;m providing all stacktraces\/testcases.<br \/>\nSince we applied several patches, I&#8217;m providing the tarball as well, to verify the lines where the faults happen.<br \/>\nThere are enough issues to kill the package from each repository since the latest upstream release was about 15 years ago.<\/p>\n<p>Some details, to avoid repeating them multiple times:<br \/>\n&#8211; reproducible with: autotrace $FILE<br \/>\n&#8211; affected version: 0.31.1<br \/>\n&#8211; Fixed version: N\/A<br \/>\n&#8211; Commit fix: N\/A<\/p>\n<pre><font size=\"2\">==27066==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7f42e63f224f bp 0x7ffe8cc02b70 sp 0x7ffe8cc02b68\r\nWRITE of size 1 at 0x602000000071 thread T0\r\n    #0 0x7f42e63f224e in pnm_load_ascii \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:303:12\r\n    #1 0x7f42e63edfaf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #2 0x7f42e64842e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f42e54df680 in __libc_start_main 
\/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7f42e64849e1 in at_bitmap_init \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7f42e63eded4 in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:239:12\r\n    #3 0x7f42e64842e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f42e54df680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:303:12 in pnm_load_ascii\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-pnm.c-303-12.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9151<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==15561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000008e at pc 0x7ff8acddc761 bp 0x7ffcd65a9bf0 sp 0x7ffcd65a9be8\r\nREAD of size 1 at 0x60300000008e thread T0\r\n    #0 0x7ff8acddc760 in pnm_load_raw \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:346:41\r\n    #1 0x7ff8acdd5faf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #2 0x7ff8ace6c2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7ff8abec7680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x60300000008e is located 0 bytes to the right of 30-byte region [0x603000000070,0x60300000008e)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7ff8ace6c9e1 in at_bitmap_init 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7ff8acdd5ed4 in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:239:12\r\n    #3 0x7ff8ace6c2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7ff8abec7680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:346:41 in pnm_load_raw\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-pnm.c-346-41.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9152<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==11769==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000005ba at pc 0x7f1540eec0d1 bp 0x7ffc27a48c20 sp 0x7ffc27a48c18\r\nWRITE of size 1 at 0x6160000005ba thread T0\r\n    #0 0x7f1540eec0d0 in pnm_load_rawpbm \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:391:13\r\n    #1 0x7f1540ee6faf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #2 0x7f1540f7d2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f153ffd8680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x6160000005ba is located 0 bytes to the right of 570-byte region 
[0x616000000380,0x6160000005ba)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7f1540f7d9e1 in at_bitmap_init \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7f1540ee6ed4 in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:239:12\r\n    #3 0x7f1540f7d2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f153ffd8680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:391:13 in pnm_load_rawpbm\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-pnm.c-391-13.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9153<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==15741==ERROR: AddressSanitizer: SEGV on unknown address 0x7fabc702e804 (pc 0x7fabcc84c7bb bp 0x7ffd2d0598d0 sp 0x7ffd2d0598a0 T0)\r\n==15741==The signal is caused by a READ memory access.\r\n    #0 0x7fabcc84c7ba in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11\r\n    #1 0x7fabcc872d6c in is_outline_edge \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:606:8\r\n    #2 0x7fabcc866b7d in next_point \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:875:16\r\n    #3 0x7fabcc85c2ef in find_one_outline \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:232:13\r\n    #4 0x7fabcc85a592 in 
find_outline_pixels \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:136:25\r\n    #5 0x7fabcc8505df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #6 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #7 0x7fabcb8a9680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-color.c.16-11.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9154<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==10703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9d7f436fad bp 0x7ffff7bfce10 sp 0x7ffff7bfccc0 T0)\r\n==10703==The signal is caused by a READ memory access.\r\n==10703==Hint: address points to the zero page.\r\n    #0 0x7f9d7f436fac in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #1 0x7f9d7f4cd2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #2 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #3 0x7f9d7e528680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #4 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3 in 
input_pnm_reader\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-pnm.c-243-3.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9155<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==11174==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d831eb74b bp 0x7ffc4e65fcb0 sp 0x7ffc4e65fb80 T0)\r\n==11174==The signal is caused by a WRITE memory access.\r\n==11174==Hint: address points to the zero page.\r\n    #0 0x7f6d831eb74a in pnm_load_ascii \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:303:12\r\n    #1 0x7f6d831e7faf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #2 0x7f6d8327e2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f6d822d9680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:303:12 in pnm_load_ascii\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-pnm.c-303-12.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9156<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==28602==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f48c4e62a5d bp 0x7ffd95ea1cb0 sp 0x7ffd95ea1b80 T0)\r\n==28602==The signal is caused by a WRITE memory access.\r\n==28602==Hint: address points to the zero page.\r\n    #0 0x7f48c4e62a5c in pnm_load_ascii \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:306:14\r\n    #1 
0x7f48c4e5efaf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #2 0x7f48c4ef52e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f48c3f50680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:306:14 in pnm_load_ascii\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-pnm.c-306-14.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9157<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==28887==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f743bc8b10e bp 0x00000000000f sp 0x7ffeef5b4b98 T0)\r\n==28887==The signal is caused by a WRITE memory access.\r\n==28887==Hint: address points to the zero page.\r\n    #0 0x7f743bc8b10d  \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/string\/..\/sysdeps\/x86_64\/memcpy.S:71\r\n    #1 0x7f743bc79ebd in __GI__IO_file_xsgetn \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/libio\/fileops.c:1392\r\n    #2 0x7f743bc6f20f in fread \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/libio\/iofread.c:38\r\n    #3 0x7f743cb3e505 in pnm_load_raw \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:336:11\r\n    #4 0x7f743cb37faf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #5 0x7f743cbce2e9 in at_bitmap_read 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #6 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #7 0x7f743bc29680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/string\/..\/sysdeps\/x86_64\/memcpy.S:71\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-pnm.c-336-11.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9158<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==12246==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4ffc714627 bp 0x7ffcb0118cb0 sp 0x7ffcb0118c30 T0)\r\n==12246==The signal is caused by a WRITE memory access.\r\n==12246==Hint: address points to the zero page.\r\n    #0 0x7f4ffc714626 in pnm_load_rawpbm \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:391:15\r\n    #1 0x7f4ffc70ffaf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #2 0x7f4ffc7a62e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f4ffb801680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:391:15 in 
pnm_load_rawpbm\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-pnm.c-391-15.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9159<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==23827==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0793e00620 at pc 0x7f0798f0581a bp 0x7fff2523daf0 sp 0x7fff2523dae8\r\nWRITE of size 1 at 0x7f0793e00620 thread T0\r\n    #0 0x7f0798f05819 in pnmscanner_gettoken \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:458:12\r\n    #1 0x7f0798f0713e in pnm_load_ascii \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:294:5\r\n    #2 0x7f0798f03faf in input_pnm_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:243:3\r\n    #3 0x7f0798f9a2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f0797ff5680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddress 0x7f0793e00620 is located in stack of thread T0 at offset 544 in frame\r\n    #0 0x7f0798f05e9f in pnm_load_ascii \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:263\r\n\r\n  This frame has 1 object(s):\r\n    [32, 544) 'buf' &lt;== Memory access at offset 544 overflows this variable\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n      (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-pnm.c:458:12 in pnmscanner_gettoken\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br 
\/>\nSTACK-input-pnm.c-458-12.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9160<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">autotrace.c:188:23: runtime error: signed integer overflow: 46486 * 46485 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-autotrace.c-188-23.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9161<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">autotrace.c:191:2: runtime error: signed integer overflow: 65535 * 65529 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-autotrace.c-191-2.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9162<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">pxl-outline.c:106:54: runtime error: signed integer overflow: 65535 * 53531 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-pxl-outline.c-106-54.PBM<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9163<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==1166==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000880c at pc 0x7f9aa579b946 bp 0x7ffca93d7890 sp 0x7ffca93d7888\r\nREAD of size 1 at 0x62d00000880c thread T0\r\n    #0 0x7f9aa579b945 in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11\r\n    #1 0x7f9aa57c1d6c in is_outline_edge \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:606:8\r\n    #2 0x7f9aa57b5b7d in next_point \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:875:16\r\n    #3 0x7f9aa57ab2ef in find_one_outline \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:232:13\r\n    #4 0x7f9aa57a9592 in find_outline_pixels 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:136:25\r\n    #5 0x7f9aa579f5df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #6 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #7 0x7f9aa47f8680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x62d00000880c is located 8 bytes to the right of 33796-byte region [0x62d000000400,0x62d000008804)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7f9aa5711116 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:319:7\r\n    #2 0x7f9aa5711116 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7f9aa579d2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f9aa47f8680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-color.c-16-11.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9164<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6460==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7fea3aae195b bp 0x7ffe69932b70 sp 0x7ffe69932b68\r\nREAD of size 1 
at 0x602000000071 thread T0\r\n    #0 0x7fea3aae195a in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:17:11\r\n    #1 0x7fea3aaef153 in find_outline_pixels \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:125:19\r\n    #2 0x7fea3aae55df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #3 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #4 0x7fea39b3e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7fea3aa57116 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:319:7\r\n    #2 0x7fea3aa57116 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7fea3aae32e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7fea39b3e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:17:11 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-color.c-17-11.BMP<br \/>\n<strong>CVE:<\/strong><br 
\/>\nCVE-2017-9165<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==9854==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000d81 at pc 0x7f66a5a2e971 bp 0x7ffd049fb890 sp 0x7ffd049fb888\r\nREAD of size 1 at 0x61f000000d81 thread T0\r\n    #0 0x7f66a5a2e970 in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:18:11\r\n    #1 0x7f66a5a54d6c in is_outline_edge \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:606:8\r\n    #2 0x7f66a5a48fd2 in next_point \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:836:16\r\n    #3 0x7f66a5a3e2ef in find_one_outline \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:232:13\r\n    #4 0x7f66a5a3c592 in find_outline_pixels \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:136:25\r\n    #5 0x7f66a5a325df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #6 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #7 0x7f66a4a8b680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x61f000000d81 is located 0 bytes to the right of 3329-byte region [0x61f000000080,0x61f000000d81)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7f66a59a4116 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:319:7\r\n    #2 0x7f66a59a4116 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7f66a5a302e9 in at_bitmap_read 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f66a4a8b680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:18:11 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-color.c-18-11.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9166<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7ff19cd36604 bp 0x7fff53b20c50 sp 0x7fff53b20c48\r\nWRITE of size 1 at 0x60200000006d thread T0\r\n    #0 0x7ff19cd36603 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:337:25\r\n    #1 0x7ff19cd36603 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7ff19cdbd2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7ff19be18680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7ff19cd30fc1 in ReadImage 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:309:7\r\n    #2 0x7ff19cd30fc1 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7ff19cdbd2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7ff19be18680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:337:25 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-337-25.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9167<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==1216==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7fbacd3ae631 bp 0x7ffdb62cfc50 sp 0x7ffdb62cfc48\r\nWRITE of size 1 at 0x60200000006d thread T0\r\n    #0 0x7fbacd3ae630 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:353:25\r\n    #1 0x7fbacd3ae630 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fbacd4352e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fbacc490680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)\r\nallocated by 
thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7fbacd3a8fc1 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:309:7\r\n    #2 0x7fbacd3a8fc1 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7fbacd4352e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7fbacc490680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:353:25 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-353-25.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9168<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000068 at pc 0x7f9f33109651 bp 0x7fff2313dc50 sp 0x7fff2313dc48\r\nWRITE of size 1 at 0x607000000068 thread T0\r\n    #0 0x7f9f33109650 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:355:25\r\n    #1 0x7f9f33109650 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7f9f331902e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f9f321eb680 in __libc_start_main 
\/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x607000000068 is located 0 bytes to the right of 72-byte region [0x607000000020,0x607000000068)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7f9f3318eb13 in at_fitting_opts_new \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:51:3\r\n    #2 0x509455 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:82:24\r\n    #3 0x7f9f321eb680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:355:25 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-355-25.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9169<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6415==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7f53cbb18669 bp 0x7ffd2e82ac50 sp 0x7ffd2e82ac48\r\nWRITE of size 1 at 0x60200000006d thread T0\r\n    #0 0x7f53cbb18668 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:370:25\r\n    #1 0x7f53cbb18668 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7f53cbb9f2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f53cabfa680 in __libc_start_main 
\/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7f53cbb12fc1 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:309:7\r\n    #2 0x7f53cbb12fc1 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7f53cbb9f2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f53cabfa680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:370:25 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-370-25.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9170<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6455==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb7800fe801 at pc 0x7fb7848c85c7 bp 0x7ffc39b0ec50 sp 0x7ffc39b0ec48\r\nREAD of size 1 at 0x7fb7800fe801 thread T0\r\n    #0 0x7fb7848c85c6 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:492:24\r\n    #1 0x7fb7848c85c6 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fb78494f2e9 in at_bitmap_read 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fb7839aa680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x7fb7800fe801 is located 0 bytes to the right of 655361-byte region [0x7fb78005e800,0x7fb7800fe801)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7fb7848c3116 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:319:7\r\n    #2 0x7fb7848c3116 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7fb78494f2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7fb7839aa680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:492:24 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-492-24.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9171<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x7f80c1d6e5e7 bp 0x7ffd0fd20c50 sp 0x7ffd0fd20c48\r\nWRITE of size 1 at 0x6020000000b1 thread T0\r\n    #0 0x7f80c1d6e5e6 in ReadImage 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:496:29\r\n    #1 0x7f80c1d6e5e6 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7f80c1df52e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f80c0e50680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7f80c1d6da41 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:486:7\r\n    #2 0x7f80c1d6da41 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7f80c1df52e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f80c0e50680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:496:29 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-496-29.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9172<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6562==ERROR: 
AddressSanitizer: heap-buffer-overflow on address 0x7fe5db1fc800 at pc 0x7fe637b9d5f7 bp 0x7ffcd7777c50 sp 0x7ffcd7777c48\r\nWRITE of size 1 at 0x7fe5db1fc800 thread T0\r\n    #0 0x7fe637b9d5f6 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:497:29\r\n    #1 0x7fe637b9d5f6 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fe637c242e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fe636c7f680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x7fe5db1fc800 is located 0 bytes to the right of 83898368-byte region [0x7fe5d61f9800,0x7fe5db1fc800)\r\nallocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7fe637b9ca41 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:486:7\r\n    #2 0x7fe637b9ca41 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7fe637c242e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7fe636c7f680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:497:29 in 
ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-bmp.c-497-29.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9173<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==3794==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb79d28c2c9 (pc 0x7fb819bbb8af bp 0x7ffcb8a228d0 sp 0x7ffcb8a228a0 T0)\r\n==3794==The signal is caused by a READ memory access.\r\n    #0 0x7fb819bbb8ae in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:21:23\r\n    #1 0x7fb819be1d6c in is_outline_edge \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:606:8\r\n    #2 0x7fb819bd5b7d in next_point \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:875:16\r\n    #3 0x7fb819bcb2ef in find_one_outline \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:232:13\r\n    #4 0x7fb819bc9592 in find_outline_pixels \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:136:25\r\n    #5 0x7fb819bbf5df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #6 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #7 0x7fb818c18680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:21:23 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-color.c-21-23.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9174<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6582==ERROR: AddressSanitizer: SEGV on unknown 
address 0x7fc6edefe800 (pc 0x7fc7f37e70a0 bp 0x7ffcdd383e10 sp 0x7ffcdd383c60 T0)\r\n==6582==The signal is caused by a WRITE memory access.\r\n    #0 0x7fc7f37e709f in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:353:25\r\n    #1 0x7fc7f37e709f in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fc7f386f2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fc7f28ca680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:353:25 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c-353-25.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9175<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==29001==ERROR: AddressSanitizer: SEGV on unknown address 0x602600000064 (pc 0x7f4698d176b5 bp 0x7fff96527e10 sp 0x7fff96527c60 T0)\r\n==29001==The signal is caused by a WRITE memory access.\r\n    #0 0x7f4698d176b4 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:370:25\r\n    #1 0x7f4698d176b4 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7f4698d9f2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f4697dfa680 in 
__libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:370:25 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c-370-25.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9176<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6445==ERROR: AddressSanitizer: SEGV on unknown address 0x170344731d00 (pc 0x7f562a18a7ce bp 0x7ffe24662e10 sp 0x7ffe24662c60 T0)\r\n==6445==The signal is caused by a READ memory access.\r\n    #0 0x7f562a18a7cd in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:390:12\r\n    #1 0x7f562a18a7cd in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7f562a2142e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f562926f680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:390:12 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c-390-12.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9177<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6450==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbf9c7ae200 (pc 0x7fbda21ddde7 bp 
0x7fffce040e10 sp 0x7fffce040c60 T0)\r\n==6450==The signal is caused by a WRITE memory access.\r\n    #0 0x7fbda21ddde6 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:421:11\r\n    #1 0x7fbda21ddde6 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fbda22692e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fbda12c4680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:421:11 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c-421-11.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9178<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6420==ERROR: AddressSanitizer: SEGV on unknown address 0x114a61dc3b1f (pc 0x7fb614a28dc8 bp 0x7ffc640a6e10 sp 0x7ffc640a6c60 T0)\r\n==6420==The signal is caused by a READ memory access.\r\n    #0 0x7fb614a28dc7 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:425:14\r\n    #1 0x7fb614a28dc7 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fb614ab42e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fb613b0f680 in __libc_start_main 
\/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:425:14 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c-425-14.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9179<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6430==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb696759bc7 bp 0x7fffc7440e10 sp 0x7fffc7440c60 T0)\r\n==6430==The signal is caused by a READ memory access.\r\n==6430==Hint: address points to the zero page.\r\n    #0 0x7fb696759bc6 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:440:14\r\n    #1 0x7fb696759bc6 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fb6967e42e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fb69583f680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:440:14 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c-440-14.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9180<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==6799==ERROR: AddressSanitizer: SEGV on unknown address 
0x7fe7fa7fe800 (pc 0x7fe90010491c bp 0x7ffef16afe10 sp 0x7ffef16afc60 T0)\r\n==6799==The signal is caused by a WRITE memory access.\r\n    #0 0x7fe90010491b in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c\r\n    #1 0x7fe90010491b in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #2 0x7fe90018d2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7fe8ff1e8680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nSEGV-input-bmp.c.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9181<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==12448==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f428790192a at pc 0x7f428f289946 bp 0x7fffa4721890 sp 0x7fffa4721888\r\nREAD of size 1 at 0x7f428790192a thread T0\r\n    #0 0x7f428f289945 in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11\r\n    #1 0x7f428f2afd6c in is_outline_edge \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:606:8\r\n    #2 0x7f428f2a3b7d in next_point \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:875:16\r\n    #3 0x7f428f2992ef in find_one_outline \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:232:13\r\n    #4 0x7f428f297592 in find_outline_pixels 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:136:25\r\n    #5 0x7f428f28d5df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #6 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #7 0x7f428e2e6680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x7f428790192a is located 298 bytes inside of 33545727-byte region [0x7f4287901800,0x7f42898ff5ff)\r\nfreed by thread T0 here:\r\n    #0 0x4cff00 in __interceptor_cfree \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:55\r\n    #1 0x7f428f2041f6 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:501:7\r\n    #2 0x7f428f2041f6 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7f428f28b2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f428e2e6680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\npreviously allocated by thread T0 here:\r\n    #0 0x4d00b8 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7f428f1ff116 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:319:7\r\n    #2 0x7f428f1ff116 in input_bmp_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-bmp.c:241\r\n    #3 0x7f428f28b2e9 in at_bitmap_read 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7f428e2e6680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUAF-color.c-16-11.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9182<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-bmp.c:309:7: runtime error: signed integer overflow: 1676736000 * 3 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-autotrace.c-309-7.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9183<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-bmp.c:314:7: runtime error: signed integer overflow: 32776 * 4194305 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-autotrace.c-314-7.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9184<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-bmp.c:319:7: runtime error: signed integer overflow: 1379841 * 8445184 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-autotrace.c-319-7.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9185<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-bmp.c:326:17: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-autotrace.c-326-17.BMP<br \/>\n<strong>CVE:<\/strong><br 
\/>\nCVE-2017-9186<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-bmp.c:486:7: runtime error: signed integer overflow: 1073741827 * 3 cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-input-bmp.c-486-7.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9187<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-bmp.c:516:63: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-input-bmp.c-516-63.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9188<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==12009==ERROR: AddressSanitizer: unknown-crash on address 0x7fbb91586d21 at pc 0x7fbb91230946 bp 0x7ffe088d8890 sp 0x7ffe088d8888\r\nREAD of size 1 at 0x7fbb91586d21 thread T0\r\n    #0 0x7fbb91230945 in GET_COLOR \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11\r\n    #1 0x7fbb91256d6c in is_outline_edge \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:606:8\r\n    #2 0x7fbb9124ab7d in next_point \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:875:16\r\n    #3 0x7fbb912402ef in find_one_outline \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:232:13\r\n    #4 0x7fbb9123e592 in find_outline_pixels \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/pxl-outline.c:136:25\r\n    #5 0x7fbb912345df in at_splines_new_full \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:314:14\r\n    #6 0x50dad0 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:147:13\r\n    #7 0x7fbb9028d680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 
0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddress 0x7fbb91586d21 is a wild pointer.\r\nSUMMARY: AddressSanitizer: unknown-crash \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/color.c:16:11 in GET_COLOR\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNKNOWN-color.c-16-11.BMP<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9189<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==4658==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x613000000200 in thread T0\r\n    #0 0x4cff00 in __interceptor_cfree \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:55\r\n    #1 0x7fd75068d29e in free_bitmap \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/bitmap.c:24:5\r\n    #2 0x7fd7506a077d in at_bitmap_free \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:203:3\r\n    #3 0x50dd23 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:173:3\r\n    #4 0x7fd74f6fa680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x613000000200 is located 48 bytes inside of 538976288-byte region [0x6130000001d0,0x6130202021f0)\r\n==4658==AddressSanitizer CHECK failed:
\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_descriptions.cc:178 \"((res.trace)) != (0)\" (0x0, 0x0)\r\n    #0 0x4da09f in AsanCheckFailed \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_rtl.cc:69\r\n    #1 0x4f4e05 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/sanitizer_common\/sanitizer_termination.cc:79\r\n    #2 0x42875c in GetStackTraceFromId \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_descriptions.cc:178\r\n    #3 0x42875c in __asan::HeapAddressDescription::Print() const \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_descriptions.cc:395\r\n    #4 0x42a19b in __asan::AddressDescription::Print(char const*) const \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_descriptions.h:225\r\n    #5 0x42a19b in __asan::ErrorFreeNotMalloced::Print() \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_errors.cc:148\r\n    #6 0x4d712b in __asan::ErrorDescription::Print() \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_errors.h:374\r\n    #7 0x4d712b in __asan::ScopedInErrorReport::~ScopedInErrorReport() \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_report.cc:169\r\n    #8 0x4d712b in __asan::ReportFreeNotMalloced(unsigned long, __sanitizer::BufferedStackTrace*)
\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_report.cc:275\r\n    #9 0x41f46d in __asan::Allocator::ReportInvalidFree(void*, unsigned char, __sanitizer::BufferedStackTrace*) \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_allocator.cc:617\r\n    #10 0x41f46d in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_allocator.cc:507\r\n    #11 0x41f46d in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_allocator.cc:560\r\n    #12 0x41f46d in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_allocator.cc:773\r\n    #13 0x4cfedc in __interceptor_cfree \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:58\r\n    #14 0x7fd75068d29e in free_bitmap \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/bitmap.c:24:5\r\n    #15 0x7fd7506a077d in at_bitmap_free \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:203:3\r\n    #16 0x50dd23 in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:173:3\r\n    #17 0x7fd74f6fa680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #18 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nBADFREE-bitmap.c-24-5.TGA<br \/>\n<strong>CVE:<\/strong><br 
\/>\nCVE-2017-9190<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==4247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001f0 at pc 0x0000004b97d8 bp 0x7ffc8908ac20 sp 0x7ffc8908a3d0\r\nWRITE of size 4 at 0x6140000001f0 thread T0\r\n    #0 0x4b97d7 in __asan_memcpy \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_interceptors.cc:453\r\n    #1 0x7f76fde92d68 in rle_fread \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:252:15\r\n    #2 0x7f76fde8f322 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:514:12\r\n    #3 0x7f76fde8f322 in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #4 0x7f76fdf132e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #5 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #6 0x7f76fcf6e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #7 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x6140000001f0 is located 0 bytes to the right of 432-byte region [0x614000000040,0x6140000001f0)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7f76fdf139e1 in at_bitmap_init \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7f76fde8f081 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:490:11\r\n    #3 0x7f76fde8f081 in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #4 0x7f76fdf132e9 in at_bitmap_read 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #5 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #6 0x7f76fcf6e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_interceptors.cc:453 in __asan_memcpy\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-tga.c-252-15.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9191<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==3665==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1da8f5803 at pc 0x0000004b9b35 bp 0x7ffcc2ab6cb0 sp 0x7ffcc2ab6460\r\nWRITE of size 2147385265 at 0x7fd1da8f5803 thread T0\r\n    #0 0x4b9b34 in __asan_memset \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_interceptors.cc:457\r\n    #1 0x7fd1dfe2052e in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:528:7\r\n    #2 0x7fd1dfe2052e in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #3 0x7fd1dfea42e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7fd1deeff680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x7fd1da8f5803 is located 0 bytes to the right of 2147188739-byte region [0x7fd15a93d800,0x7fd1da8f5803)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc 
\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7fd1dfea49e1 in at_bitmap_init \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7fd1dfe20081 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:490:11\r\n    #3 0x7fd1dfe20081 in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #4 0x7fd1dfea42e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #5 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #6 0x7fd1deeff680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_intercept\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-tga.c-528-7.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9192<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==4277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000ce at pc 0x7f0fd82f5740 bp 0x7fffa1c10cb0 sp 0x7fffa1c10ca8             \r\nREAD of size 1 at 0x6020000000ce thread T0                                                                                                           \r\n    #0 0x7f0fd82f573f in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:538:33                               \r\n    #1 0x7f0fd82f573f in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157                           \r\n    #2 0x7f0fd83762e9 in at_bitmap_read 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13                          \r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16                                               \r\n    #4 0x7f0fd73d1680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                           \r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)                                                                                               \r\n                                                                                                                                                     \r\nAddress 0x6020000000ce is a wild pointer.                                                                                                            \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:538:33 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-tga.c-538-33.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9193<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==4417==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6e03dfea81 at pc 0x7f6e09772720 bp 0x7ffc16306cb0 sp 0x7ffc16306ca8\r\nREAD of size 1 at 0x7f6e03dfea81 thread T0\r\n    #0 0x7f6e0977271f in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:559:29\r\n    #1 0x7f6e0977271f in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #2 0x7f6e097f32e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f6e0884e680 in 
__libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x7f6e03dfea81 is located 1 bytes to the right of 122167936-byte region [0x7f6dfc97c800,0x7f6e03dfea80)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7f6e097f39e1 in at_bitmap_init \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7f6e0976f081 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:490:11\r\n    #3 0x7f6e0976f081 in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #4 0x7f6e097f32e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #5 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #6 0x7f6e0884e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:559:29 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-tga.c-559-29.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9194<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==4272==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000322 at pc 0x7f119fdf26b8 bp 0x7ffc12807cb0 sp 0x7ffc12807ca8\r\nREAD of size 1 at 0x602000000322 thread T0\r\n    #0 0x7f119fdf26b7 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:620:27\r\n    #1 0x7f119fdf26b7 in input_tga_reader 
\/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #2 0x7f119fe732e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #3 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #4 0x7f119eece680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\nAddress 0x602000000322 is a wild pointer.\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:620:27 in ReadImage\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nHEAP-input-tga.c-620-27.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9195<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">==4317==ERROR: AddressSanitizer: negative-size-param: (size=-393212)\r\n    #0 0x4b9c19 in __asan_memset \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_interceptors.cc:457\r\n    #1 0x7fb89cb5952e in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:528:7\r\n    #2 0x7fb89cb5952e in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #3 0x7fb89cbdd2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #4 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #5 0x7fb89bc38680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x41a708 in _init (\/usr\/bin\/autotrace+0x41a708)\r\n\r\n0x7fb81763d800 is located 0 bytes inside of 2147188739-byte region 
[0x7fb81763d800,0x7fb8975f5803)\r\nallocated by thread T0 here:\r\n    #0 0x4d02b0 in calloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:74\r\n    #1 0x7fb89cbdd9e1 in at_bitmap_init \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:191:2\r\n    #2 0x7fb89cb59081 in ReadImage \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:490:11\r\n    #3 0x7fb89cb59081 in input_tga_reader \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/input-tga.c:157\r\n    #4 0x7fb89cbdd2e9 in at_bitmap_read \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/autotrace.c:142:13\r\n    #5 0x50da1e in main \/tmp\/portage\/media-gfx\/autotrace-0.31.1-r8\/work\/autotrace-0.31.1\/main.c:133:16\r\n    #6 0x7fb89bc38680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: negative-size-param \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_interceptors.cc:457 in __asan_memset\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nNEGATIVESIZE-input-tga.c-528-7.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9196<\/p>\n<p>#########################################<\/p>\n<pre><font size=\"2\">input-tga.c:498:55: runtime error: signed integer overflow: 1491099865 * 3 cannot be represented in type 'int'                                       \r\nSUMMARY: AddressSanitizer: undefined-behavior input-tga.c:498:55 in                                                                                  \r\ninput-tga.c:508:18: runtime error: signed integer overflow: 77871 * 57445 cannot be represented in type 'int'                                        \r\nSUMMARY: AddressSanitizer: undefined-behavior input-tga.c:508:18 in                                                               
                   \r\ninput-tga.c:192:19: runtime error: signed integer overflow: 1491099865 * 4 cannot be represented in type 'int'                                       \r\nSUMMARY: AddressSanitizer: undefined-behavior input-tga.c:192:19 in                                                                                  \r\ninput-tga.c:528:63: runtime error: signed integer overflow: 1491099865 * 4 cannot be represented in type 'int' \r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\nUNDEF-input-tga.c.TGA<br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2017-9197<br \/>\nCVE-2017-9198<br \/>\nCVE-2017-9199<br \/>\nCVE-2017-9200<\/p>\n<p>#########################################<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00285-autotrace-multiple-vulnerabilities.tar\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00285-autotrace-multiple-vulnerabilities.tar<\/a><\/p>\n<p><strong>Sources:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00286-autotrace-sources.tar.xz\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00286-autotrace-sources.tar.xz<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-04-10: bugs discovered<br \/>\n2017-05-20: blog post about the issues<br \/>\n2017-05-23: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThese bugs were found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"2HxuXdlYKc\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/05\/20\/autotrace-multiple-vulnerabilities-the-autotrace-nightmare\/\">autotrace: multiple vulnerabilities (The autotrace nightmare)<\/a><\/p><\/blockquote>\n
","protected":false},"excerpt":{"rendered":"<p>Description: autotrace is a program for converting bitmaps to vector graphics. Time ago I tried to fuzz autotrace, but the first attempt resulted in a crash-by-default so I was unable to complete the task. See CVE-2016-7392 &#8211; autotrace: heap-based buffer &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/20\/autotrace-multiple-vulnerabilities-the-autotrace-nightmare\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-qj","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1631"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1631"}],"version-history":[{"count":8,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1631\/revisions"}],"predecessor-ver
sion":[{"id":1846,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1631\/revisions\/1846"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}