{"id":423,"date":"2016-08-08T16:15:07","date_gmt":"2016-08-08T14:15:07","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=423"},"modified":"2016-10-16T11:18:24","modified_gmt":"2016-10-16T09:18:24","slug":"potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/08\/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c\/","title":{"rendered":"potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/potrace.sourceforge.net\/\">potrace<\/a> is a utility that transforms bitmaps into vector graphics.<\/p>\n<p>A crafted images (bmp) revealed, through a fuzz testing, the presence of SIX heap-based buffer overflow.<\/p>\n<p>To avoid to make the post much long, I splitted the ASan output to leave only the relevant trace.<\/p>\n<pre><font size=\"2\">==13565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000a2fc at pc 0x0000004f370a bp 0x7ffd81d22f90 sp 0x7ffd81d22f88\r\nREAD of size 4 at 0x61100000a2fc thread T0\r\n    #0 0x4f3709 in bm_readbody_bmp \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:717:4\r\n    #1 0x4f3709 in bm_read \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:129\r\n    #2 0x4e6377 in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1056:9\r\n    #3 0x4e0e08 in main \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1212:7\r\n    #4 0x7f9a1c8f4aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #5 0x435f56 in _start (\/usr\/bin\/potrace+0x435f56)\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:717 bm_readbody_bmp\r\n\r\n\r\n==13663==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe4 at pc 0x0000004f3729 bp 0x7fff07737d30 sp 0x7fff07737d28\r\nREAD of size 4 at 0x60200000efe4 thread T0\r\n    #0 0x4f3728 in bm_readbody_bmp \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:651:11\r\n    #1 0x4f3728 in bm_read \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:129\r\n    #2 0x4e6377 in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1056:9\r\n    #3 0x4e0e08 in main \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1212:7\r\n    #4 0x7f3adde99aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #5 0x435f56 in _start (\/usr\/bin\/potrace+0x435f56)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:651 bm_readbody_bmp\r\n\r\n\r\n==13618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000f00c at pc 0x0000004f37a9 bp 0x7ffc33e306b0 sp 0x7ffc33e306a8\r\nREAD of size 4 at 0x60300000f00c thread T0\r\n    #0 0x4f37a8 in bm_readbody_bmp \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:652:11\r\n    #1 0x4f37a8 in bm_read \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:129\r\n    #2 0x4e6377 in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1056:9\r\n    #3 0x4e0e08 in main \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1212:7\r\n    #4 0x7f20147f7aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #5 0x435f56 in _start (\/usr\/bin\/potrace+0x435f56)\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:652 bm_readbody_bmp\r\n\r\n\r\n==13624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe8 at pc 0x0000004f382a bp 0x7fff60b8bed0 sp 0x7fff60b8bec8\r\nREAD of size 4 at 0x60200000efe8 thread T0\r\n    #0 0x4f3829 in bm_readbody_bmp \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:690:4\r\n    #1 0x4f3829 in bm_read \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:129                                                                                       \r\n    #2 0x4e6377 in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1056:9                                                                                    \r\n    #3 0x4e0e08 in main \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1212:7                                                                                            \r\n    #4 0x7f35633d5aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289                                                                        \r\n    #5 0x435f56 in _start (\/usr\/bin\/potrace+0x435f56)                                                                                                                                          \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:690 bm_readbody_bmp                                                  \r\n                                                                                                                                                                                               \r\n                                                                                                                                                                                               \r\n==13572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f018 at pc 0x0000004f38d5 bp 0x7ffc994b68d0 sp 0x7ffc994b68c8                                                      \r\nREAD of size 4 at 0x60200000f018 thread T0                                                                                                                                                     \r\n    #0 0x4f38d4 in bm_readbody_bmp \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:744:4                                                                             \r\n    #1 0x4f38d4 in bm_read \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:129\r\n    #2 0x4e6377 in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1056:9\r\n    #3 0x4e0e08 in main \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1212:7\r\n    #4 0x7f11b6253aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #5 0x435f56 in _start (\/usr\/bin\/potrace+0x435f56)\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:744 bm_readbody_bmp\r\n\r\n\r\n==13753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efe8 at pc 0x0000004f3948 bp 0x7fff4f6df6b0 sp 0x7fff4f6df6a8\r\nREAD of size 4 at 0x60200000efe8 thread T0\r\n    #0 0x4f3947 in bm_readbody_bmp \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:601:2\r\n    #1 0x4f3947 in bm_read \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:129\r\n    #2 0x4e6377 in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1056:9\r\n    #3 0x4e0e08 in main \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/main.c:1212:7\r\n    #4 0x7f26d3d28aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #5 0x435f56 in _start (\/usr\/bin\/potrace+0x435f56)\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/potrace-1.12\/work\/potrace-1.12\/src\/bitmap_io.c:601 bm_readbody_bmp\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.12<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.13<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nThere is no public git\/svn repository, If you need the single patches, feel free to ask.<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8698<br \/>\nCVE-2016-8699<br \/>\nCVE-2016-8700<br \/>\nCVE-2016-8701<br \/>\nCVE-2016-8702<br \/>\nCVE-2016-8703<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2015-07-04: bug discovered<br \/>\n2015-07-05: bug reported privately to upstream<br \/>\n2015-10-22: upstream realeased 1.13<br \/>\n2016-08-08: blog post about the issue<br \/>\n2016-10-16: CVE Assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"3wVrTbRdFC\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/08\/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c\/\">potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/08\/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c\/embed\/#?secret=3wVrTbRdFC\" data-secret=\"3wVrTbRdFC\" width=\"600\" height=\"338\" title=\"&#8220;potrace: multiple(six) heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: potrace is a utility that transforms bitmaps into vector graphics. A crafted images (bmp) revealed, through a fuzz testing, the presence of SIX heap-based buffer overflow. To avoid to make the post much long, I splitted the ASan output &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/08\/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-6P","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/423"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=423"}],"version-history":[{"count":9,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/423\/revisions"}],"predecessor-version":[{"id":698,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/423\/revisions\/698"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}