{"id":465,"date":"2016-08-29T19:13:31","date_gmt":"2016-08-29T17:13:31","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=465"},"modified":"2017-02-20T10:07:45","modified_gmt":"2017-02-20T08:07:45","slug":"potrace-invalid-memory-access-in-findnext-decompose-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-invalid-memory-access-in-findnext-decompose-c\/","title":{"rendered":"potrace: invalid memory access in findnext (decompose.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/potrace.sourceforge.net\/\">potrace<\/a> is a utility that transforms bitmaps into vector graphics.<\/p>\n<p>A crafted image revealed, through a fuzz testing, the presence of a invalid memory access.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># potrace $FILE\r\npotrace: warning: 48.crashes: premature end of file                                                                                                                                            \r\nASAN:DEADLYSIGNAL                                                                                                                                                                              \r\n=================================================================                                                                                                                              \r\n==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)                                                            \r\n    #0 0x7fd7ec5bcbf3 in findnext \/var\/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/decompose.c:436:11                                                                             \r\n    #1 0x7fd7ec5bcbf3 in getenv \/var\/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/decompose.c:478                                                                                  \r\n    #2 0x7fd7ec5c3ed9 in potrace_trace \/var\/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/potracelib.c:76:7                                                                         \r\n    #3 0x4fea6e in process_file \/var\/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/main.c:1102:10                                                                                   \r\n    #4 0x4f872b in main \/var\/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/main.c:1250:7                                                                                            \r\n    #5 0x7fd7eb4d961f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                        \r\n    #6 0x418fc8 in getenv (\/usr\/bin\/potrace+0x418fc8)                                                                                                                                          \r\n                                                                                                                                                                                               \r\nAddressSanitizer can not provide additional info.                                                                                                                                              \r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/decompose.c:436:11 in findnext                                                                   \r\n==13940==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.13<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.14<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"http:\/\/potrace.sourceforge.net\/patches\/potrace-1.13-CVE-2016-8685.patch\">http:\/\/potrace.sourceforge.net\/patches\/potrace-1.13-CVE-2016-8685.patch<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8685<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-26: bug discovered<br \/>\n2016-08-27: bug reported privately to upstream<br \/>\n2016-08-29: blog post about the issue<br \/>\n2016-10-16: CVE Assigned<br \/>\n2017-02-14: upstream released a patch<br \/>\n2017-02-20: upstream released 1.14<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"4P3qhXr9LQ\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-invalid-memory-access-in-findnext-decompose-c\/\">potrace: invalid memory access in findnext (decompose.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-invalid-memory-access-in-findnext-decompose-c\/embed\/#?secret=4P3qhXr9LQ\" data-secret=\"4P3qhXr9LQ\" width=\"600\" height=\"338\" title=\"&#8220;potrace: invalid memory access in findnext (decompose.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: potrace is a utility that transforms bitmaps into vector graphics. A crafted image revealed, through a fuzz testing, the presence of a invalid memory access. The complete ASan output: # potrace $FILE potrace: warning: 48.crashes: premature end of file &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-invalid-memory-access-in-findnext-decompose-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-7v","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/465"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=465"}],"version-history":[{"count":10,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/465\/revisions"}],"predecessor-version":[{"id":1356,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/465\/revisions\/1356"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}