{"id":469,"date":"2016-08-29T19:23:52","date_gmt":"2016-08-29T17:23:52","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=469"},"modified":"2017-02-20T10:08:21","modified_gmt":"2017-02-20T08:08:21","slug":"potrace-memory-allocation-failure","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-memory-allocation-failure\/","title":{"rendered":"potrace: memory allocation failure in bm_new (bitmap.h)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/potrace.sourceforge.net\/\">potrace<\/a> is a utility that transforms bitmaps into vector graphics.<\/p>\n<p>A crafted image, found through fuzz testing, causes the memory allocation to fail.<\/p>\n<p>Asan stacktrace:<\/p>\n<pre><font size=\"2\"># potrace $FILE\r\n==19351==ERROR: AddressSanitizer failed to allocate 0x200003000 (8589946880) bytes of LargeMmapAllocator (error code: 12)\r\n==19351==Process memory map follows:\r\n        0x000000400000-0x00000056d000   \/usr\/bin\/potrace\r\n        0x00000076c000-0x00000076d000   \/usr\/bin\/potrace\r\n        0x00000076d000-0x000000778000   \/usr\/bin\/potrace\r\n        0x000000778000-0x000001401000\r\n        0x00007fff7000-0x00008fff7000\r\n        0x00008fff7000-0x02008fff7000\r\n        0x02008fff7000-0x10007fff8000\r\n        0x600000000000-0x602000000000\r\n        0x602000000000-0x602000010000\r\n        0x602000010000-0x603000000000\r\n        0x603000000000-0x603000010000\r\n        0x603000010000-0x607000000000\r\n        0x607000000000-0x607000010000\r\n        0x607000010000-0x616000000000\r\n        0x616000000000-0x616000020000\r\n        0x616000020000-0x619000000000\r\n        0x619000000000-0x619000020000\r\n        0x619000020000-0x640000000000\r\n        0x640000000000-0x640000003000\r\n        0x7f1674c00000-0x7f1674d00000\r\n        0x7f1674e00000-0x7f1674f00000\r\n        0x7f1674fea000-0x7f167733c000\r\n        0x7f167733c000-0x7f16774cf000   \/lib64\/libc-2.22.so\r\n       
 0x7f16774cf000-0x7f16776cf000   \/lib64\/libc-2.22.so\r\n        0x7f16776cf000-0x7f16776d3000   \/lib64\/libc-2.22.so\r\n        0x7f16776d3000-0x7f16776d5000   \/lib64\/libc-2.22.so\r\n        0x7f16776d5000-0x7f16776d9000\r\n        0x7f16776d9000-0x7f16776ef000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f16776ef000-0x7f16778ee000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f16778ee000-0x7f16778ef000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f16778ef000-0x7f16778f0000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f16778f0000-0x7f16778f2000   \/lib64\/libdl-2.22.so\r\n        0x7f16778f2000-0x7f1677af2000   \/lib64\/libdl-2.22.so\r\n        0x7f1677af2000-0x7f1677af3000   \/lib64\/libdl-2.22.so\r\n        0x7f1677af3000-0x7f1677af4000   \/lib64\/libdl-2.22.so\r\n        0x7f1677af4000-0x7f1677afa000   \/lib64\/librt-2.22.so\r\n        0x7f1677afa000-0x7f1677cfa000   \/lib64\/librt-2.22.so\r\n        0x7f1677cfa000-0x7f1677cfb000   \/lib64\/librt-2.22.so\r\n        0x7f1677cfb000-0x7f1677cfc000   \/lib64\/librt-2.22.so\r\n        0x7f1677cfc000-0x7f1677d13000   \/lib64\/libpthread-2.22.so\r\n        0x7f1677d13000-0x7f1677f12000   \/lib64\/libpthread-2.22.so\r\n        0x7f1677f12000-0x7f1677f13000   \/lib64\/libpthread-2.22.so\r\n        0x7f1677f13000-0x7f1677f14000   \/lib64\/libpthread-2.22.so\r\n        0x7f1677f14000-0x7f1677f18000\r\n        0x7f1677f18000-0x7f1677f2d000   \/lib64\/libz.so.1.2.8\r\n        0x7f1677f2d000-0x7f167812c000   \/lib64\/libz.so.1.2.8\r\n        0x7f167812c000-0x7f167812d000   \/lib64\/libz.so.1.2.8\r\n        0x7f167812d000-0x7f167812e000   \/lib64\/libz.so.1.2.8\r\n        0x7f167812e000-0x7f167822b000   \/lib64\/libm-2.22.so\r\n        0x7f167822b000-0x7f167842a000   \/lib64\/libm-2.22.so\r\n        0x7f167842a000-0x7f167842b000   \/lib64\/libm-2.22.so\r\n        0x7f167842b000-0x7f167842c000   
\/lib64\/libm-2.22.so\r\n        0x7f167842c000-0x7f1678443000   \/usr\/lib64\/libpotrace.so.0.0.3\r\n        0x7f1678443000-0x7f1678642000   \/usr\/lib64\/libpotrace.so.0.0.3\r\n        0x7f1678642000-0x7f1678643000   \/usr\/lib64\/libpotrace.so.0.0.3\r\n        0x7f1678643000-0x7f1678644000   \/usr\/lib64\/libpotrace.so.0.0.3\r\n        0x7f1678644000-0x7f1678666000   \/lib64\/ld-2.22.so\r\n        0x7f16787fd000-0x7f167885a000\r\n        0x7f167885a000-0x7f1678865000\r\n        0x7f1678865000-0x7f1678866000   \/lib64\/ld-2.22.so\r\n        0x7f1678866000-0x7f1678867000   \/lib64\/ld-2.22.so\r\n        0x7f1678867000-0x7f1678868000\r\n        0x7fffd7a71000-0x7fffd7a92000   [stack]\r\n        0x7fffd7aa4000-0x7fffd7aa6000   [vvar]\r\n        0x7fffd7aa6000-0x7fffd7aa8000   [vdso]\r\n        0xffffffffff600000-0xffffffffff601000   [vsyscall]\r\n==19351==End of process memory map.\r\n==19351==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183 \"((0 &amp;&amp; \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n    #0 0x4c9f1d in AsanCheckFailed \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_rtl.cc:67\r\n    #1 0x4d0a53 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:159\r\n    #2 0x4d0c41 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183\r\n    #3 0x4d9c7a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) 
\/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_posix.cc:122\r\n    #4 0x42200f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1033\r\n    #5 0x42200f in __sanitizer::CombinedAllocator&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt;, __sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt; &gt;, __sanitizer::LargeMmapAllocator &gt;::Allocate(__sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt; &gt;*, unsigned long, unsigned long, bool, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1302\r\n    #6 0x42200f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:368\r\n    #7 0x42200f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:718\r\n    #8 0x4c05e1 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:53\r\n    #9 0x500bcb in bm_new \/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/bitmap.h:76:30\r\n    #10 0x500bcb in 
bm_readbody_bmp \/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/bitmap_io.c:559\r\n    #11 0x500bcb in bm_read \/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/bitmap_io.c:133\r\n    #12 0x4f8608 in process_file \/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/main.c:1058:9\r\n    #13 0x4f5904 in main \/tmp\/portage\/media-gfx\/potrace-1.13\/work\/potrace-1.13\/src\/main.c:1214:7\r\n    #14 0x7f167735c61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #15 0x4190b8 in getenv (\/usr\/bin\/potrace+0x4190b8)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.13<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.14<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8686<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-26: bug discovered<br \/>\n2016-08-27: bug reported privately to upstream<br \/>\n2016-08-29: blog post about the issue<br \/>\n2016-10-16: CVE Assigned<br \/>\n2016-10-21: Added correct stacktrace<br \/>\n2017-02-20: upstream released 1.14<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"DChJslmRIe\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-memory-allocation-failure\/\">potrace: memory allocation failure in bm_new (bitmap.h)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-memory-allocation-failure\/embed\/#?secret=DChJslmRIe\" data-secret=\"DChJslmRIe\" width=\"600\" 
height=\"338\" title=\"&#8220;potrace: memory allocation failure in bm_new (bitmap.h)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: potrace is a utility that transforms bitmaps into vector graphics. A crafted image, found through fuzz testing, causes the memory allocation to fail. Asan stacktrace: # potrace $FILE ==19351==ERROR: AddressSanitizer failed to allocate 0x200003000 (8589946880) bytes of LargeMmapAllocator (error &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/29\/potrace-memory-allocation-failure\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-7z","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/469"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=469"}],"version-history":[{"count":8,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/469\/revisions"}],"predecessor-version":[{"id":1357,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/469\/revisions\/1357"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=469"}],"wp:term":[{"t
axonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}