oss-sec mailing list archives

potrace: invalid memory access in findnext (decompose.c)


From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 08 Oct 2016 22:29:54 +0200

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted image revealed, through fuzz testing, the presence of an invalid
memory access.

The complete ASan output:

# potrace $FILE
potrace: warning: 48.crashes: premature end of file
ASAN:DEADLYSIGNAL
=================================================================
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:478
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/potracelib.c:76:7
    #3 0x4fea6e in process_file /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1102:10
    #4 0x4f872b in main /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1250:7
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
==13940==ABORTING

Affected version:
1.13

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-26: bug discovered
2016-08-27: bug reported privately to upstream
2016-08-29: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/
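The ASan output above is one crash file out of an AFL run, and a campaign like this one usually yields many crash files that must be deduplicated before anything is reported upstream. The script below is an added example, not part of this advisory and not potrace's own code: it parses an ASan report and buckets crashes by fault type and the first in-project frames, keyed on file:line rather than on function names, because frames #1 and #6 of the trace above are visibly mis-symbolized as getenv. The trace is the one from this advisory (each frame on one line); the second report is constructed by hand to mimic a rerun of the same input with a different PID and address, and the project path marker "potrace-1.13/src/" is an assumption taken from the build path in the trace.

```python
"""Bucket AddressSanitizer crash reports by fault type and top in-project frame."""
import re
from collections import defaultdict

# Sample input: the ASan trace from the advisory, one frame per line.
# Frames #1 and #6 really are reported as "getenv" in that output, which is
# why the bucket key below uses file:line and never the function name.
ADVISORY_TRACE = """\
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:478
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/potracelib.c:76:7
    #3 0x4fea6e in process_file /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1102:10
    #4 0x4f872b in main /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1250:7
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
==13940==ABORTING
"""

# Constructed rerun of the same crash: different PID and fault address (ASLR),
# same bug.  A key that included addresses or PIDs would wrongly split these.
SAME_CRASH_RERUN = (ADVISORY_TRACE.replace("13940", "20117")
                                  .replace("0x7fd7b865b800", "0x7f11a03c2800"))

# Assumed marker for "this frame is in the project's own sources"; taken from
# the build path in the trace.  Adjust for your own build tree.
PROJECT_MARKER = "potrace-1.13/src/"

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
LOC_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")


def parse_frames(report):
    """Return [(index, function, location)] for every stack frame line."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames


def split_location(loc):
    """'path:line[:col]' -> (path, line); unsymbolized '(bin+off)' -> (loc, None)."""
    m = LOC_RE.match(loc)
    if m:
        return m.group(1), int(m.group(2))
    return loc, None


def bucket_key(report, project_marker=PROJECT_MARKER, depth=1):
    """Fault type plus the first `depth` in-project frames as file:line.

    Frames outside the project (libc, unsymbolized) are skipped so the same
    bug is bucketed together regardless of the runtime frames around it.
    """
    m = ERROR_RE.search(report)
    fault = m.group(1) if m else "UNKNOWN"
    sites = []
    for _idx, _func, loc in parse_frames(report):
        path, line = split_location(loc)
        if line is None or project_marker not in path:
            continue
        sites.append(f"{path.split(project_marker, 1)[1]}:{line}")
        if len(sites) == depth:
            break
    return fault + "|" + (">".join(sites) if sites else "no-project-frame")


def group_reports(reports, project_marker=PROJECT_MARKER, depth=1):
    """Map bucket key -> list of crash names; one bucket per distinct crash."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        buckets[bucket_key(text, project_marker, depth)].append(name)
    return dict(buckets)


if __name__ == "__main__":
    crashes = {"48.crashes": ADVISORY_TRACE, "51.crashes": SAME_CRASH_RERUN}
    for key, names in group_reports(crashes, depth=3).items():
        print(key, names)
```

Run it over a directory of AFL crash files fed through the ASan build one at a time, capturing stderr per file into `reports`; raising `depth` separates crashes that share a top frame but arrive through different callers, which is usually what you want before filing separate reports.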
