graphicsmagick: memory allocation failure in ReadPCXImage (pcx.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 08 Oct 2016 22:22:22 +0200
Description:
Graphicsmagick is an Image Processing System.
After the first round of fuzzing where I discovered some slowness issues that
make the fuzz hard, the second round revealed a memory allocation failure.
The complete ASan output:
# gm identify $FILE
==10139==ERROR: AddressSanitizer failed to allocate 0x4cd6a6000 (20626169856) bytes of LargeMmapAllocator (error code: 12)
==10139==Process memory map follows:
==10139==End of process memory map.
==10139==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4c973d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
#1 0x4d0273 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
#2 0x4d0461 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
#3 0x4d949a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
#4 0x42182f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
#5 0x42182f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> , __sanitizer::LargeMmapAllocator ::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> *, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
#6 0x42182f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
#7 0x42182f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
#8 0x4bfe01 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
#9 0x7ff8e887beba in ReadPCXImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/pcx.c:467:16
#10 0x7ff8f34a4c4e in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1607:13
#11 0x7ff8f34a4294 in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1370:9
#12 0x7ff8f33f5836 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8375:17
#13 0x7ff8f33f9e23 in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8865:17
#14 0x7ff8f344fc3e in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17379:10
#15 0x7ff8f344e5d1 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17432:16
#16 0x7ff8f235461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#17 0x4188d8 in _init (/usr/bin/gm+0x4188d8)
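An added example, not GraphicsMagick's code and not the upstream commit (the report links the fix but does not show it): the kind of header-driven size guard a PCX decoder needs before the malloc in ReadPCXImage seen at frame #9, so that oversized dimensions are rejected instead of being turned into a 20 GB request. Header offsets follow the ZSoft PCX specification; the limit value, the constructed header and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not GraphicsMagick code and not the upstream fix: size the
 * PCX pixel buffer from the 128-byte header and reject it when it would
 * exceed a caller-chosen limit, instead of handing the product to malloc. */
#define PCX_HEADER_SIZE 128

static uint16_t rd16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Bytes needed for the decoded pixel data, or 0 when the header is malformed
 * or the buffer would exceed `limit`. Compare via division so the size
 * arithmetic itself cannot overflow on any size_t width. */
size_t pcx_pixel_bytes(const unsigned char *hdr, size_t len, size_t limit)
{
    if (len < PCX_HEADER_SIZE || hdr[0] != 0x0A)   /* ZSoft manufacturer byte */
        return 0;
    uint16_t xmin = rd16le(hdr + 4), ymin = rd16le(hdr + 6);
    uint16_t xmax = rd16le(hdr + 8), ymax = rd16le(hdr + 10);
    unsigned planes = hdr[65];                     /* colour planes */
    unsigned bytes_per_line = rd16le(hdr + 66);    /* per plane, per row */
    if (xmax < xmin || ymax < ymin || planes == 0 || bytes_per_line == 0)
        return 0;
    size_t rows = (size_t)(ymax - ymin) + 1;
    size_t scanline = (size_t)bytes_per_line * planes;  /* <= 65535*255 */
    if (scanline > limit / rows)                   /* scanline*rows > limit */
        return 0;
    return scanline * rows;
}

/* Build a constructed header (xmin = ymin = 0, 8 bpp, RLE) and run the check,
 * so a normal file and a hostile one can be exercised without a disk image. */
size_t pcx_check_dims(uint16_t xmax, uint16_t ymax, uint8_t planes,
                      uint16_t bytes_per_line, size_t limit)
{
    unsigned char hdr[PCX_HEADER_SIZE];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0x0A; hdr[1] = 5; hdr[2] = 1; hdr[3] = 8;
    hdr[8]  = (unsigned char)(xmax & 0xFF); hdr[9]  = (unsigned char)(xmax >> 8);
    hdr[10] = (unsigned char)(ymax & 0xFF); hdr[11] = (unsigned char)(ymax >> 8);
    hdr[65] = planes;
    hdr[66] = (unsigned char)(bytes_per_line & 0xFF);
    hdr[67] = (unsigned char)(bytes_per_line >> 8);
    return pcx_pixel_bytes(hdr, sizeof hdr, limit);
}
```

A 640x480 single-plane image passes with a 256 MiB budget, while a header claiming 65536 rows of 255 planes at 65535 bytes per line is refused before any allocation happens.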
Affected version:
1.3.25
Fixed version:
1.3.26 (not yet released)
Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b9edafd479b9
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Timeline:
2016-09-09: bug discovered
2016-09-09: bug reported privately to upstream
2016-09-10: no upstream response
2016-09-15: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-memory-allocation-failure-in-readpcximage-pcx-c/