On GraphicsMagick 1.3.26 2017-07-04 Q8, an allocation failure vulnerability (an attacker-controlled allocation size) was found in the function ReadMNGImage.
==124737==ERROR: AddressSanitizer failed to allocate 0xff002000 (4278198272) bytes of LargeMmapAllocator (error code: 12)
==124737==Process memory map follows:
0x000000400000-0x0000012e3000 /home/test/Downloads/GM-afl-build/bin/gm
0x0000014e2000-0x0000014e5000 /home/test/Downloads/GM-afl-build/bin/gm
0x0000014e5000-0x000001608000 /home/test/Downloads/GM-afl-build/bin/gm
0x000001608000-0x00000228f000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x602e00000000
0x602e00000000-0x602e00010000
0x602e00010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x603e00000000
0x603e00000000-0x603e00010000
0x603e00010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x604e00000000
0x604e00000000-0x604e00010000
0x604e00010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x606e00000000
0x606e00000000-0x606e00010000
0x606e00010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x607e00000000
0x607e00000000-0x607e00010000
0x607e00010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x608e00000000
0x608e00000000-0x608e00010000
0x608e00010000-0x60a000000000
0x60a000000000-0x60a000010000
0x60a000010000-0x60ae00000000
0x60ae00000000-0x60ae00010000
0x60ae00010000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60be00000000
0x60be00000000-0x60be00010000
0x60be00010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x60ce00000000
0x60ce00000000-0x60ce00010000
0x60ce00010000-0x60f000000000
0x60f000000000-0x60f000010000
0x60f000010000-0x60fe00000000
0x60fe00000000-0x60fe00010000
0x60fe00010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x610e00000000
0x610e00000000-0x610e00010000
0x610e00010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x611e00000000
0x611e00000000-0x611e00010000
0x611e00010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x612e00000000
0x612e00000000-0x612e00010000
0x612e00010000-0x614000000000
0x614000000000-0x614000010000
0x614000010000-0x614e00000000
0x614e00000000-0x614e00010000
0x614e00010000-0x616000000000
0x616000000000-0x616000010000
0x616000010000-0x616e00000000
0x616e00000000-0x616e00010000
0x616e00010000-0x618000000000
0x618000000000-0x618000010000
0x618000010000-0x618e00000000
0x618e00000000-0x618e00010000
0x618e00010000-0x619000000000
0x619000000000-0x619000010000
0x619000010000-0x619e00000000
0x619e00000000-0x619e00010000
0x619e00010000-0x61a000000000
0x61a000000000-0x61a000010000
0x61a000010000-0x61ae00000000
0x61ae00000000-0x61ae00010000
0x61ae00010000-0x61e000000000
0x61e000000000-0x61e000010000
0x61e000010000-0x61ee00000000
0x61ee00000000-0x61ee00010000
0x61ee00010000-0x621000000000
0x621000000000-0x621000010000
0x621000010000-0x621e00000000
0x621e00000000-0x621e00010000
0x621e00010000-0x623000000000
0x623000000000-0x623000010000
0x623000010000-0x623e00000000
0x623e00000000-0x623e00010000
0x623e00010000-0x624000000000
0x624000000000-0x624000010000
0x624000010000-0x624e00000000
0x624e00000000-0x624e00010000
0x624e00010000-0x625000000000
0x625000000000-0x625000010000
0x625000010000-0x625e00000000
0x625e00000000-0x625e00010000
0x625e00010000-0x62a000000000
0x62a000000000-0x62a000010000
0x62a000010000-0x62ae00000000
0x62ae00000000-0x62ae00010000
0x62ae00010000-0x640000000000
0x640000000000-0x640000003000
0x7f2a5cdd7000-0x7f2a63300000 /usr/lib/locale/locale-archive
0x7f2a63300000-0x7f2a63400000
0x7f2a63500000-0x7f2a63600000
0x7f2a63700000-0x7f2a63800000
0x7f2a63900000-0x7f2a63a00000
0x7f2a63a9f000-0x7f2a65df1000
0x7f2a65df1000-0x7f2a65df3000 /usr/lib64/libXau.so.6.0.0
0x7f2a65df3000-0x7f2a65ff3000 /usr/lib64/libXau.so.6.0.0
0x7f2a65ff3000-0x7f2a65ff4000 /usr/lib64/libXau.so.6.0.0
0x7f2a65ff4000-0x7f2a65ff5000 /usr/lib64/libXau.so.6.0.0
0x7f2a65ff5000-0x7f2a66016000 /usr/lib64/libxcb.so.1.1.0
0x7f2a66016000-0x7f2a66215000 /usr/lib64/libxcb.so.1.1.0
0x7f2a66215000-0x7f2a66216000 /usr/lib64/libxcb.so.1.1.0
0x7f2a66216000-0x7f2a66217000 /usr/lib64/libxcb.so.1.1.0
0x7f2a66217000-0x7f2a6621b000 /usr/lib64/libuuid.so.1.3.0
0x7f2a6621b000-0x7f2a6641a000 /usr/lib64/libuuid.so.1.3.0
0x7f2a6641a000-0x7f2a6641b000 /usr/lib64/libuuid.so.1.3.0
0x7f2a6641b000-0x7f2a6641c000 /usr/lib64/libuuid.so.1.3.0
0x7f2a6641c000-0x7f2a6645f000 /usr/lib64/libjpeg.so.62.1.0
0x7f2a6645f000-0x7f2a6665f000 /usr/lib64/libjpeg.so.62.1.0
0x7f2a6665f000-0x7f2a66660000 /usr/lib64/libjpeg.so.62.1.0
0x7f2a66660000-0x7f2a66661000 /usr/lib64/libjpeg.so.62.1.0
0x7f2a66661000-0x7f2a66671000
0x7f2a66671000-0x7f2a66827000 /usr/lib64/libc-2.17.so
0x7f2a66827000-0x7f2a66a27000 /usr/lib64/libc-2.17.so
0x7f2a66a27000-0x7f2a66a2b000 /usr/lib64/libc-2.17.so
0x7f2a66a2b000-0x7f2a66a2d000 /usr/lib64/libc-2.17.so
0x7f2a66a2d000-0x7f2a66a32000
0x7f2a66a32000-0x7f2a66a47000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7f2a66a47000-0x7f2a66c46000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7f2a66c46000-0x7f2a66c47000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7f2a66c47000-0x7f2a66c48000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7f2a66c48000-0x7f2a66c4a000 /usr/lib64/libdl-2.17.so
0x7f2a66c4a000-0x7f2a66e4a000 /usr/lib64/libdl-2.17.so
0x7f2a66e4a000-0x7f2a66e4b000 /usr/lib64/libdl-2.17.so
0x7f2a66e4b000-0x7f2a66e4c000 /usr/lib64/libdl-2.17.so
0x7f2a66e4c000-0x7f2a66e53000 /usr/lib64/librt-2.17.so
0x7f2a66e53000-0x7f2a67052000 /usr/lib64/librt-2.17.so
0x7f2a67052000-0x7f2a67053000 /usr/lib64/librt-2.17.so
0x7f2a67053000-0x7f2a67054000 /usr/lib64/librt-2.17.so
0x7f2a67054000-0x7f2a6706b000 /usr/lib64/libpthread-2.17.so
0x7f2a6706b000-0x7f2a6726a000 /usr/lib64/libpthread-2.17.so
0x7f2a6726a000-0x7f2a6726b000 /usr/lib64/libpthread-2.17.so
0x7f2a6726b000-0x7f2a6726c000 /usr/lib64/libpthread-2.17.so
0x7f2a6726c000-0x7f2a67270000
0x7f2a67270000-0x7f2a67370000 /usr/lib64/libm-2.17.so
0x7f2a67370000-0x7f2a67570000 /usr/lib64/libm-2.17.so
0x7f2a67570000-0x7f2a67571000 /usr/lib64/libm-2.17.so
0x7f2a67571000-0x7f2a67572000 /usr/lib64/libm-2.17.so
0x7f2a67572000-0x7f2a67587000 /usr/lib64/libz.so.1.2.7
0x7f2a67587000-0x7f2a67786000 /usr/lib64/libz.so.1.2.7
0x7f2a67786000-0x7f2a67787000 /usr/lib64/libz.so.1.2.7
0x7f2a67787000-0x7f2a67788000 /usr/lib64/libz.so.1.2.7
0x7f2a67788000-0x7f2a678e7000 /usr/lib64/libxml2.so.2.9.1
0x7f2a678e7000-0x7f2a67ae6000 /usr/lib64/libxml2.so.2.9.1
0x7f2a67ae6000-0x7f2a67aee000 /usr/lib64/libxml2.so.2.9.1
0x7f2a67aee000-0x7f2a67af0000 /usr/lib64/libxml2.so.2.9.1
0x7f2a67af0000-0x7f2a67af2000
0x7f2a67af2000-0x7f2a67b01000 /usr/lib64/libbz2.so.1.0.6
0x7f2a67b01000-0x7f2a67d00000 /usr/lib64/libbz2.so.1.0.6
0x7f2a67d00000-0x7f2a67d01000 /usr/lib64/libbz2.so.1.0.6
0x7f2a67d01000-0x7f2a67d02000 /usr/lib64/libbz2.so.1.0.6
0x7f2a67d02000-0x7f2a67d27000 /usr/lib64/liblzma.so.5.2.2
0x7f2a67d27000-0x7f2a67f26000 /usr/lib64/liblzma.so.5.2.2
0x7f2a67f26000-0x7f2a67f27000 /usr/lib64/liblzma.so.5.2.2
0x7f2a67f27000-0x7f2a67f28000 /usr/lib64/liblzma.so.5.2.2
0x7f2a67f28000-0x7f2a68060000 /usr/lib64/libX11.so.6.3.0
0x7f2a68060000-0x7f2a68260000 /usr/lib64/libX11.so.6.3.0
0x7f2a68260000-0x7f2a68261000 /usr/lib64/libX11.so.6.3.0
0x7f2a68261000-0x7f2a68266000 /usr/lib64/libX11.so.6.3.0
0x7f2a68266000-0x7f2a6827d000 /usr/lib64/libICE.so.6.3.0
0x7f2a6827d000-0x7f2a6847c000 /usr/lib64/libICE.so.6.3.0
0x7f2a6847c000-0x7f2a6847d000 /usr/lib64/libICE.so.6.3.0
0x7f2a6847d000-0x7f2a6847e000 /usr/lib64/libICE.so.6.3.0
0x7f2a6847e000-0x7f2a68482000
0x7f2a68482000-0x7f2a68489000 /usr/lib64/libSM.so.6.0.1
0x7f2a68489000-0x7f2a68688000 /usr/lib64/libSM.so.6.0.1
0x7f2a68688000-0x7f2a68689000 /usr/lib64/libSM.so.6.0.1
0x7f2a68689000-0x7f2a6868a000 /usr/lib64/libSM.so.6.0.1
0x7f2a6868a000-0x7f2a6869b000 /usr/lib64/libXext.so.6.4.0
0x7f2a6869b000-0x7f2a6889a000 /usr/lib64/libXext.so.6.4.0
0x7f2a6889a000-0x7f2a6889b000 /usr/lib64/libXext.so.6.4.0
0x7f2a6889b000-0x7f2a6889c000 /usr/lib64/libXext.so.6.4.0
0x7f2a6889c000-0x7f2a688b8000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f2a688b8000-0x7f2a68ab7000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f2a68ab7000-0x7f2a68ab8000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f2a68ab8000-0x7f2a68ab9000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7f2a68ab9000-0x7f2a68ae2000 /usr/lib64/libpng15.so.15.13.0
0x7f2a68ae2000-0x7f2a68ce2000 /usr/lib64/libpng15.so.15.13.0
0x7f2a68ce2000-0x7f2a68ce3000 /usr/lib64/libpng15.so.15.13.0
0x7f2a68ce3000-0x7f2a68ce4000 /usr/lib64/libpng15.so.15.13.0
0x7f2a68ce4000-0x7f2a68d1d000 /usr/lib64/libjpeg.so.9.2.0
0x7f2a68d1d000-0x7f2a68f1d000 /usr/lib64/libjpeg.so.9.2.0
0x7f2a68f1d000-0x7f2a68f1e000 /usr/lib64/libjpeg.so.9.2.0
0x7f2a68f1e000-0x7f2a68f1f000 /usr/lib64/libjpeg.so.9.2.0
0x7f2a68f1f000-0x7f2a68f6e000 /usr/lib64/libjasper.so.1.0.0
0x7f2a68f6e000-0x7f2a6916d000 /usr/lib64/libjasper.so.1.0.0
0x7f2a6916d000-0x7f2a6916e000 /usr/lib64/libjasper.so.1.0.0
0x7f2a6916e000-0x7f2a69172000 /usr/lib64/libjasper.so.1.0.0
0x7f2a69172000-0x7f2a69179000
0x7f2a69179000-0x7f2a69219000 /usr/lib64/libfreetype.so.6.10.0
0x7f2a69219000-0x7f2a69418000 /usr/lib64/libfreetype.so.6.10.0
0x7f2a69418000-0x7f2a6941e000 /usr/lib64/libfreetype.so.6.10.0
0x7f2a6941e000-0x7f2a6941f000 /usr/lib64/libfreetype.so.6.10.0
0x7f2a6941f000-0x7f2a6948e000 /usr/lib64/libtiff.so.5.2.0
0x7f2a6948e000-0x7f2a6968e000 /usr/lib64/libtiff.so.5.2.0
0x7f2a6968e000-0x7f2a6968f000 /usr/lib64/libtiff.so.5.2.0
0x7f2a6968f000-0x7f2a69692000 /usr/lib64/libtiff.so.5.2.0
0x7f2a69692000-0x7f2a69693000
0x7f2a69693000-0x7f2a696e8000 /usr/lib64/liblcms2.so.2.0.6
0x7f2a696e8000-0x7f2a698e7000 /usr/lib64/liblcms2.so.2.0.6
0x7f2a698e7000-0x7f2a698e8000 /usr/lib64/liblcms2.so.2.0.6
0x7f2a698e8000-0x7f2a698ed000 /usr/lib64/liblcms2.so.2.0.6
0x7f2a698ed000-0x7f2a69939000 /usr/lib64/libwebp.so.4.0.2
0x7f2a69939000-0x7f2a69b38000 /usr/lib64/libwebp.so.4.0.2
0x7f2a69b38000-0x7f2a69b39000 /usr/lib64/libwebp.so.4.0.2
0x7f2a69b39000-0x7f2a69b3a000 /usr/lib64/libwebp.so.4.0.2
0x7f2a69b3a000-0x7f2a69b3d000
0x7f2a69b3d000-0x7f2a69b46000 /usr/lib64/libjbig.so.2.0
0x7f2a69b46000-0x7f2a69d45000 /usr/lib64/libjbig.so.2.0
0x7f2a69d45000-0x7f2a69d46000 /usr/lib64/libjbig.so.2.0
0x7f2a69d46000-0x7f2a69d49000 /usr/lib64/libjbig.so.2.0
0x7f2a69d49000-0x7f2a69d69000 /usr/lib64/ld-2.17.so
0x7f2a69d93000-0x7f2a69f68000
0x7f2a69f68000-0x7f2a69f69000 /usr/lib64/ld-2.17.so
0x7f2a69f69000-0x7f2a69f6a000 /usr/lib64/ld-2.17.so
0x7f2a69f6a000-0x7f2a69f6b000
0x7fff9cefd000-0x7fff9cf1e000 [stack]
0x7fff9cf87000-0x7fff9cf89000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==124737==End of process memory map.
==124737==AddressSanitizer CHECK failed: /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4f3dbf in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
#1 0x50b6e5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#2 0x4fc380 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
#3 0x504b5e in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
#4 0x42fe0f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
#5 0x42fe0f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
#6 0x42fe0f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
#7 0x4e9789 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
#8 0xa5dd34 in ReadMNGImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/png.c:3980:21
#9 0x640fbd in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
#10 0x6404f0 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
#11 0x5aa668 in IdentifyImageCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8379:17
#12 0x5af409 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
#13 0x5f6472 in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
#14 0x5f4daa in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
#15 0x7f2a66692b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
#16 0x4247fb in _start (/home/test/Downloads/GM-afl-build/bin/gm+0x4247fb)
The PoC file is attached.
Credit: ADLab of Venustech
This is a small MNG file containing a MEND chunk whose declared length is ff000000.
Confirmed that gm crashes on it.
I've pushed a fix for Bob to check in.
For completeness, I tested a variant of the file with a MEND length of 7fffffff (the largest valid PNG chunk length); although there was a delay of a few seconds while the malloc occurred, it did not crash.
I am not seeing any large memory usage with the test case after Glenn's fix.