heap-buffer-overflow /home/hsalo/src/potrace-1.15/src/bitmap.h:148 bm_dup
There is heap-buffer-overflow in 1.15 release as well. I'm not sure if this is a new case or incomplete fix for previous issue. Seems to reproduce also with different output formats.
/home/hsalo/builds/potrace/1.15/bin/potrace -o /dev/null potrace-1.15-heap-buffer-overflow-bm_dup.sample
=================================================================
==8530==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x4749e8 bp 0x7fff2a4ac990 sp 0x7fff2a4ac988
READ of size 8 at 0x60200000efd0 thread T0
    #0 0x4749e7 in bm_dup /home/hsalo/src/potrace-1.15/src/bitmap.h:148
    #1 0x4749e7 in bm_to_pathlist /home/hsalo/src/potrace-1.15/src/decompose.c:470
    #2 0x458bbc in potrace_trace /home/hsalo/src/potrace-1.15/src/potracelib.c:76
    #3 0x40afbc in process_file /home/hsalo/src/potrace-1.15/src/main.c:1108
    #4 0x405e63 in main /home/hsalo/src/potrace-1.15/src/main.c:1256
    #5 0x7f1118924b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #6 0x409f8c (/home/hsalo/builds/potrace/1.15/bin/potrace+0x409f8c)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7f111921e885 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54885)
    #1 0x413962 in bm_new /home/hsalo/src/potrace-1.15/src/bitmap.h:121
    #2 0x413962 in bm_readbody_pnm /home/hsalo/src/potrace-1.15/src/bitmap_io.c:168
    #3 0x413962 in bm_read /home/hsalo/src/potrace-1.15/src/bitmap_io.c:135

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/potrace-1.15/src/bitmap.h:148 bm_dup
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 00 02
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==8530==ABORTING
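The report above pairs an 8-byte read in bm_dup with a 1-byte region handed out by calloc in bm_new, and the rest of the thread never establishes why. The program below is an added illustration, not potrace's code: it models a bitmap as scanlines of 64-bit words, shows how a byte-oriented size computation (an assumed cause, used here only to make the 1-byte-versus-8-byte mismatch concrete) yields exactly a 1-byte store for a 1x1 image, and puts a bounds check in front of the word-wise copy so a too-small store is rejected instead of read past. All names (bitmap_t, bm_words_per_line, bm_bytes_needed, bm_bytes_byte_oriented, bm_region_fits, bm_set, bm_get, bm_dup_roundtrip_ok) are hypothetical; bm_new and bm_dup only echo the trace for orientation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bitmap (not potrace's own): w x h pixels, one bit each,
   stored as h scanlines of dy machine words. */
typedef uint64_t bm_word;
#define BM_WORDBITS (8u * (unsigned)sizeof(bm_word))

typedef struct {
    int w, h;
    int dy;         /* words per scanline */
    bm_word *map;   /* dy * h words */
} bitmap_t;

/* Words per scanline needed to hold w pixels. */
int bm_words_per_line(int w) {
    return (int)(((unsigned)w + BM_WORDBITS - 1) / BM_WORDBITS);
}

/* Bytes the pixel store must have for a word-wise copy to stay in bounds. */
size_t bm_bytes_needed(int w, int h) {
    return (size_t)bm_words_per_line(w) * (size_t)h * sizeof(bm_word);
}

/* Size a byte-oriented allocator would compute for the same image:
   ceil(w/8) bytes per line. For a 1x1 image that is a 1-byte region, the
   size seen in the report. Constructed illustration of one way a 1-byte
   region can meet an 8-byte read; the thread does not say this is the
   actual cause in potrace. */
size_t bm_bytes_byte_oriented(int w, int h) {
    return (size_t)((w + 7) / 8) * (size_t)h;
}

/* Check to place before any word-wise access: does a region of
   alloc_bytes cover every word the copy will touch? */
int bm_region_fits(size_t alloc_bytes, int w, int h) {
    return alloc_bytes >= bm_bytes_needed(w, h);
}

/* Allocator that sizes the store in words, zero-filled. */
bitmap_t *bm_new(int w, int h) {
    if (w <= 0 || h <= 0) return NULL;
    bitmap_t *bm = malloc(sizeof *bm);
    if (!bm) return NULL;
    bm->w = w; bm->h = h; bm->dy = bm_words_per_line(w);
    bm->map = calloc((size_t)bm->dy * (size_t)h, sizeof(bm_word));
    if (!bm->map) { free(bm); return NULL; }
    return bm;
}

void bm_free(bitmap_t *bm) {
    if (bm) { free(bm->map); free(bm); }
}

/* Word-wise copy, the access pattern behind "READ of size 8". The caller
   passes the byte size of the source store; a store that is too small is
   refused rather than read past. */
bitmap_t *bm_dup(const bitmap_t *src, size_t src_alloc_bytes) {
    if (!src || !bm_region_fits(src_alloc_bytes, src->w, src->h)) return NULL;
    bitmap_t *dst = bm_new(src->w, src->h);
    if (!dst) return NULL;
    memcpy(dst->map, src->map, (size_t)src->dy * (size_t)src->h * sizeof(bm_word));
    return dst;
}

/* Set/get one pixel (MSB-first within a word) so a copy can be verified. */
void bm_set(bitmap_t *bm, int x, int y) {
    bm->map[(size_t)y * bm->dy + x / BM_WORDBITS] |=
        (bm_word)1 << (BM_WORDBITS - 1 - x % BM_WORDBITS);
}
int bm_get(const bitmap_t *bm, int x, int y) {
    return (int)((bm->map[(size_t)y * bm->dy + x / BM_WORDBITS] >>
                  (BM_WORDBITS - 1 - x % BM_WORDBITS)) & 1);
}

/* Round trip: a 70x3 image (two words per line) duplicated and compared.
   Pixels 63 and 64 straddle the word boundary. Returns 1 on success. */
int bm_dup_roundtrip_ok(void) {
    bitmap_t *a = bm_new(70, 3);
    if (!a) return 0;
    bm_set(a, 0, 0); bm_set(a, 69, 2); bm_set(a, 63, 1); bm_set(a, 64, 1);
    bitmap_t *b = bm_dup(a, bm_bytes_needed(70, 3));
    int ok = b && bm_get(b, 0, 0) && bm_get(b, 69, 2) && bm_get(b, 63, 1)
             && bm_get(b, 64, 1) && !bm_get(b, 1, 0);
    bm_free(a); bm_free(b);
    return ok;
}

int main(void) {
    printf("1x1 image: byte-oriented size %zu, needed for word copy %zu, fits=%d\n",
           bm_bytes_byte_oriented(1, 1), bm_bytes_needed(1, 1),
           bm_region_fits(bm_bytes_byte_oriented(1, 1), 1, 1));
    printf("round trip ok: %d\n", bm_dup_roundtrip_ok());
    return 0;
}
```

Built with `-fsanitize=address`, a copy that skipped bm_region_fits and read a 1-byte store word-wise would produce the same "READ of size 8 ... 0 bytes to the right of 1-byte region" shape as the report; with the check in place the copy returns NULL and the caller can fail cleanly.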
Henri, I have been unable to reproduce this particular bug. What compiler options are you using? I used these steps:
./configure
make CADD="-Wall -fsanitize=address"
./src/potrace -o /dev/null potrace-1.15-heap-buffer-overflow-bm_dup.sample
and it is not reproducing it with potrace 1.15 (or 1.14). In either case I get the expected output "invalid ppm file". The same compiler option does reproduce your previous bug 22. Are you sure you attached the correct file?
Thanks, -- Peter
Thanks for quick reply. I'll check this tomorrow.
I can only reproduce this after building the software with the American Fuzzy Lop fuzzer. I'm not sure about the reason.
You can close this issue.
1.15 with ./configure && make -j
OK, I'm closing this bug. It is normal for the program to have some memory unfreed when exiting with an error message.