heap-buffer-overflow /home/hsalo/src/potrace-1.15/src/bitmap.h:148 bm_dup
Transforms bitmaps into vector graphics
Brought to you by:
selinger
Menu
▾
▴
1 Attachments
#23 heap-buffer-overflow /home/hsalo/src/potrace-1.15/src/bitmap.h:148 bm_dup
There is heap-buffer-overflow in 1.15 release aswell. I'm not sure if this is a new case or incomplete fix for previous issue. Seems to reproduce also with different output formats.
/home/hsalo/builds/potrace/1.15/bin/potrace -o /dev/null potrace-1.15-heap-buffer-overflow-bm_dup.sample
=================================================================
==8530==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x4749e8 bp 0x7fff2a4ac990 sp 0x7fff2a4ac988
READ of size 8 at 0x60200000efd0 thread T0
#0 0x4749e7 in bm_dup /home/hsalo/src/potrace-1.15/src/bitmap.h:148
#1 0x4749e7 in bm_to_pathlist /home/hsalo/src/potrace-1.15/src/decompose.c:470
#2 0x458bbc in potrace_trace /home/hsalo/src/potrace-1.15/src/potracelib.c:76
#3 0x40afbc in process_file /home/hsalo/src/potrace-1.15/src/main.c:1108
#4 0x405e63 in main /home/hsalo/src/potrace-1.15/src/main.c:1256
#5 0x7f1118924b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#6 0x409f8c (/home/hsalo/builds/potrace/1.15/bin/potrace+0x409f8c)
0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
#0 0x7f111921e885 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54885)
#1 0x413962 in bm_new /home/hsalo/src/potrace-1.15/src/bitmap.h:121
#2 0x413962 in bm_readbody_pnm /home/hsalo/src/potrace-1.15/src/bitmap_io.c:168
#3 0x413962 in bm_read /home/hsalo/src/potrace-1.15/src/bitmap_io.c:135
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/potrace-1.15/src/bitmap.h:148 bm_dup
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 00 02
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==8530==ABORTING
Henri, I have been unable to reproduce this particular bug. What compiler options are you using? I used these steps:
./configure
make CADD="-Wall -fsanitize=address"
./src/potrace -o /dev/null potrace-1.15-heap-buffer-overflow-bm_dup.sample
and it is not reproducing it with potrace 1.15 (or 1.14). In either case I get the expected output "invalid ppm file". The same compiler option does reproduce your previous bug 22. Are you sure you attached the correct file?
Thanks, -- Peter
Thanks for quick reply. I'll check this tomorrow.
I can only reproduce this after building the sofware with american fuzzy lop fuzzer. I'm not sure about the reason.
You can close this issue.
1.15 with ./configure && make -j
OK, I'm closing this bug. It is normal for the program to have some memory unfreed when exiting with an error message.