On the latest version of libwmf.
An allocation-failure vulnerability was found in the function ReadWMFImage, which allows attackers to cause a denial of service via a crafted file. The trace below shows the oversized request (0xfe609000 bytes, about 4 GB) being issued by wmf_scan (libwmf player.c:143) through wmf_malloc (api.c:482), reached from ReadWMFImage in GraphicsMagick's coders/wmf.c.
==26240==ERROR: AddressSanitizer failed to allocate 0xfe609000 (4267741184) bytes of LargeMmapAllocator (error code: 12) ==26240==Process memory map follows: 0x000000400000-0x0000012e3000 /home/test/Downloads/GM-afl-build/bin/gm 0x0000014e2000-0x0000014e5000 /home/test/Downloads/GM-afl-build/bin/gm 0x0000014e5000-0x000001608000 /home/test/Downloads/GM-afl-build/bin/gm 0x000001608000-0x00000228f000 0x00007fff7000-0x00008fff7000 0x00008fff7000-0x02008fff7000 0x02008fff7000-0x10007fff8000 0x600000000000-0x602000000000 0x602000000000-0x602000010000 0x602000010000-0x602e00000000 0x602e00000000-0x602e00010000 0x602e00010000-0x603000000000 0x603000000000-0x603000010000 0x603000010000-0x603e00000000 0x603e00000000-0x603e00010000 0x603e00010000-0x604000000000 0x604000000000-0x604000010000 0x604000010000-0x604e00000000 0x604e00000000-0x604e00010000 0x604e00010000-0x606000000000 0x606000000000-0x606000010000 0x606000010000-0x606e00000000 0x606e00000000-0x606e00010000 0x606e00010000-0x607000000000 0x607000000000-0x607000010000 0x607000010000-0x607e00000000 0x607e00000000-0x607e00010000 0x607e00010000-0x608000000000 0x608000000000-0x608000010000 0x608000010000-0x608e00000000 0x608e00000000-0x608e00010000 0x608e00010000-0x60a000000000 0x60a000000000-0x60a000010000 0x60a000010000-0x60ae00000000 0x60ae00000000-0x60ae00010000 0x60ae00010000-0x60b000000000 0x60b000000000-0x60b000010000 0x60b000010000-0x60be00000000 0x60be00000000-0x60be00010000 0x60be00010000-0x60c000000000 0x60c000000000-0x60c000010000 0x60c000010000-0x60ce00000000 0x60ce00000000-0x60ce00010000 0x60ce00010000-0x60f000000000 0x60f000000000-0x60f000010000 0x60f000010000-0x60fe00000000 0x60fe00000000-0x60fe00010000 0x60fe00010000-0x610000000000 0x610000000000-0x610000010000 0x610000010000-0x610e00000000 0x610e00000000-0x610e00010000 0x610e00010000-0x611000000000 0x611000000000-0x611000010000 0x611000010000-0x611e00000000 0x611e00000000-0x611e00010000 0x611e00010000-0x612000000000 0x612000000000-0x612000010000 
0x612000010000-0x612e00000000 0x612e00000000-0x612e00010000 0x612e00010000-0x614000000000 0x614000000000-0x614000010000 0x614000010000-0x614e00000000 0x614e00000000-0x614e00010000 0x614e00010000-0x616000000000 0x616000000000-0x616000010000 0x616000010000-0x616e00000000 0x616e00000000-0x616e00010000 0x616e00010000-0x618000000000 0x618000000000-0x618000010000 0x618000010000-0x618e00000000 0x618e00000000-0x618e00010000 0x618e00010000-0x619000000000 0x619000000000-0x619000010000 0x619000010000-0x619e00000000 0x619e00000000-0x619e00010000 0x619e00010000-0x61e000000000 0x61e000000000-0x61e000010000 0x61e000010000-0x61ee00000000 0x61ee00000000-0x61ee00010000 0x61ee00010000-0x621000000000 0x621000000000-0x621000010000 0x621000010000-0x621e00000000 0x621e00000000-0x621e00010000 0x621e00010000-0x623000000000 0x623000000000-0x623000010000 0x623000010000-0x623e00000000 0x623e00000000-0x623e00010000 0x623e00010000-0x624000000000 0x624000000000-0x624000010000 0x624000010000-0x624e00000000 0x624e00000000-0x624e00010000 0x624e00010000-0x625000000000 0x625000000000-0x625000010000 0x625000010000-0x625e00000000 0x625e00000000-0x625e00010000 0x625e00010000-0x640000000000 0x640000000000-0x640000003000 0x7fb9759d7000-0x7fb97bf00000 /usr/lib/locale/locale-archive 0x7fb97bf00000-0x7fb97c000000 0x7fb97c100000-0x7fb97c200000 0x7fb97c300000-0x7fb97c400000 0x7fb97c46d000-0x7fb97c600000 0x7fb97c61a000-0x7fb97e96c000 0x7fb97e96c000-0x7fb97e96e000 /usr/lib64/libXau.so.6.0.0 0x7fb97e96e000-0x7fb97eb6e000 /usr/lib64/libXau.so.6.0.0 0x7fb97eb6e000-0x7fb97eb6f000 /usr/lib64/libXau.so.6.0.0 0x7fb97eb6f000-0x7fb97eb70000 /usr/lib64/libXau.so.6.0.0 0x7fb97eb70000-0x7fb97eb91000 /usr/lib64/libxcb.so.1.1.0 0x7fb97eb91000-0x7fb97ed90000 /usr/lib64/libxcb.so.1.1.0 0x7fb97ed90000-0x7fb97ed91000 /usr/lib64/libxcb.so.1.1.0 0x7fb97ed91000-0x7fb97ed92000 /usr/lib64/libxcb.so.1.1.0 0x7fb97ed92000-0x7fb97ed96000 /usr/lib64/libuuid.so.1.3.0 0x7fb97ed96000-0x7fb97ef95000 /usr/lib64/libuuid.so.1.3.0 
0x7fb97ef95000-0x7fb97ef96000 /usr/lib64/libuuid.so.1.3.0 0x7fb97ef96000-0x7fb97ef97000 /usr/lib64/libuuid.so.1.3.0 0x7fb97ef97000-0x7fb97efda000 /usr/lib64/libjpeg.so.62.1.0 0x7fb97efda000-0x7fb97f1da000 /usr/lib64/libjpeg.so.62.1.0 0x7fb97f1da000-0x7fb97f1db000 /usr/lib64/libjpeg.so.62.1.0 0x7fb97f1db000-0x7fb97f1dc000 /usr/lib64/libjpeg.so.62.1.0 0x7fb97f1dc000-0x7fb97f1ec000 0x7fb97f1ec000-0x7fb97f3a2000 /usr/lib64/libc-2.17.so 0x7fb97f3a2000-0x7fb97f5a2000 /usr/lib64/libc-2.17.so 0x7fb97f5a2000-0x7fb97f5a6000 /usr/lib64/libc-2.17.so 0x7fb97f5a6000-0x7fb97f5a8000 /usr/lib64/libc-2.17.so 0x7fb97f5a8000-0x7fb97f5ad000 0x7fb97f5ad000-0x7fb97f5c2000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7fb97f5c2000-0x7fb97f7c1000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7fb97f7c1000-0x7fb97f7c2000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7fb97f7c2000-0x7fb97f7c3000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7fb97f7c3000-0x7fb97f7c5000 /usr/lib64/libdl-2.17.so 0x7fb97f7c5000-0x7fb97f9c5000 /usr/lib64/libdl-2.17.so 0x7fb97f9c5000-0x7fb97f9c6000 /usr/lib64/libdl-2.17.so 0x7fb97f9c6000-0x7fb97f9c7000 /usr/lib64/libdl-2.17.so 0x7fb97f9c7000-0x7fb97f9ce000 /usr/lib64/librt-2.17.so 0x7fb97f9ce000-0x7fb97fbcd000 /usr/lib64/librt-2.17.so 0x7fb97fbcd000-0x7fb97fbce000 /usr/lib64/librt-2.17.so 0x7fb97fbce000-0x7fb97fbcf000 /usr/lib64/librt-2.17.so 0x7fb97fbcf000-0x7fb97fbe6000 /usr/lib64/libpthread-2.17.so 0x7fb97fbe6000-0x7fb97fde5000 /usr/lib64/libpthread-2.17.so 0x7fb97fde5000-0x7fb97fde6000 /usr/lib64/libpthread-2.17.so 0x7fb97fde6000-0x7fb97fde7000 /usr/lib64/libpthread-2.17.so 0x7fb97fde7000-0x7fb97fdeb000 0x7fb97fdeb000-0x7fb97feeb000 /usr/lib64/libm-2.17.so 0x7fb97feeb000-0x7fb9800eb000 /usr/lib64/libm-2.17.so 0x7fb9800eb000-0x7fb9800ec000 /usr/lib64/libm-2.17.so 0x7fb9800ec000-0x7fb9800ed000 /usr/lib64/libm-2.17.so 0x7fb9800ed000-0x7fb980102000 /usr/lib64/libz.so.1.2.7 0x7fb980102000-0x7fb980301000 /usr/lib64/libz.so.1.2.7 0x7fb980301000-0x7fb980302000 /usr/lib64/libz.so.1.2.7 
0x7fb980302000-0x7fb980303000 /usr/lib64/libz.so.1.2.7 0x7fb980303000-0x7fb980462000 /usr/lib64/libxml2.so.2.9.1 0x7fb980462000-0x7fb980661000 /usr/lib64/libxml2.so.2.9.1 0x7fb980661000-0x7fb980669000 /usr/lib64/libxml2.so.2.9.1 0x7fb980669000-0x7fb98066b000 /usr/lib64/libxml2.so.2.9.1 0x7fb98066b000-0x7fb98066d000 0x7fb98066d000-0x7fb98067c000 /usr/lib64/libbz2.so.1.0.6 0x7fb98067c000-0x7fb98087b000 /usr/lib64/libbz2.so.1.0.6 0x7fb98087b000-0x7fb98087c000 /usr/lib64/libbz2.so.1.0.6 0x7fb98087c000-0x7fb98087d000 /usr/lib64/libbz2.so.1.0.6 0x7fb98087d000-0x7fb9808a2000 /usr/lib64/liblzma.so.5.2.2 0x7fb9808a2000-0x7fb980aa1000 /usr/lib64/liblzma.so.5.2.2 0x7fb980aa1000-0x7fb980aa2000 /usr/lib64/liblzma.so.5.2.2 0x7fb980aa2000-0x7fb980aa3000 /usr/lib64/liblzma.so.5.2.2 0x7fb980aa3000-0x7fb980bdb000 /usr/lib64/libX11.so.6.3.0 0x7fb980bdb000-0x7fb980ddb000 /usr/lib64/libX11.so.6.3.0 0x7fb980ddb000-0x7fb980ddc000 /usr/lib64/libX11.so.6.3.0 0x7fb980ddc000-0x7fb980de1000 /usr/lib64/libX11.so.6.3.0 0x7fb980de1000-0x7fb980df8000 /usr/lib64/libICE.so.6.3.0 0x7fb980df8000-0x7fb980ff7000 /usr/lib64/libICE.so.6.3.0 0x7fb980ff7000-0x7fb980ff8000 /usr/lib64/libICE.so.6.3.0 0x7fb980ff8000-0x7fb980ff9000 /usr/lib64/libICE.so.6.3.0 0x7fb980ff9000-0x7fb980ffd000 0x7fb980ffd000-0x7fb981004000 /usr/lib64/libSM.so.6.0.1 0x7fb981004000-0x7fb981203000 /usr/lib64/libSM.so.6.0.1 0x7fb981203000-0x7fb981204000 /usr/lib64/libSM.so.6.0.1 0x7fb981204000-0x7fb981205000 /usr/lib64/libSM.so.6.0.1 0x7fb981205000-0x7fb981216000 /usr/lib64/libXext.so.6.4.0 0x7fb981216000-0x7fb981415000 /usr/lib64/libXext.so.6.4.0 0x7fb981415000-0x7fb981416000 /usr/lib64/libXext.so.6.4.0 0x7fb981416000-0x7fb981417000 /usr/lib64/libXext.so.6.4.0 0x7fb981417000-0x7fb981433000 /usr/lib64/libwmflite-0.2.so.7.0.1 0x7fb981433000-0x7fb981632000 /usr/lib64/libwmflite-0.2.so.7.0.1 0x7fb981632000-0x7fb981633000 /usr/lib64/libwmflite-0.2.so.7.0.1 0x7fb981633000-0x7fb981634000 /usr/lib64/libwmflite-0.2.so.7.0.1 
0x7fb981634000-0x7fb98165d000 /usr/lib64/libpng15.so.15.13.0 0x7fb98165d000-0x7fb98185d000 /usr/lib64/libpng15.so.15.13.0 0x7fb98185d000-0x7fb98185e000 /usr/lib64/libpng15.so.15.13.0 0x7fb98185e000-0x7fb98185f000 /usr/lib64/libpng15.so.15.13.0 0x7fb98185f000-0x7fb981898000 /usr/lib64/libjpeg.so.9.2.0 0x7fb981898000-0x7fb981a98000 /usr/lib64/libjpeg.so.9.2.0 0x7fb981a98000-0x7fb981a99000 /usr/lib64/libjpeg.so.9.2.0 0x7fb981a99000-0x7fb981a9a000 /usr/lib64/libjpeg.so.9.2.0 0x7fb981a9a000-0x7fb981ae9000 /usr/lib64/libjasper.so.1.0.0 0x7fb981ae9000-0x7fb981ce8000 /usr/lib64/libjasper.so.1.0.0 0x7fb981ce8000-0x7fb981ce9000 /usr/lib64/libjasper.so.1.0.0 0x7fb981ce9000-0x7fb981ced000 /usr/lib64/libjasper.so.1.0.0 0x7fb981ced000-0x7fb981cf4000 0x7fb981cf4000-0x7fb981d94000 /usr/lib64/libfreetype.so.6.10.0 0x7fb981d94000-0x7fb981f93000 /usr/lib64/libfreetype.so.6.10.0 0x7fb981f93000-0x7fb981f99000 /usr/lib64/libfreetype.so.6.10.0 0x7fb981f99000-0x7fb981f9a000 /usr/lib64/libfreetype.so.6.10.0 0x7fb981f9a000-0x7fb982009000 /usr/lib64/libtiff.so.5.2.0 0x7fb982009000-0x7fb982209000 /usr/lib64/libtiff.so.5.2.0 0x7fb982209000-0x7fb98220a000 /usr/lib64/libtiff.so.5.2.0 0x7fb98220a000-0x7fb98220d000 /usr/lib64/libtiff.so.5.2.0 0x7fb98220d000-0x7fb98220e000 0x7fb98220e000-0x7fb982263000 /usr/lib64/liblcms2.so.2.0.6 0x7fb982263000-0x7fb982462000 /usr/lib64/liblcms2.so.2.0.6 0x7fb982462000-0x7fb982463000 /usr/lib64/liblcms2.so.2.0.6 0x7fb982463000-0x7fb982468000 /usr/lib64/liblcms2.so.2.0.6 0x7fb982468000-0x7fb9824b4000 /usr/lib64/libwebp.so.4.0.2 0x7fb9824b4000-0x7fb9826b3000 /usr/lib64/libwebp.so.4.0.2 0x7fb9826b3000-0x7fb9826b4000 /usr/lib64/libwebp.so.4.0.2 0x7fb9826b4000-0x7fb9826b5000 /usr/lib64/libwebp.so.4.0.2 0x7fb9826b5000-0x7fb9826b8000 0x7fb9826b8000-0x7fb9826c1000 /usr/lib64/libjbig.so.2.0 0x7fb9826c1000-0x7fb9828c0000 /usr/lib64/libjbig.so.2.0 0x7fb9828c0000-0x7fb9828c1000 /usr/lib64/libjbig.so.2.0 0x7fb9828c1000-0x7fb9828c4000 /usr/lib64/libjbig.so.2.0 
0x7fb9828c4000-0x7fb9828e4000 /usr/lib64/ld-2.17.so
0x7fb98290e000-0x7fb982ae3000
0x7fb982ae3000-0x7fb982ae4000 /usr/lib64/ld-2.17.so
0x7fb982ae4000-0x7fb982ae5000 /usr/lib64/ld-2.17.so
0x7fb982ae5000-0x7fb982ae6000
0x7ffe5f54f000-0x7ffe5f570000 [stack]
0x7ffe5f5d8000-0x7ffe5f5da000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==26240==End of process memory map.
==26240==AddressSanitizer CHECK failed: /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4f3dbf in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
#1 0x50b6e5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#2 0x4fc380 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
#3 0x504b5e in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
#4 0x42fe0f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
#5 0x42fe0f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
#6 0x42fe0f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
#7 0x4e9789 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
#8 0x7fb98141b077 in wmf_malloc api.c:482
#9 0x7fb98142b5dd in wmf_scan player.c:143
#10 0xde5766 in ReadWMFImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/wmf.c:2473:20
#11 0x640fbd in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
#12 0x6404f0 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
#13 0x5aa668 in IdentifyImageCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8379:17
#14 0x5af409 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
#15 0x5f6472 in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
#16 0x5f4daa in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
#17 0x7fb97f20db34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
#18 0x4247fb in _start (/home/test/Downloads/GM-afl-build/bin/gm+0x4247fb)
The PoC file is attached.
Credit: ADLab of Venustech
Why is this a vulnerability? malloc() should return 0, and the function will then register the allocation failure and give up. The trace shows the abort happening inside AddressSanitizer itself (ReportMmapFailureAndDie after a failed mmap), which treats an allocation it cannot satisfy as fatal by default (allocator_may_return_null=0) instead of returning a null pointer to the caller; an uninstrumented build would see an ordinary malloc() failure that the code can handle.