List:       oss-security
Subject:    [oss-security] imageworsener: memory allocation failure in my_mallocfn (imagew-cmd.c)
From:       "Agostino Sarubbo" <ago () gentoo ! org>
Date:       2017-04-30 9:11:02
Message-ID: 479277.612964751-sendEmail () localhost

Description:
imageworsener is a utility for image scaling and processing.

There is a memory allocation failure. I will show the interesting ASan output:

# imagew $FILE /tmp/out -outfmt bmp
    #8 0x551fc0 in my_mallocfn /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:794:9
    #9 0x7f37f140c9ae in iw_malloc_ex /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:48:8
    #10 0x7f37f140cdec in iw_malloc_large /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:77:9
    #11 0x7f37f136d66c in bmpr_read_uncompressed /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:665:32
    #12 0x7f37f134ce64 in iwbmp_read_bits /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:910:7
    #13 0x7f37f134ce64 in iw_read_bmp_file /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:980
    #14 0x7f37f1349f94 in iw_read_file_by_fmt /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-allfmts.c:66:12
    #15 0x519304 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1191:6
    #16 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #17 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #18 0x7f37f035178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #19 0x41b028 in _init (/usr/bin/imagew+0x41b028)

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/86564051db45b466e5f667111ce00b5eeedc8fb6

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8327

Reproducer:
https://github.com/asarubbo/poc/blob/master/00276-imageworsener-memallocfailure

Timeline:
2017-04-13: bug discovered and reported to upstream
2017-04-12: upstream released a patch for another issue that fixes this issue too
2017-04-27: blog post about the issue
2017-04-29: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/27/imageworsener-memory-allocation-failure-in-my_mallocfn-imagew-cmd-c/


--
Agostino Sarubbo
Gentoo Linux Developer

