Bugzilla – Bug 1006739
VUL-1: CVE-2016-9011: libwmf: Re: libwmf: memory allocation failure in wmf_malloc (api.c)
Last modified: 2022-05-06 16:19:32 UTC
CVE-2016-9011

From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 18 Oct 2016 17:17:37 +0200

Description:
libwmf is a library for reading vector images in Microsøft’s native Windøws Metafile Format (WMF) and for either (a) displaying them in, e.g., an X window; or (b) converting them to more standard/open file formats such as, e.g., the W3C’s XML-based Scaleable Vector Graphic (SVG) format.

A fuzzing through imagemagick revealed a memory allocation failure. It was first reported to imagemagick developers (to double-check) which stated that the issue is in libwmf. Since the libwmf project is dead the issue has not been reported elsewhere.

The complete ASan output:

# identify $FILE
==25497==ERROR: AddressSanitizer failed to allocate 0xfe769000 (4269182976) bytes of LargeMmapAllocator (error code: 12)
==25497==Process memory map follows:
[..cut here..]
==25497==End of process memory map.
==25497==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42208f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> , __sanitizer::LargeMmapAllocator ::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> *, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f7173b4d337 in wmf_malloc /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482
    #10 0x7f7173b5d2f8 in wmf_scan /tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/player.c:143
    #11 0x7f7173d6dcf7 in ReadWMFImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/wmf.c:2675:13
    #12 0x7f717fde7b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #13 0x7f718057f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #14 0x7f717fde65ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #15 0x7f717fde6e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #16 0x7f717f66c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #17 0x7f717f70226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #20 0x7f717e5a661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419138 in _init (/usr/bin/magick+0x419138)

Affected version:
0.2.8.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-09-14: bug discovered
2016-10-18: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9011
http://seclists.org/oss-sec/2016/q4/228
Created attachment 699109: 00015-libwmf-memalloc-wmf_malloc

QA REPRODUCER:
convert 00015-libwmf-memalloc-wmf_malloc foo.jpg
bugbot adjusting priority
As a matter of fact, I submitted an upgrade to 0.2.12 into sle12 and sle15, so if this was ever fixed upstream, it will be fixed for us
The reproducer is clearly attached with testcase to this bug.

The fix is in src/player.c of 0.2.12:

    // NEW code, fix: it verifies that it can read to the advertised size:
    U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);

    if (nMaxRecordSize)
    {
        //before allocating memory do a sanity check on size by seeking
        //to claimed end to see if it's possible. We're constrained here
        //by the api and existing implementations to not simply seeking
        //to SEEK_END. So use what we have to skip to the last byte and
        //try and read it.
        const long nPos = WMF_TELL (API);
        WMF_SEEK (API, nPos + nMaxRecordSize - 1);
        if (ERR (API))
        {
            WMF_DEBUG (API,"bailing...");
            return (API->err);
        }
        int byte = WMF_READ (API);
        if (byte == (-1))
        {
            WMF_ERROR (API,"Unexpected EOF!");
            API->err = wmf_E_EOF;
            return (API->err);
        }
        WMF_SEEK (API, nPos);
    }

    // Marcus: this was the failing call:
    P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
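The same seek-then-read sanity check, as an added stand-alone example that is not libwmf's code and not part of this bug report. It models the tell/seek/read operations the 0.2.12 fix relies on over an in-memory buffer, and the header layout is constructed for the example (a 4-byte little-endian "max record size in 16-bit words" followed by record data); the names reader_t, parse_checked, unchecked_alloc_size and the RC_* codes are assumptions of this example. The hostile sample advertises 0x7F3B4800 words, so the unchecked path would request 0xFE769000 (4269182976) bytes, the figure in the ASan report, while the checked path refuses before malloc is reached.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libwmf code: a byte-buffer reader with the
 * tell/seek/read operations the 0.2.12 check relies on, plus a record-size
 * check modelled on it. Header layout is constructed for this example:
 * 4-byte little-endian "max record size in 16-bit words", then record data. */

typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;            /* read cursor: stand-in for WMF_TELL / WMF_SEEK */
} reader_t;

enum { RC_OK = 0, RC_EOF = 1, RC_NOMEM = 2, RC_SHORT_HEADER = 3 };

#define HEADER_LEN 4

static long reader_tell(const reader_t *r) { return (long) r->pos; }

/* Seeking past the end fails; this plays the role of ERR(API) after WMF_SEEK. */
static int reader_seek(reader_t *r, uint64_t pos)
{
    if (pos > r->len) return -1;
    r->pos = (size_t) pos;
    return 0;
}

/* Next byte, or -1 at end of data, like WMF_READ. */
static int reader_read(reader_t *r)
{
    if (r->pos >= r->len) return -1;
    return r->data[r->pos++];
}

static uint32_t read_u32le(const unsigned char *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8) |
           ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* What the unchecked 0.2.8.4-style path hands to malloc: advertised words * 2,
 * never compared against the amount of data actually present. */
static uint64_t unchecked_alloc_size(const unsigned char *buf, size_t len)
{
    if (len < HEADER_LEN) return 0;
    return (uint64_t) read_u32le(buf) * 2u * sizeof(unsigned char);
}

/* Hardened path, same idea as the 0.2.12 fix: before allocating, seek to the
 * last byte the advertised size would cover and try to read it. Short input
 * is rejected before malloc is called. On RC_OK, *out holds a copy of the
 * record (caller frees it) and *out_len its size. */
static int parse_checked(const unsigned char *buf, size_t len,
                         unsigned char **out, size_t *out_len)
{
    reader_t r = { buf, len, HEADER_LEN };
    *out = NULL;
    *out_len = 0;
    if (len < HEADER_LEN) return RC_SHORT_HEADER;

    uint64_t max_record_size = (uint64_t) read_u32le(buf) * 2u;
    if (max_record_size == 0) return RC_OK;   /* nothing to allocate */

    long pos = reader_tell(&r);
    if (reader_seek(&r, (uint64_t) pos + max_record_size - 1) != 0)
        return RC_EOF;                        /* claimed end lies beyond the data */
    if (reader_read(&r) == -1)
        return RC_EOF;                        /* the "Unexpected EOF!" case */
    reader_seek(&r, (uint64_t) pos);

    /* The check guarantees HEADER_LEN + max_record_size <= len, so the copy is in bounds. */
    unsigned char *params = malloc((size_t) max_record_size);
    if (!params) return RC_NOMEM;
    memcpy(params, buf + HEADER_LEN, (size_t) max_record_size);
    *out = params;
    *out_len = (size_t) max_record_size;
    return RC_OK;
}

/* Constructed inputs. The hostile header advertises 0x7F3B4800 words, i.e.
 * 0xFE769000 = 4269182976 bytes, the figure in the ASan report above. */
static const unsigned char SAMPLE_HOSTILE[] = { 0x00, 0x48, 0x3B, 0x7F, 0xAA, 0xBB };
static const unsigned char SAMPLE_BENIGN[] = { 0x08, 0x00, 0x00, 0x00,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
/* Same header as SAMPLE_BENIGN but one byte short of the claimed 16. */
static const unsigned char SAMPLE_TRUNCATED[] = { 0x08, 0x00, 0x00, 0x00,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

/* Wrappers returning only the status code / the accepted record length. */
static int checked_rc(const unsigned char *buf, size_t len)
{
    unsigned char *p; size_t n;
    int rc = parse_checked(buf, len, &p, &n);
    free(p);
    return rc;
}

static size_t checked_len(const unsigned char *buf, size_t len)
{
    unsigned char *p; size_t n;
    parse_checked(buf, len, &p, &n);
    free(p);
    return n;
}

int main(void)
{
    printf("unchecked malloc request for hostile header: %llu bytes\n",
           (unsigned long long) unchecked_alloc_size(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE));
    printf("checked parse of hostile header: rc=%d\n", checked_rc(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE));
    printf("checked parse of benign header: rc=%d len=%zu\n",
           checked_rc(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN), checked_len(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    return 0;
}
```

The point the example makes is the one Marcus's snippet relies on: the advertised size is attacker-controlled input, so the cheap test of whether the file actually extends that far has to happen before the size is trusted by the allocator. Note the truncated sample, where the seek itself succeeds (it lands exactly at end of data) and only the read fails; both branches of the 0.2.12 check are needed.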
SUSE-SU-2022:1516-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1006739,1123522,1174075
CVE References: CVE-2016-9011,CVE-2019-6978
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): libwmf-0.2.12-150000.4.4.1
openSUSE Leap 15.3 (src): libwmf-0.2.12-150000.4.4.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src): libwmf-0.2.12-150000.4.4.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): libwmf-0.2.12-150000.4.4.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): libwmf-0.2.12-150000.4.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1560-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1006739,1123522,1174075
CVE References: CVE-2016-9011,CVE-2019-6978
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): libwmf-0.2.12-243.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libwmf-0.2.12-243.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.