Created attachment 764870 [details]
pbmmask-heapoverflow-1

QA REPRODUCER:

valgrind pbmmask pbmmask-heapoverflow-1

should not report Invalid read

BEFORE

devel,15,12/netpbm

$ valgrind -q pbmmask pbmmask-heapoverflow-1
==19208== Invalid read of size 1
==19208==    at 0x108B55: main (pbmmask.c:160)
==19208==  Address 0x57d03ff is 1 bytes before a block of size 1 alloc'd
==19208==    at 0x4C2E04F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19208==    by 0x4E5F2E6: mallocz (mallocvar.c:15)
==19208==    by 0x4E5F2E6: allocRowHeap (mallocvar.c:68)
==19208==    by 0x4E5F2E6: pm_mallocarray2 (mallocvar.c:117)
==19208==    by 0x4E48F95: pm_allocarray (libpm.c:345)
==19208==    by 0x4E4D4EF: pbm_readpbm (libpbm2.c:295)
==19208==    by 0x108AA6: main (pbmmask.c:145)
==19208== 
==19208== Invalid read of size 1
==19208==    at 0x109210: addflood (pbmmask.c:34)
==19208==    by 0x108C0A: main (pbmmask.c:181)
==19208==  Address 0x57d03ff is 1 bytes before a block of size 1 alloc'd
==19208==    at 0x4C2E04F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19208==    by 0x4E5F2E6: mallocz (mallocvar.c:15)
==19208==    by 0x4E5F2E6: allocRowHeap (mallocvar.c:68)
==19208==    by 0x4E5F2E6: pm_mallocarray2 (mallocvar.c:117)
==19208==    by 0x4E48F95: pm_allocarray (libpm.c:345)
==19208==    by 0x4E4D4EF: pbm_readpbm (libpbm2.c:295)
==19208==    by 0x108AA6: main (pbmmask.c:145)
==19208== 
==19208== Conditional jump or move depends on uninitialised value(s)
==19208==    at 0x109213: addflood (pbmmask.c:34)
==19208==    by 0x108C0A: main (pbmmask.c:181)
==19208== 
==19208== Invalid read of size 1
==19208==    at 0x10922B: addflood (pbmmask.c:34)
==19208==    by 0x108C0A: main (pbmmask.c:181)
==19208==  Address 0x57d055f is 1 bytes before a block of size 1 alloc'd
==19208==    at 0x4C2E04F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19208==    by 0x4E5F2E6: mallocz (mallocvar.c:15)
==19208==    by 0x4E5F2E6: allocRowHeap (mallocvar.c:68)
==19208==    by 0x4E5F2E6: pm_mallocarray2 (mallocvar.c:117)
==19208==    by 0x4E48F95: pm_allocarray (libpm.c:345)
==19208==    by 0x108ACB: main (pbmmask.c:147)
==19208== 
==19208== Conditional jump or move depends on uninitialised value(s)
==19208==    at 0x109213: addflood (pbmmask.c:34)
==19208==    by 0x108C16: main (pbmmask.c:182)
==19208== 
==19208== Conditional jump or move depends on uninitialised value(s)
==19208==    at 0x10922F: addflood (pbmmask.c:34)
==19208==    by 0x108C16: main (pbmmask.c:182)
==19208== 
P4
0 24
$

11,10sp3/ImageMagick

$ valgrind -q pbmmask pbmmask-heapoverflow-1
pbmmask: Zero byte allocation
$


PATCH

There's no patch as far as I can see. gdb session shows, that file claims to have 0 columns. Memory allocation, which happens here:

 bits = pbm_readpbm( ifp, &cols, &rows );

will succeed as they use mallocz(), which allocates 1 byte in case of zero argument. However, later in pbmmask.c code asssumes col is greater then zero (col - 1 on several places). For 11/netpbm, the "zero allocation" is not allowed, thus the error.

I am proposing following patch on utility level:

Index: netpbm-10.82.2/editor/pbmmask.c
===================================================================
--- netpbm-10.82.2.orig/editor/pbmmask.c        2018-06-27 13:03:00.431710863 +0200
+++ netpbm-10.82.2/editor/pbmmask.c     2018-06-27 15:45:40.194531538 +0200
@@ -144,6 +144,12 @@ main(int argc, char * argv[]) {

     bits = pbm_readpbm( ifp, &cols, &rows );
     pm_close( ifp );
+    if (cols <= 0 || rows <= 0)
+    {
+      pm_error("zero width or zero height");
+      free(bits);
+      return 0;
+    }
     mask = pbm_allocarray( cols, rows );

     /* Clear out the mask. */

and will notify upstream (via private email, there is no bugtracker or mailinglist). I will submit packages with this patch now and in case upstream will introduce another fix, I will resubmit.


AFTER

devel,15,12/netpbm

$ pbmmask pbmmask-heapoverflow-1 
pbmmask: zero width or zero height
$

Will submit for devel/netpbm, 15/netpbm and 12/netpbm.

I believe all fixed.

This is an autogenerated message for OBS integration:
This bug (1086777) was mentioned in
https://build.opensuse.org/request/show/619410 Factory / netpbm

Upstream commit
https://sourceforge.net/p/netpbm/code/3279/

SUSE-SU-2019:0855-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1086777
CVE References: CVE-2018-8975
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    netpbm-10.80.1-3.3.36
SUSE Linux Enterprise Module for Basesystem 15 (src):    netpbm-10.80.1-3.3.36

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1200-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1086777
CVE References: CVE-2018-8975
Sources used:
openSUSE Leap 15.0 (src):    netpbm-10.80.1-lp150.2.3.1

SUSE-SU-2019:1645-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1024288,1024291,1086777,1136936
CVE References: CVE-2017-2579,CVE-2017-2580,CVE-2018-8975
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Server 12-SP4 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Server 12-SP3 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    netpbm-10.66.3-8.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

done