Message-ID: <948662.72140959-sendEmail@localhost>
Date: Tue, 23 May 2017 08:26:01 +0000
From: "Agostino Sarubbo" <ago@...too.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: autotrace: multiple vulnerabilities (The autotrace nightmare)

Description:
autotrace is a program for converting bitmaps to vector graphics.

Some time ago I tried to fuzz autotrace, but the first attempt resulted in a crash-by-default so I was unable to complete the task. See CVE-2016-7392 – autotrace: heap-based buffer overflow in pstoedit_suffix_table_init (output-pstoedit.c) for more info about it.
Some days ago I noticed that the Debian team patched the mentioned issue (you can blame them for what you will see in the following 😀), so I took the patch and I started the job. I'm sure there are duplicates, or better to say, issues that have the same root cause. But for completeness I'm providing all stacktraces/testcases.
Since we applied several patches, I'm providing the tarball as well, to verify the lines where the faults happen.
There are enough issues to kill the package from each repository since the latest upstream release was about 15 years ago.

Some details, to avoid repeating them multiple times:
– reproducible with: autotrace $FILE
– affected version: 0.31.1
– Fixed version: N/A
– Commit fix: N/A

==27066==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7f42e63f224f bp 0x7ffe8cc02b70 sp 0x7ffe8cc02b68                                                                         
WRITE of size 1 at 0x602000000071 thread T0                                                                                                                                                                       
    #0 0x7f42e63f224e in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12                                                                                       
    #1 0x7f42e63edfaf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3                                                                                      
    #2 0x7f42e64842e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13                                                                                       
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16                                                                                                            
    #4 0x7f42e54df680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                        
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)                                                                                                                                                            
                                                                                                                                                                                                                  
0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)                                                                                                                   
allocated by thread T0 here:                                                                                                                                                                                      
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74                                                                          
    #1 0x7f42e64849e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2                                                                                        
    #2 0x7f42e63eded4 in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:239:12                                                                                     
    #3 0x7f42e64842e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13                                                                                       
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16                                                                                                            
    #5 0x7f42e54df680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12 in pnm_load_ascii
Reproducer:
HEAP-input-pnm.c-303-12.PBM
CVE:
CVE-2017-9151

#########################################

==15561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000008e at pc 0x7ff8acddc761 bp 0x7ffcd65a9bf0 sp 0x7ffcd65a9be8
READ of size 1 at 0x60300000008e thread T0
    #0 0x7ff8acddc760 in pnm_load_raw /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:346:41
    #1 0x7ff8acdd5faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7ff8ace6c2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7ff8abec7680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60300000008e is located 0 bytes to the right of 30-byte region [0x603000000070,0x60300000008e)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7ff8ace6c9e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7ff8acdd5ed4 in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:239:12
    #3 0x7ff8ace6c2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7ff8abec7680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:346:41 in pnm_load_raw
Reproducer:
HEAP-input-pnm.c-346-41.PBM
CVE:
CVE-2017-9152

#########################################

==11769==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000005ba at pc 0x7f1540eec0d1 bp 0x7ffc27a48c20 sp 0x7ffc27a48c18
WRITE of size 1 at 0x6160000005ba thread T0
    #0 0x7f1540eec0d0 in pnm_load_rawpbm /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:13
    #1 0x7f1540ee6faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f1540f7d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f153ffd8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x6160000005ba is located 0 bytes to the right of 570-byte region [0x616000000380,0x6160000005ba)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f1540f7d9e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f1540ee6ed4 in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:239:12
    #3 0x7f1540f7d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f153ffd8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:13 in pnm_load_rawpbm
Reproducer:
HEAP-input-pnm.c-391-13.PBM
CVE:
CVE-2017-9153

#########################################

==15741==ERROR: AddressSanitizer: SEGV on unknown address 0x7fabc702e804 (pc 0x7fabcc84c7bb bp 0x7ffd2d0598d0 sp 0x7ffd2d0598a0 T0)
==15741==The signal is caused by a READ memory access.
    #0 0x7fabcc84c7ba in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7fabcc872d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7fabcc866b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7fabcc85c2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7fabcc85a592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7fabcc8505df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7fabcb8a9680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR
Reproducer:
SEGV-color.c.16-11.PBM
CVE:
CVE-2017-9154

#########################################

==10703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9d7f436fad bp 0x7ffff7bfce10 sp 0x7ffff7bfccc0 T0)
==10703==The signal is caused by a READ memory access.
==10703==Hint: address points to the zero page.
    #0 0x7f9d7f436fac in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #1 0x7f9d7f4cd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #2 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #3 0x7f9d7e528680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3 in input_pnm_reader
Reproducer:
SEGV-input-pnm.c-243-3.PBM
CVE:
CVE-2017-9155

#########################################

==11174==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d831eb74b bp 0x7ffc4e65fcb0 sp 0x7ffc4e65fb80 T0)
==11174==The signal is caused by a WRITE memory access.
==11174==Hint: address points to the zero page.
    #0 0x7f6d831eb74a in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12
    #1 0x7f6d831e7faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f6d8327e2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f6d822d9680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:303:12 in pnm_load_ascii
Reproducer:
SEGV-input-pnm.c-303-12.PBM
CVE:
CVE-2017-9156

#########################################

==28602==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f48c4e62a5d bp 0x7ffd95ea1cb0 sp 0x7ffd95ea1b80 T0)
==28602==The signal is caused by a WRITE memory access.
==28602==Hint: address points to the zero page.
    #0 0x7f48c4e62a5c in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:306:14
    #1 0x7f48c4e5efaf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f48c4ef52e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f48c3f50680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:306:14 in pnm_load_ascii
Reproducer:
SEGV-input-pnm.c-306-14.PBM
CVE:
CVE-2017-9157

#########################################

==28887==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f743bc8b10e bp 0x00000000000f sp 0x7ffeef5b4b98 T0)
==28887==The signal is caused by a WRITE memory access.
==28887==Hint: address points to the zero page.
    #0 0x7f743bc8b10d  /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/memcpy.S:71
    #1 0x7f743bc79ebd in __GI__IO_file_xsgetn /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/libio/fileops.c:1392
    #2 0x7f743bc6f20f in fread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/libio/iofread.c:38
    #3 0x7f743cb3e505 in pnm_load_raw /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:336:11
    #4 0x7f743cb37faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #5 0x7f743cbce2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #6 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #7 0x7f743bc29680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/memcpy.S:71
Reproducer:
SEGV-input-pnm.c-336-11.PBM
CVE:
CVE-2017-9158

#########################################

==12246==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4ffc714627 bp 0x7ffcb0118cb0 sp 0x7ffcb0118c30 T0)
==12246==The signal is caused by a WRITE memory access.
==12246==Hint: address points to the zero page.
    #0 0x7f4ffc714626 in pnm_load_rawpbm /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:15
    #1 0x7f4ffc70ffaf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #2 0x7f4ffc7a62e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f4ffb801680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:391:15 in pnm_load_rawpbm
Reproducer:
SEGV-input-pnm.c-391-15.PBM
CVE:
CVE-2017-9159

#########################################

==23827==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0793e00620 at pc 0x7f0798f0581a bp 0x7fff2523daf0 sp 0x7fff2523dae8
WRITE of size 1 at 0x7f0793e00620 thread T0
    #0 0x7f0798f05819 in pnmscanner_gettoken /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:458:12
    #1 0x7f0798f0713e in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:294:5
    #2 0x7f0798f03faf in input_pnm_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:243:3
    #3 0x7f0798f9a2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f0797ff5680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x7f0793e00620 is located in stack of thread T0 at offset 544 in frame
    #0 0x7f0798f05e9f in pnm_load_ascii /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:263

  This frame has 1 object(s):
    [32, 544) 'buf' <== Memory access at offset 544 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-pnm.c:458:12 in pnmscanner_gettoken
Reproducer:
STACK-input-pnm.c-458-12.PBM
CVE:
CVE-2017-9160

#########################################

autotrace.c:188:23: runtime error: signed integer overflow: 46486 * 46485 cannot be represented in type 'int'
Reproducer:
UNDEF-autotrace.c-188-23.PBM
CVE:
CVE-2017-9161

#########################################

autotrace.c:191:2: runtime error: signed integer overflow: 65535 * 65529 cannot be represented in type 'int'
Reproducer:
UNDEF-autotrace.c-191-2.PBM
CVE:
CVE-2017-9162

#########################################

pxl-outline.c:106:54: runtime error: signed integer overflow: 65535 * 53531 cannot be represented in type 'int'
Reproducer:
UNDEF-pxl-outline.c-106-54.PBM
CVE:
CVE-2017-9163

#########################################

==1166==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000880c at pc 0x7f9aa579b946 bp 0x7ffca93d7890 sp 0x7ffca93d7888
READ of size 1 at 0x62d00000880c thread T0
    #0 0x7f9aa579b945 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7f9aa57c1d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7f9aa57b5b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7f9aa57ab2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7f9aa57a9592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7f9aa579f5df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7f9aa47f8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x62d00000880c is located 8 bytes to the right of 33796-byte region [0x62d000000400,0x62d000008804)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f9aa5711116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7f9aa5711116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f9aa579d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f9aa47f8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR
Reproducer:
HEAP-color.c-16-11.BMP
CVE:
CVE-2017-9164

#########################################

==6460==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x7fea3aae195b bp 0x7ffe69932b70 sp 0x7ffe69932b68
READ of size 1 at 0x602000000071 thread T0
    #0 0x7fea3aae195a in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:17:11
    #1 0x7fea3aaef153 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:125:19
    #2 0x7fea3aae55df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #3 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #4 0x7fea39b3e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fea3aa57116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7fea3aa57116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fea3aae32e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fea39b3e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:17:11 in GET_COLOR
Reproducer:
HEAP-color.c-17-11.BMP
CVE:
CVE-2017-9165

#########################################

==9854==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000d81 at pc 0x7f66a5a2e971 bp 0x7ffd049fb890 sp 0x7ffd049fb888
READ of size 1 at 0x61f000000d81 thread T0
    #0 0x7f66a5a2e970 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:18:11
    #1 0x7f66a5a54d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7f66a5a48fd2 in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:836:16
    #3 0x7f66a5a3e2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7f66a5a3c592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7f66a5a325df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7f66a4a8b680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x61f000000d81 is located 0 bytes to the right of 3329-byte region [0x61f000000080,0x61f000000d81)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f66a59a4116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7f66a59a4116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f66a5a302e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f66a4a8b680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:18:11 in GET_COLOR
Reproducer:
HEAP-color.c-18-11.BMP
CVE:
CVE-2017-9166

#########################################

==6435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7ff19cd36604 bp 0x7fff53b20c50 sp 0x7fff53b20c48
WRITE of size 1 at 0x60200000006d thread T0
    #0 0x7ff19cd36603 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:337:25
    #1 0x7ff19cd36603 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7ff19cdbd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7ff19be18680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7ff19cd30fc1 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:309:7
    #2 0x7ff19cd30fc1 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7ff19cdbd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7ff19be18680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:337:25 in ReadImage
Reproducer:
HEAP-input-bmp.c-337-25.BMP
CVE:
CVE-2017-9167

#########################################

==1216==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7fbacd3ae631 bp 0x7ffdb62cfc50 sp 0x7ffdb62cfc48
WRITE of size 1 at 0x60200000006d thread T0
    #0 0x7fbacd3ae630 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25
    #1 0x7fbacd3ae630 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fbacd4352e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fbacc490680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fbacd3a8fc1 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:309:7
    #2 0x7fbacd3a8fc1 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fbacd4352e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fbacc490680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25 in ReadImage
Reproducer:
HEAP-input-bmp.c-353-25.BMP
CVE:
CVE-2017-9168

#########################################

==6260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000068 at pc 0x7f9f33109651 bp 0x7fff2313dc50 sp 0x7fff2313dc48
WRITE of size 1 at 0x607000000068 thread T0
    #0 0x7f9f33109650 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:355:25
    #1 0x7f9f33109650 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f9f331902e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f9f321eb680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x607000000068 is located 0 bytes to the right of 72-byte region [0x607000000020,0x607000000068)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f9f3318eb13 in at_fitting_opts_new /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:51:3
    #2 0x509455 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:82:24
    #3 0x7f9f321eb680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:355:25 in ReadImage
Reproducer:
HEAP-input-bmp.c-355-25.BMP
CVE:
CVE-2017-9169

#########################################

==6415==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006d at pc 0x7f53cbb18669 bp 0x7ffd2e82ac50 sp 0x7ffd2e82ac48
WRITE of size 1 at 0x60200000006d thread T0
    #0 0x7f53cbb18668 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25
    #1 0x7f53cbb18668 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f53cbb9f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f53cabfa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x60200000006d is located 3 bytes to the left of 3-byte region [0x602000000070,0x602000000073)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f53cbb12fc1 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:309:7
    #2 0x7f53cbb12fc1 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f53cbb9f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f53cabfa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25 in ReadImage
Reproducer:
HEAP-input-bmp.c-370-25.BMP
CVE:
CVE-2017-9170

#########################################

==6455==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb7800fe801 at pc 0x7fb7848c85c7 bp 0x7ffc39b0ec50 sp 0x7ffc39b0ec48
READ of size 1 at 0x7fb7800fe801 thread T0
    #0 0x7fb7848c85c6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:492:24
    #1 0x7fb7848c85c6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fb78494f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fb7839aa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fb7800fe801 is located 0 bytes to the right of 655361-byte region [0x7fb78005e800,0x7fb7800fe801)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fb7848c3116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7fb7848c3116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fb78494f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fb7839aa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:492:24 in ReadImage
Reproducer:
HEAP-input-bmp.c-492-24.BMP
CVE:
CVE-2017-9171

#########################################

==6652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x7f80c1d6e5e7 bp 0x7ffd0fd20c50 sp 0x7ffd0fd20c48
WRITE of size 1 at 0x6020000000b1 thread T0
    #0 0x7f80c1d6e5e6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:496:29
    #1 0x7f80c1d6e5e6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f80c1df52e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f80c0e50680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f80c1d6da41 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:486:7
    #2 0x7f80c1d6da41 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f80c1df52e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f80c0e50680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:496:29 in ReadImage
Reproducer:
HEAP-input-bmp.c-496-29.BMP
CVE:
CVE-2017-9172

#########################################

==6562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe5db1fc800 at pc 0x7fe637b9d5f7 bp 0x7ffcd7777c50 sp 0x7ffcd7777c48
WRITE of size 1 at 0x7fe5db1fc800 thread T0
    #0 0x7fe637b9d5f6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:497:29
    #1 0x7fe637b9d5f6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fe637c242e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fe636c7f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fe5db1fc800 is located 0 bytes to the right of 83898368-byte region [0x7fe5d61f9800,0x7fe5db1fc800)
allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fe637b9ca41 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:486:7
    #2 0x7fe637b9ca41 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7fe637c242e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fe636c7f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:497:29 in ReadImage
Reproducer:
HEAP-input-bmp.c-497-29.BMP
CVE:
CVE-2017-9173

#########################################

==3794==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb79d28c2c9 (pc 0x7fb819bbb8af bp 0x7ffcb8a228d0 sp 0x7ffcb8a228a0 T0)
==3794==The signal is caused by a READ memory access.
    #0 0x7fb819bbb8ae in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:21:23
    #1 0x7fb819be1d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7fb819bd5b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7fb819bcb2ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7fb819bc9592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7fb819bbf5df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7fb818c18680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:21:23 in GET_COLOR
Reproducer:
SEGV-color.c-21-23.BMP
CVE:
CVE-2017-9174

#########################################

==6582==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc6edefe800 (pc 0x7fc7f37e70a0 bp 0x7ffcdd383e10 sp 0x7ffcdd383c60 T0)
==6582==The signal is caused by a WRITE memory access.
    #0 0x7fc7f37e709f in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25
    #1 0x7fc7f37e709f in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fc7f386f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fc7f28ca680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:353:25 in ReadImage
Reproducer:
SEGV-input-bmp.c-353-25.BMP
CVE:
CVE-2017-9175

#########################################

==29001==ERROR: AddressSanitizer: SEGV on unknown address 0x602600000064 (pc 0x7f4698d176b5 bp 0x7fff96527e10 sp 0x7fff96527c60 T0)
==29001==The signal is caused by a WRITE memory access.
    #0 0x7f4698d176b4 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25
    #1 0x7f4698d176b4 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f4698d9f2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f4697dfa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:370:25 in ReadImage
Reproducer:
SEGV-input-bmp.c-370-25.BMP
CVE:
CVE-2017-9176

#########################################

==6445==ERROR: AddressSanitizer: SEGV on unknown address 0x170344731d00 (pc 0x7f562a18a7ce bp 0x7ffe24662e10 sp 0x7ffe24662c60 T0)
==6445==The signal is caused by a READ memory access.
    #0 0x7f562a18a7cd in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:390:12
    #1 0x7f562a18a7cd in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7f562a2142e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f562926f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:390:12 in ReadImage
Reproducer:
SEGV-input-bmp.c-390-12.BMP
CVE:
CVE-2017-9177

#########################################

==6450==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbf9c7ae200 (pc 0x7fbda21ddde7 bp 0x7fffce040e10 sp 0x7fffce040c60 T0)
==6450==The signal is caused by a WRITE memory access.
    #0 0x7fbda21ddde6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:421:11
    #1 0x7fbda21ddde6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fbda22692e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fbda12c4680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:421:11 in ReadImage
Reproducer:
SEGV-input-bmp.c-421-11.BMP
CVE:
CVE-2017-9178

#########################################

==6420==ERROR: AddressSanitizer: SEGV on unknown address 0x114a61dc3b1f (pc 0x7fb614a28dc8 bp 0x7ffc640a6e10 sp 0x7ffc640a6c60 T0)
==6420==The signal is caused by a READ memory access.
    #0 0x7fb614a28dc7 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:425:14
    #1 0x7fb614a28dc7 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fb614ab42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fb613b0f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:425:14 in ReadImage
Reproducer:
SEGV-input-bmp.c-425-14.BMP
CVE:
CVE-2017-9179

#########################################

==6430==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb696759bc7 bp 0x7fffc7440e10 sp 0x7fffc7440c60 T0)
==6430==The signal is caused by a READ memory access.
==6430==Hint: address points to the zero page.
    #0 0x7fb696759bc6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:440:14
    #1 0x7fb696759bc6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fb6967e42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fb69583f680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:440:14 in ReadImage
Reproducer:
SEGV-input-bmp.c-440-14.BMP
CVE:
CVE-2017-9180

#########################################

==6799==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe7fa7fe800 (pc 0x7fe90010491c bp 0x7ffef16afe10 sp 0x7ffef16afc60 T0)
==6799==The signal is caused by a WRITE memory access.
    #0 0x7fe90010491b in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c
    #1 0x7fe90010491b in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #2 0x7fe90018d2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7fe8ff1e8680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c in ReadImage
Reproducer:
SEGV-input-bmp.c.BMP
CVE:
CVE-2017-9181

#########################################

==12448==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f428790192a at pc 0x7f428f289946 bp 0x7fffa4721890 sp 0x7fffa4721888
READ of size 1 at 0x7f428790192a thread T0
    #0 0x7f428f289945 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7f428f2afd6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7f428f2a3b7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7f428f2992ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7f428f297592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7f428f28d5df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7f428e2e6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7f428790192a is located 298 bytes inside of 33545727-byte region [0x7f4287901800,0x7f42898ff5ff)
freed by thread T0 here:
    #0 0x4cff00 in __interceptor_cfree /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7f428f2041f6 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:501:7
    #2 0x7f428f2041f6 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f428f28b2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f428e2e6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d00b8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f428f1ff116 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:319:7
    #2 0x7f428f1ff116 in input_bmp_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-bmp.c:241
    #3 0x7f428f28b2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7f428e2e6680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR
Reproducer:
UAF-color.c-16-11.BMP
CVE:
CVE-2017-9182

#########################################

input-bmp.c:309:7: runtime error: signed integer overflow: 1676736000 * 3 cannot be represented in type 'int'
Reproducer:
UNDEF-autotrace.c-309-7.BMP
CVE:
CVE-2017-9183

#########################################

input-bmp.c:314:7: runtime error: signed integer overflow: 32776 * 4194305 cannot be represented in type 'int'
Reproducer:
UNDEF-autotrace.c-314-7.BMP
CVE:
CVE-2017-9184

#########################################

input-bmp.c:319:7: runtime error: signed integer overflow: 1379841 * 8445184 cannot be represented in type 'int'
Reproducer:
UNDEF-autotrace.c-319-7.BMP
CVE:
CVE-2017-9185

#########################################

input-bmp.c:326:17: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Reproducer:
UNDEF-autotrace.c-326-17.BMP
CVE:
CVE-2017-9186

#########################################

input-bmp.c:486:7: runtime error: signed integer overflow: 1073741827 * 3 cannot be represented in type 'int'
Reproducer:
UNDEF-input-bmp.c-486-7.BMP
CVE:
CVE-2017-9187

#########################################

input-bmp.c:516:63: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
Reproducer:
UNDEF-input-bmp.c-516-63.BMP
CVE:
CVE-2017-9188
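
The UBSan reports above at input-bmp.c:309:7, 319:7 and 486:7 point at the same source positions as the malloc calls in the heap-buffer-overflow traces earlier in this list. The C below is an added example, not autotrace code and not part of the original message: it shows a size computation that refuses the operand pairs quoted in those reports, and a 32-bit field read that avoids the kind of left shift reported at 516:63. `MAX_IMAGE_BYTES`, all function names, and the mapping of the reported operands onto width/height/channels are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit for this example; not an autotrace constant. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Constructed sample: a 32-bit little-endian field whose top byte is 0x80. */
const unsigned char SAMPLE_HIGH_BIT_FIELD[4] = { 0x00, 0x00, 0x00, 0x80 };

/* Read a little-endian 32-bit field. Each byte is widened to uint32_t
 * before shifting, so 0x80 << 24 is well defined (as an int it is not). */
uint32_t read_le32(const unsigned char b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Turn a raw header field into a usable dimension.
 * Returns 0 and stores the value, or -1 for zero and for anything above
 * INT32_MAX (values that would be negative, INT32_MIN included, as an int).
 * This is the example's own policy and is stricter than the BMP format. */
int parse_dimension(const unsigned char b[4], int32_t *out)
{
    uint32_t v = read_le32(b);
    if (v == 0 || v > (uint32_t)INT32_MAX)
        return -1;
    *out = (int32_t)v;
    return 0;
}

/* a * b in size_t, refusing to wrap. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Byte count for a width x height image with `channels` bytes per pixel.
 * Returns 0 and stores the size, or -1 if any operand is non-positive,
 * the product wraps, or it exceeds MAX_IMAGE_BYTES. */
int image_buffer_size(int32_t width, int32_t height, int channels, size_t *out)
{
    size_t row, total;
    if (width <= 0 || height <= 0 || channels <= 0)
        return -1;
    if (mul_size((size_t)width, (size_t)channels, &row) != 0 ||
        mul_size(row, (size_t)height, &total) != 0 ||
        total > MAX_IMAGE_BYTES)
        return -1;
    *out = total;
    return 0;
}

/* Allocate a zeroed pixel buffer only when the size check passes. */
unsigned char *alloc_image(int32_t width, int32_t height, int channels,
                           size_t *size)
{
    if (image_buffer_size(width, height, channels, size) != 0)
        return NULL;
    return calloc(1, *size);
}

int main(void)
{
    /* Operand pairs quoted in the UBSan messages, plus one ordinary image.
     * Which header field each operand came from is not stated in the
     * reports, so the assignment to w/h/channels is an assumption. */
    static const struct { int32_t w, h; int ch; } cases[] = {
        { 640, 480, 3 },
        { 1676736000, 1, 3 },
        { 32776, 4194305, 1 },
        { 1379841, 8445184, 1 },
        { 1073741827, 1, 3 },
    };
    size_t i, n;
    int32_t dim;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (image_buffer_size(cases[i].w, cases[i].h, cases[i].ch, &n) == 0)
            printf("%d x %d x %d: %zu bytes\n",
                   (int)cases[i].w, (int)cases[i].h, cases[i].ch, n);
        else
            printf("%d x %d x %d: rejected\n",
                   (int)cases[i].w, (int)cases[i].h, cases[i].ch);
    }
    printf("field 00 00 00 80 reads as %lu, dimension %s\n",
           (unsigned long)read_le32(SAMPLE_HIGH_BIT_FIELD),
           parse_dimension(SAMPLE_HIGH_BIT_FIELD, &dim) == 0 ? "accepted"
                                                             : "rejected");
    return 0;
}
```
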

#########################################

==12009==ERROR: AddressSanitizer: unknown-crash on address 0x7fbb91586d21 at pc 0x7fbb91230946 bp 0x7ffe088d8890 sp 0x7ffe088d8888
READ of size 1 at 0x7fbb91586d21 thread T0
    #0 0x7fbb91230945 in GET_COLOR /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11
    #1 0x7fbb91256d6c in is_outline_edge /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:606:8
    #2 0x7fbb9124ab7d in next_point /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:875:16
    #3 0x7fbb912402ef in find_one_outline /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:232:13
    #4 0x7fbb9123e592 in find_outline_pixels /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/pxl-outline.c:136:25
    #5 0x7fbb912345df in at_splines_new_full /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:314:14
    #6 0x50dad0 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:147:13
    #7 0x7fbb9028d680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x7fbb91586d21 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/color.c:16:11 in GET_COLOR
Reproducer:
UNKNOWN-color.c-16-11.BMP
CVE:
CVE-2017-9189

#########################################

==4658==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x613000000200 in thread T0
    #0 0x4cff00 in __interceptor_cfree /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7fd75068d29e in free_bitmap /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/bitmap.c:24:5
    #2 0x7fd7506a077d in at_bitmap_free /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:203:3
    #3 0x50dd23 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:173:3
    #4 0x7fd74f6fa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x613000000200 is located 48 bytes inside of 538976288-byte region [0x6130000001d0,0x6130202021f0)
==4658==AddressSanitizer CHECK failed: /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.cc:178 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4da09f in AsanCheckFailed /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_rtl.cc:69
    #1 0x4f4e05 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x42875c in GetStackTraceFromId /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.cc:178
    #3 0x42875c in __asan::HeapAddressDescription::Print() const /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.cc:395
    #4 0x42a19b in __asan::AddressDescription::Print(char const*) const /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_descriptions.h:225
    #5 0x42a19b in __asan::ErrorFreeNotMalloced::Print() /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_errors.cc:148
    #6 0x4d712b in __asan::ErrorDescription::Print() /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_errors.h:374
    #7 0x4d712b in __asan::ScopedInErrorReport::~ScopedInErrorReport() /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_report.cc:169
    #8 0x4d712b in __asan::ReportFreeNotMalloced(unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_report.cc:275
    #9 0x41f46d in __asan::Allocator::ReportInvalidFree(void*, unsigned char, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:617
    #10 0x41f46d in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:507
    #11 0x41f46d in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:560
    #12 0x41f46d in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_allocator.cc:773
    #13 0x4cfedc in __interceptor_cfree /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:58
    #14 0x7fd75068d29e in free_bitmap /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/bitmap.c:24:5
    #15 0x7fd7506a077d in at_bitmap_free /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:203:3
    #16 0x50dd23 in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:173:3
    #17 0x7fd74f6fa680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #18 0x41a708 in _init (/usr/bin/autotrace+0x41a708)
Reproducer:
BADFREE-bitmap.c-24-5.TGA
CVE:
CVE-2017-9190

#########################################

==4247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001f0 at pc 0x0000004b97d8 bp 0x7ffc8908ac20 sp 0x7ffc8908a3d0
WRITE of size 4 at 0x6140000001f0 thread T0
    #0 0x4b97d7 in __asan_memcpy /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:453
    #1 0x7f76fde92d68 in rle_fread /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:252:15
    #2 0x7f76fde8f322 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:514:12
    #3 0x7f76fde8f322 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7f76fdf132e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7f76fcf6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x6140000001f0 is located 0 bytes to the right of 432-byte region [0x614000000040,0x6140000001f0)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f76fdf139e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f76fde8f081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7f76fde8f081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7f76fdf132e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7f76fcf6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:453 in __asan_memcpy
Reproducer:
HEAP-input-tga.c-252-15.TGA
CVE:
CVE-2017-9191

#########################################

==3665==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1da8f5803 at pc 0x0000004b9b35 bp 0x7ffcc2ab6cb0 sp 0x7ffcc2ab6460
WRITE of size 2147385265 at 0x7fd1da8f5803 thread T0
    #0 0x4b9b34 in __asan_memset /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:457
    #1 0x7fd1dfe2052e in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:528:7
    #2 0x7fd1dfe2052e in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #3 0x7fd1dfea42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fd1deeff680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fd1da8f5803 is located 0 bytes to the right of 2147188739-byte region [0x7fd15a93d800,0x7fd1da8f5803)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fd1dfea49e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7fd1dfe20081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7fd1dfe20081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7fd1dfea42e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7fd1deeff680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_intercept
Reproducer:
HEAP-input-tga.c-528-7.TGA
CVE:
CVE-2017-9192

#########################################

==4277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000ce at pc 0x7f0fd82f5740 bp 0x7fffa1c10cb0 sp 0x7fffa1c10ca8
READ of size 1 at 0x6020000000ce thread T0
    #0 0x7f0fd82f573f in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:538:33
    #1 0x7f0fd82f573f in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #2 0x7f0fd83762e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f0fd73d1680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x6020000000ce is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:538:33 in ReadImage
Reproducer:
HEAP-input-tga.c-538-33.TGA
CVE:
CVE-2017-9193

#########################################

==4417==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6e03dfea81 at pc 0x7f6e09772720 bp 0x7ffc16306cb0 sp 0x7ffc16306ca8
READ of size 1 at 0x7f6e03dfea81 thread T0
    #0 0x7f6e0977271f in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:559:29
    #1 0x7f6e0977271f in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #2 0x7f6e097f32e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f6e0884e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7f6e03dfea81 is located 1 bytes to the right of 122167936-byte region [0x7f6dfc97c800,0x7f6e03dfea80)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f6e097f39e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7f6e0976f081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7f6e0976f081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7f6e097f32e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7f6e0884e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:559:29 in ReadImage
Reproducer:
HEAP-input-tga.c-559-29.TGA
CVE:
CVE-2017-9194

#########################################

==4272==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000322 at pc 0x7f119fdf26b8 bp 0x7ffc12807cb0 sp 0x7ffc12807ca8
READ of size 1 at 0x602000000322 thread T0
    #0 0x7f119fdf26b7 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:620:27
    #1 0x7f119fdf26b7 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #2 0x7f119fe732e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #3 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #4 0x7f119eece680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

Address 0x602000000322 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:620:27 in ReadImage
Reproducer:
HEAP-input-tga.c-620-27.TGA
CVE:
CVE-2017-9195

#########################################

==4317==ERROR: AddressSanitizer: negative-size-param: (size=-393212)
    #0 0x4b9c19 in __asan_memset /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:457
    #1 0x7fb89cb5952e in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:528:7
    #2 0x7fb89cb5952e in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #3 0x7fb89cbdd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #4 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #5 0x7fb89bc38680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a708 in _init (/usr/bin/autotrace+0x41a708)

0x7fb81763d800 is located 0 bytes inside of 2147188739-byte region [0x7fb81763d800,0x7fb8975f5803)
allocated by thread T0 here:
    #0 0x4d02b0 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fb89cbdd9e1 in at_bitmap_init /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:191:2
    #2 0x7fb89cb59081 in ReadImage /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:490:11
    #3 0x7fb89cb59081 in input_tga_reader /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/input-tga.c:157
    #4 0x7fb89cbdd2e9 in at_bitmap_read /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/autotrace.c:142:13
    #5 0x50da1e in main /tmp/portage/media-gfx/autotrace-0.31.1-r8/work/autotrace-0.31.1/main.c:133:16
    #6 0x7fb89bc38680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: negative-size-param /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_interceptors.cc:457 in __asan_memset
Reproducer:
NEGATIVESIZE-input-tga.c-528-7.TGA
CVE:
CVE-2017-9196

#########################################

input-tga.c:498:55: runtime error: signed integer overflow: 1491099865 * 3 cannot be represented in type 'int'                                       
SUMMARY: AddressSanitizer: undefined-behavior input-tga.c:498:55 in                                                                                  
input-tga.c:508:18: runtime error: signed integer overflow: 77871 * 57445 cannot be represented in type 'int'                                        
SUMMARY: AddressSanitizer: undefined-behavior input-tga.c:508:18 in                                                                                  
input-tga.c:192:19: runtime error: signed integer overflow: 1491099865 * 4 cannot be represented in type 'int'                                       
SUMMARY: AddressSanitizer: undefined-behavior input-tga.c:192:19 in                                                                                  
input-tga.c:528:63: runtime error: signed integer overflow: 1491099865 * 4 cannot be represented in type 'int' 
Reproducer:
UNDEF-input-tga.c.TGA
CVE:
CVE-2017-9197
CVE-2017-9198
CVE-2017-9199
CVE-2017-9200

#########################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Reproducer:
https://github.com/asarubbo/poc/blob/master/00285-autotrace-multiple-vulnerabilities.tar

Sources:
https://github.com/asarubbo/poc/blob/master/00286-autotrace-sources.tar.xz

Timeline:
2017-04-10: bugs discovered
2017-05-20: blog post about the issues
2017-05-23: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/05/20/autotrace-multiple-vulnerabilities-the-autotrace-nightmare/

--
Agostino Sarubbo
Gentoo Linux Developer
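
The UBSan reports above show products such as 1491099865 * 3 overflowing 'int' in input-tga.c, and the ASan reports show a 2147188739-byte allocation and a negative memset size. As an added example (not part of the original message and not autotrace code; tga_checked_sizes, mul_size and MAX_IMAGE_BYTES are hypothetical names, and the factors 3 and 4 are assumed to be bytes per pixel), a loader can compute and bound these sizes in size_t before it allocates:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on decoded image size; pick one that fits the deployment. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Multiply two sizes; returns 0 on success, -1 if the product would wrap. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/*
 * Validate header-derived dimensions before any allocation or memset.
 * width/height are int because that is the type named in the UBSan
 * messages; bpp is assumed to be bytes per pixel (the reports show
 * factors 3 and 4). On success *row_bytes and *total_bytes are set.
 */
int tga_checked_sizes(int width, int height, int bpp,
                      size_t *row_bytes, size_t *total_bytes)
{
    if (width <= 0 || height <= 0 || bpp < 1 || bpp > 4)
        return -1;                      /* rejects negative sizes early */
    if (mul_size((size_t)width, (size_t)bpp, row_bytes) != 0)
        return -1;
    if (mul_size(*row_bytes, (size_t)height, total_bytes) != 0)
        return -1;
    if (*total_bytes > MAX_IMAGE_BYTES)
        return -1;                      /* refuse multi-gigabyte buffers */
    return 0;
}

int main(void)
{
    size_t row, total;
    /* Constructed inputs: operands quoted in the reports, plus a sane one. */
    printf("1491099865x1x3 -> %d\n", tga_checked_sizes(1491099865, 1, 3, &row, &total));
    printf("77871x57445x3  -> %d\n", tga_checked_sizes(77871, 57445, 3, &row, &total));
    printf("640x480x3      -> %d\n", tga_checked_sizes(640, 480, 3, &row, &total));
    return 0;
}
```

A return of -1 means the file should be rejected before at_bitmap_init-style allocation is attempted; the cap also keeps a 64-bit build from honouring sizes that fit in size_t but are far beyond any plausible image.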

