CVE-2017-17724: heap-buffer-overflow src/iptc.cpp:354 in Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) #210
Comments
This has been assigned CVE-2017-17724
This appears to be fixed on 'master'
@clanmills you need to build with ASan to detect the issue. Without ASan I see the same output.
Thanks, Henri. I've reproduced this and I am investigating.
Also can be triggered with Valgrind:
I know what's causing this and I'm working on a fix. The code in Exiv2::IptcData::printStructure is reading bytes past the end of the buffer. The current code is:
The following modification allows the "crashing tiff" (2018-01-09-exiv2-crash-002.tiff) to work:
I will revisit the IPTC spec to remind myself about the data format of an IPTC buffer and how it is terminated.
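The comment above describes the root cause as reading past the end of the IPTC buffer while walking its datasets. The following is an added example, not Exiv2's code and not the fix that landed upstream: a small bounds-checked walker over an IPTC IIM buffer that treats a truncated header or payload as an error instead of reading beyond `len`. The record type, the function names `walkIptc` and `countRecords`, and the sample buffers are all assumptions constructed for this illustration. It relies only on the documented IIM dataset layout (0x1C marker, record number, dataset number, two-byte big-endian size, with an optional extended size when the top bit of the size is set).

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical parsed-dataset type (not an Exiv2 type).
struct IptcRecord {
    uint8_t record;   // IPTC record number (2 = application record)
    uint8_t dataset;  // dataset number within the record
    size_t  offset;   // offset of the payload inside the buffer
    size_t  size;     // payload length in bytes
};

// Walk an IPTC IIM buffer of `len` bytes. Each dataset starts with a 5-byte
// header: 0x1C marker, record, dataset, 2-byte big-endian size. If bit 15 of
// the size is set, the low 15 bits give the length of an extended size field
// that follows. Every read is checked against `len`; on a truncated header or
// payload the function returns false rather than reading past the buffer.
bool walkIptc(const uint8_t* buf, size_t len, std::vector<IptcRecord>& out) {
    size_t pos = 0;
    while (pos < len) {
        if (buf[pos] != 0x1C) return false;        // not a dataset marker
        if (len - pos < 5) return false;            // header would run past end
        uint8_t record  = buf[pos + 1];
        uint8_t dataset = buf[pos + 2];
        size_t size = (static_cast<size_t>(buf[pos + 3]) << 8) | buf[pos + 4];
        pos += 5;
        if (size & 0x8000) {                        // extended size field
            size_t extLen = size & 0x7FFF;
            if (extLen == 0 || extLen > sizeof(size_t) || len - pos < extLen) return false;
            size = 0;
            for (size_t i = 0; i < extLen; ++i) size = (size << 8) | buf[pos + i];
            pos += extLen;
        }
        if (len - pos < size) return false;         // payload truncated: refuse to read on
        out.push_back({record, dataset, pos, size});
        pos += size;
    }
    return true;
}

// Convenience wrapper: number of datasets found, or -1 if the buffer is malformed.
int countRecords(const uint8_t* buf, size_t len) {
    std::vector<IptcRecord> records;
    if (!walkIptc(buf, len, records)) return -1;
    return static_cast<int>(records.size());
}

// Constructed sample: two well-formed datasets (record 2, datasets 5 and 120).
static const uint8_t kGoodIptc[] = {
    0x1C, 0x02, 0x05, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o',
    0x1C, 0x02, 0x78, 0x00, 0x03, 'c', 'a', 'p'
};
// Constructed sample: the second dataset claims 16 bytes but only 2 are present.
static const uint8_t kTruncatedIptc[] = {
    0x1C, 0x02, 0x05, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o',
    0x1C, 0x02, 0x78, 0x00, 0x10, 'c', 'a'
};
// Constructed sample: the header itself is cut off after the record number.
static const uint8_t kShortHeader[] = { 0x1C, 0x02 };

int main() {
    std::vector<IptcRecord> records;
    if (walkIptc(kGoodIptc, sizeof kGoodIptc, records)) {
        for (const auto& r : records)
            std::cout << "record " << int(r.record) << " dataset " << int(r.dataset)
                      << " size " << r.size << " at offset " << r.offset << "\n";
    }
    std::cout << "truncated payload -> " << countRecords(kTruncatedIptc, sizeof kTruncatedIptc) << "\n";
    std::cout << "short header      -> " << countRecords(kShortHeader, sizeof kShortHeader) << "\n";
    return 0;
}
```

The two checks that matter are `len - pos < 5` before touching the header and `len - pos < size` before touching the payload; both are written as subtractions on the remaining length so they cannot overflow. A dumper such as the one in the report would apply the same checks before printing each dataset's bytes.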
@kbabiochSUSE There is a secondary issue (as you've observed) with Exiv2::Internal::binaryToString(). By "secondary", I mean this is not the principal reason for the crash in this bug report, and my work-around ensures that binaryToString() isn't called. However, you have made a valid observation that binaryToString() can cause issues and I'll investigate that once I've dealt with IptcData::printStructure().
I think the "secondary" issue is already logged: #209. The reason that it's "secondary" in this context is because Valgrind failed to detect the "primary" issue of the buffer overrun in Exiv2::IptcData::printStructure, which was detected when clang compiled the code with -fsanitize=address.
Is there a patch for this CVE-2017-17724?
This got fixed by #461.
http://bugs.fi/media/afl/exiv2/2018-01-09-exiv2-crash-002.tiff
4be0655