AddressSanitizer: heap-buffer-overflow at iptc.cpp:464 #427

Closed
hongxuchen opened this issue Sep 1, 2018 · 9 comments
Comments

@hongxuchen

When running exiv2 $FILE (5940c6f) against psd files, ASAN reports a heap-buffer-overflow error.

POCs:
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_iptc.cpp:464_1.psd?raw=true
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_iptc.cpp:464_2.psd?raw=true

ASAN output:

=================================================================
==16384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x7ffa566b54a2 bp 0x7ffec76dfe10 sp 0x7ffec76dfe08
READ of size 1 at 0x611000000140 thread T0
    #0 0x7ffa566b54a1 in Exiv2::IptcParser::decode(Exiv2::IptcData&, unsigned char const*, unsigned int) /home/hongxu/FOT/exiv2/src/iptc.cpp:464:33
    #1 0x7ffa567442d3 in Exiv2::PsdImage::readResourceBlock(unsigned short, unsigned int) /home/hongxu/FOT/exiv2/src/psdimage.cpp:246:21
    #2 0x7ffa56743675 in Exiv2::PsdImage::readMetadata() /home/hongxu/FOT/exiv2/src/psdimage.cpp:229:13
    #3 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
    #4 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
    #5 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
    #6 0x7ffa54cb7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x435ac9 in _start (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x435ac9)

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x52e0f0 in operator new[](unsigned long) (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x52e0f0)
    #1 0x58c8df in Exiv2::DataBuf::DataBuf(long) /home/hongxu/FOT/exiv2/include/exiv2/types.hpp:215:46
    #2 0x7ffa56743f58 in Exiv2::PsdImage::readResourceBlock(unsigned short, unsigned int) /home/hongxu/FOT/exiv2/src/psdimage.cpp:243:25
    #3 0x7ffa56743675 in Exiv2::PsdImage::readMetadata() /home/hongxu/FOT/exiv2/src/psdimage.cpp:229:13
    #4 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
    #5 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
    #6 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
    #7 0x7ffa54cb7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/exiv2/src/iptc.cpp:464:33 in Exiv2::IptcParser::decode(Exiv2::IptcData&, unsigned char const*, unsigned int)
Shadow bytes around the buggy address:
  0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8020: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c227fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16384==ABORTING
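The report above shows a 1-byte read 0 bytes past the end of a 256-byte DataBuf handed from the PSD resource-block reader to IptcParser::decode. As an added illustration (not exiv2's code), the following simplified IPTC IIM record walker shows the defensive pattern that prevents this class of overrun: every header and data read is checked against the bytes actually remaining in the buffer, so a record that declares more data than the resource block contains is rejected instead of read past the allocation. The record layout (0x1C marker, record number, dataset number, 2-byte big-endian size), the function names and the sample buffers are assumptions constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified IPTC IIM record: marker 0x1C, record, dataset, 2-byte big-endian size.
struct IptcRecord { uint8_t record; uint8_t dataset; std::vector<uint8_t> data; };

// Parses records from buf[0..size). Returns false (without reading past size)
// when a header or a declared data length would overrun the buffer.
bool decodeIptc(const uint8_t* buf, size_t size, std::vector<IptcRecord>& out) {
    size_t pos = 0;
    while (pos < size) {
        if (buf[pos] != 0x1C) return true;        // no marker: treat as end of IPTC data
        if (size - pos < 5) return false;         // header would overrun the buffer
        uint8_t record = buf[pos + 1], dataset = buf[pos + 2];
        uint16_t len = static_cast<uint16_t>((buf[pos + 3] << 8) | buf[pos + 4]);
        pos += 5;
        if (len & 0x8000) return false;           // extended-size records not handled here
        if (size - pos < len) return false;       // data would overrun the buffer (the bug class above)
        out.push_back({record, dataset, std::vector<uint8_t>(buf + pos, buf + pos + len)});
        pos += len;
    }
    return true;
}

// Constructed sample: two well-formed records, 2:05 "Title" and 2:120 "Cap".
static const uint8_t kGood[] = {0x1C, 2, 5, 0, 5, 'T', 'i', 't', 'l', 'e',
                                0x1C, 2, 120, 0, 3, 'C', 'a', 'p'};
// Constructed sample: the second record claims 256 bytes but only 3 follow.
static const uint8_t kTruncated[] = {0x1C, 2, 5, 0, 5, 'T', 'i', 't', 'l', 'e',
                                     0x1C, 2, 120, 0x01, 0x00, 'C', 'a', 'p'};

// Number of records decoded; ok reports whether the whole buffer was consistent.
int countRecords(const uint8_t* buf, size_t size, bool& ok) {
    std::vector<IptcRecord> recs;
    ok = decodeIptc(buf, size, recs);
    return static_cast<int>(recs.size());
}

int main() {
    bool ok;
    int n = countRecords(kGood, sizeof kGood, ok);
    std::printf("good: %d records, ok=%d\n", n, ok);
    n = countRecords(kTruncated, sizeof kTruncated, ok);
    std::printf("truncated: %d records before rejection, ok=%d\n", n, ok);
    return 0;
}
```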
@piponazo piponazo self-assigned this Sep 3, 2018
@piponazo piponazo added the bug label Sep 3, 2018
@piponazo piponazo removed their assignment Sep 3, 2018
@piponazo
Collaborator

piponazo commented Sep 3, 2018

I could easily reproduce the issue, but it does not seem trivial to fix. The problem seems to be in the IptcParser::decode method.

@clanmills clanmills self-assigned this Sep 3, 2018
@clanmills
Collaborator

Thanks for looking into this @piponazo. I've also assigned myself to this. It's unlikely that we will resolve this for v0.27 RC1.

@piponazo
Collaborator

piponazo commented Nov 6, 2018

This issue was fixed by #518

@piponazo piponazo closed this as completed Nov 6, 2018
@piponazo piponazo moved this from TODO to In Progress in v0.27 Nov 6, 2018
@piponazo piponazo assigned piponazo and unassigned clanmills Nov 6, 2018
@piponazo piponazo moved this from In Progress to Done in v0.27 Nov 6, 2018
@hongxuchen
Author

@piponazo Do you mind us requesting CVEs?

@piponazo
Collaborator

piponazo commented Nov 7, 2018

@hongxuchen what do you mean exactly? I am not familiar with how CVEs work, but I am happy with the reports you are sending about vulnerabilities in Exiv2. We will try to fix all the possible vulnerabilities that are reported.

@hongxuchen
Author

@piponazo I mean requesting a CVE id for a vulnerability. Usually it is requested by a developer, a reporter, or someone else, given that the vulnerability can be confirmed.

@piponazo
Collaborator

piponazo commented Nov 7, 2018

For me it is totally fine, as long as it does not increase my workload 😉 . We will analyse the issues reported to our github project, whether or not they have an assigned CVE.

@hongxuchen
Author

@piponazo Thanks, we will post CVE ID if accepted 😃

@clanmills clanmills added this to the v0.27 milestone Nov 7, 2018
@hongxuchen
Author

This got assigned CVE-2018-19107 (the root cause is the same as CVE-2018-19108; however, they are two vulnerabilities).
