Closed
Description
VERSION
exiv 2 0.27.4.1
https://github.com/Exiv2/exiv2/tree/0.27-maintenance
REPRODUCE
Compile exiv2 with asan:
CC=clang CXX=clang++ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS="-fsanitize=address" \
-DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
-DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
Dowload testcases:
https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487
https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487.exv
Run command: exiv2 in tests_1bd0a5f4935b053f33ac00f931dde1f47a043487
=================================================================
==119384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000585e at pc 0x0000004c4d0a bp 0x7ffef1036370 sp 0x7ffef1035b20
READ of size 4294967293 at 0x62600000585e thread T0
#0 0x4c4d09 in __asan_memcpy (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4c4d09)
#1 0x7f40c9907d88 in Exiv2::Internal::CrwMap::encode0x1810(Exiv2::Image const&, Exiv2::Internal::CrwMapping const*, Exiv2::Internal::CiffHeader*) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4c8d88)
#2 0x7f40c9911007 in Exiv2::Internal::CrwMap::encode(Exiv2::Internal::CiffHeader*, Exiv2::Image const&) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4d2007)
#3 0x7f40c9769376 in Exiv2::CrwImage::writeMetadata() (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x32a376)
#4 0x541653 in (anonymous namespace)::metacopy(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x541653)
#5 0x545049 in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x545049)
#6 0x4fddf3 in main (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fddf3)
#7 0x7f40c8ede1e1 in __libc_start_main /usr/src/debug/glibc-2.32-37-g760e1d2878/csu/../csu/libc-start.c:314:16
#8 0x4224cd in _start (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4224cd)
0x62600000585e is located 0 bytes to the right of 10078-byte region [0x626000003100,0x62600000585e)
allocated by thread T0 here:
#0 0x4fad47 in operator new[](unsigned long) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fad47)
#1 0x7f40c98688b1 in Exiv2::DataBuf::alloc(long) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4298b1)
#2 0x541653 in (anonymous namespace)::metacopy(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x541653)
#3 0x545049 in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x545049)
#4 0x4fddf3 in main (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fddf3)
#5 0x7f40c8ede1e1 in __libc_start_main /usr/src/debug/glibc-2.32-37-g760e1d2878/csu/../csu/libc-start.c:314:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4c4d09) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c4c7fff8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff8b00: 00 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa
0x0c4c7fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==119384==ABORTING
Credit: Zhen Zhou of NSFOCUS Security Team