Skip to content

heap-buffer-overflow Read in Exiv2::Internal::CrwMap::encode #1530

Closed
@henices

Description

@henices

VERSION
exiv 2 0.27.4.1
https://github.com/Exiv2/exiv2/tree/0.27-maintenance

REPRODUCE

Compile exiv2 with asan:

CC=clang CXX=clang++ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS="-fsanitize=address" \
-DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
-DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Dowload testcases:

https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487
https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487.exv

Run command: exiv2 in tests_1bd0a5f4935b053f33ac00f931dde1f47a043487

=================================================================
==119384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000585e at pc 0x0000004c4d0a bp 0x7ffef1036370 sp 0x7ffef1035b20
READ of size 4294967293 at 0x62600000585e thread T0
    #0 0x4c4d09 in __asan_memcpy (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4c4d09)
    #1 0x7f40c9907d88 in Exiv2::Internal::CrwMap::encode0x1810(Exiv2::Image const&, Exiv2::Internal::CrwMapping const*, Exiv2::Internal::CiffHeader*) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4c8d88)
    #2 0x7f40c9911007 in Exiv2::Internal::CrwMap::encode(Exiv2::Internal::CiffHeader*, Exiv2::Image const&) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4d2007)
    #3 0x7f40c9769376 in Exiv2::CrwImage::writeMetadata() (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x32a376)
    #4 0x541653 in (anonymous namespace)::metacopy(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x541653)
    #5 0x545049 in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x545049)
    #6 0x4fddf3 in main (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fddf3)
    #7 0x7f40c8ede1e1 in __libc_start_main /usr/src/debug/glibc-2.32-37-g760e1d2878/csu/../csu/libc-start.c:314:16
    #8 0x4224cd in _start (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4224cd)

0x62600000585e is located 0 bytes to the right of 10078-byte region [0x626000003100,0x62600000585e)
allocated by thread T0 here:
    #0 0x4fad47 in operator new[](unsigned long) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fad47)
    #1 0x7f40c98688b1 in Exiv2::DataBuf::alloc(long) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4298b1)
    #2 0x541653 in (anonymous namespace)::metacopy(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x541653)
    #3 0x545049 in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x545049)
    #4 0x4fddf3 in main (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fddf3)
    #5 0x7f40c8ede1e1 in __libc_start_main /usr/src/debug/glibc-2.32-37-g760e1d2878/csu/../csu/libc-start.c:314:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4c4d09) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c4c7fff8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff8b00: 00 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa
  0x0c4c7fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==119384==ABORTING

Credit: Zhen Zhou of NSFOCUS Security Team

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions