CVE-2017-18005: NULL Pointer Dereference while extracting metadata of a malformed tiff #168
Comments
Thanks for the report. However, I can neither reproduce this with the master branch nor with the 0.26 branch (that is, version 0.26 + backported security fixes). Could you try your reproducer against those two branches and report back if the issue is resolved?

I found this issue on the master branch, git-cloned from this repository.

You are right, apparently I did not properly clean up the repository. Your file also triggers a different kind of crash with exiv2json, so I suspect that the bug is triggered somewhere else. Anyway, I'll take a look at this.

Very interesting, let me check out the crash with exiv2json.

At least with exiv2json the culprit is probably the function which reads in the image metadata or one of the following functions, as the crash occurs due to a std::vector with zero capacity being dereferenced unsafely. This will probably be trickier than I was hoping.

Hey, was this fixed?

No, sorry, not yet. I didn't have the time to debug this further, as I am currently working on some improvements under the hood. I hope to take a look at this issue soon, but I can't promise a certain date. If you think that this is more important (e.g. because you can actively exploit this), please tell me (in the case of an active exploit, please do so via email).

This issue has been assigned CVE-2017-18005

FYI this will be fixed by #199

#199 has been merged
There's a NULL Pointer Dereference occurring during the metadata extraction from a malformed tiff file.
This can be triggered by running
./exiv2 -v pr -P EIXxgklnycsvth %file%
on the test-case, exiv2-nullpointerderef.zip. The hexdump of the test-case is:
The relevant ASAN output is:
It looks like the NULL-Pointer Dereference is being triggered by a 0 value which is being used in the toLong function in the value of n, which is being dereferenced in
return value_[n];
This is indicated by the GDB backtrace:
Debug info:
Exiv2 version 0.26 001a00 (64 bit build)
Compiler: gcc 7.2, clang 4.0.1-6
OS: Ubuntu 17.10
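A reduced illustration of the failure mode the report describes, added here as an example that is not exiv2's source code: a minimal little-endian TIFF IFD entry decoder whose component vector ends up empty when the entry's count field is 0, with the unchecked value_[n] indexing shown beside a bounds-checked toLong(). The struct, helper names and sample entry bytes are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
// Constructed illustration (not exiv2's source). A TIFF IFD entry is 12 bytes:
// tag(2) type(2) count(4) value-or-offset(4). A malformed entry can carry
// count == 0, which leaves the decoded component vector empty.
struct TagValue {
    uint16_t tag = 0;
    uint16_t type = 0;
    std::vector<long> value_;  // decoded components; empty when count == 0

    // The unsafe pattern the report describes: value_[n] with no bounds check.
    // On an empty vector this reads through an invalid (often null) data pointer.
    long toLongUnchecked(size_t n) const { return value_[n]; }
    // Hardened form: refuse to index past the components that were parsed.
    long toLong(size_t n) const {
        if (n >= value_.size())
            throw std::out_of_range("toLong: no component at requested index");
        return value_[n];
    }
};
static uint16_t rd16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t* p) { return rd16(p) | (uint32_t(rd16(p + 2)) << 16); }
// Decode one little-endian ("II") IFD entry whose SHORT(3)/LONG(4) data fits inline.
TagValue parseIfdEntry(const std::vector<uint8_t>& e) {
    if (e.size() != 12) throw std::invalid_argument("IFD entry must be 12 bytes");
    TagValue v;
    v.tag = rd16(&e[0]);
    v.type = rd16(&e[2]);
    uint32_t count = rd32(&e[4]);
    // Only inline data is handled: up to 2 SHORTs or 1 LONG fit in the value field.
    if (v.type == 3 && count <= 2)
        for (uint32_t i = 0; i < count; ++i) v.value_.push_back(rd16(&e[8 + 2 * i]));
    else if (v.type == 4 && count == 1)
        v.value_.push_back(rd32(&e[8]));
    // Larger counts point to an offset elsewhere in the file; out of scope here.
    return v;
}
// Caller pattern: report a missing component instead of dereferencing it.
long firstComponentOr(const TagValue& v, long fallback) {
    try { return v.toLong(0); } catch (const std::out_of_range&) { return fallback; }
}
// Constructed sample entries: ImageWidth (0x0100), SHORT, count 1, value 640 ...
const std::vector<uint8_t> kGoodEntry      = {0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x80,0x02,0x00,0x00};
// ... and the same tag with count 0, as a malformed file would produce.
const std::vector<uint8_t> kMalformedEntry = {0x00,0x01, 0x03,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00};
```

With kMalformedEntry, toLongUnchecked(0) is exactly the out-of-bounds read the ASAN report points at, while toLong(0) throws and firstComponentOr() returns the fallback.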