CVE-2017-18005: NULL Pointer Dereference while extracting metadata of a malformed tiff #168
There's a NULL Pointer Dereference occurring during the metadata extraction from a malformed tiff file.
The hexdump of the test-case is:
The relevant ASAN output is:
It looks like the NULL-Pointer Dereference is being triggered by a 0 value which is being used in the toLong function in the value of n, which is being dereferenced in
This is indicated by the GDB backtrace:
Exiv2 version 0.26 001a00 (64 bit build)
At least with exiv2json the culprit is probably the function which reads in the image metadata or one of the following functions, as the crash occurs due to a std::vector with zero capacity being dereferenced unsafely. This will probably be trickier than I was hoping.
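To illustrate the failure class named in the comment above (a count of zero from a malformed TIFF entry yielding an empty std::vector that is then indexed), here is an added example that is not Exiv2's code: a simplified, hypothetical LongValue with a bounds-checked toLong beside the unchecked form, fed by a minimal parser for one little-endian 12-byte IFD entry whose LONG data is stored inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Decode little-endian integers (TIFF "II" byte order) portably.
static uint32_t rd32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
static uint16_t rd16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }

// Hypothetical stand-in for a metadata value holding TIFF LONG elements.
// Exiv2's own Value classes are not reproduced here.
struct LongValue {
    std::vector<uint32_t> data;  // element count comes from the untrusted file

    // Unchecked form: on an empty vector, data[n] reads through the vector's
    // null data pointer, which is the crash class this issue describes.
    uint32_t toLongUnchecked(size_t n) const { return data[n]; }

    // Checked form: refuse any index outside the stored elements.
    uint32_t toLong(size_t n) const {
        if (n >= data.size()) throw std::out_of_range("toLong: index outside value data");
        return data[n];
    }
};

// Parse one 12-byte IFD entry (tag, type, count, value/offset) whose LONG data
// fits inline. A malformed entry with count == 0 produces an empty vector.
LongValue parseLongEntry(const uint8_t* entry) {
    LongValue v;
    uint16_t type = rd16(entry + 2);
    uint32_t count = rd32(entry + 4);
    if (type == 4 && count == 1)  // TIFF type 4 = LONG, a single inline value
        v.data.push_back(rd32(entry + 8));
    return v;
}

// Number of elements the parser actually stored for this entry.
size_t elementCount(const uint8_t* entry) { return parseLongEntry(entry).data.size(); }

// Read element n safely: returns -1 instead of dereferencing missing data.
long readLongAt(const uint8_t* entry, size_t n) {
    LongValue v = parseLongEntry(entry);
    try { return static_cast<long>(v.toLong(n)); }
    catch (const std::out_of_range&) { return -1; }
}

// Constructed sample entries (tag 0x0100 ImageWidth, type LONG, little-endian).
const uint8_t kGoodEntry[12]      = {0x00,0x01, 0x04,0x00, 0x01,0,0,0, 0x80,0x02,0,0};  // count 1, value 640
const uint8_t kMalformedEntry[12] = {0x00,0x01, 0x04,0x00, 0x00,0,0,0, 0x80,0x02,0,0};  // count 0
```

Under ASAN the unchecked accessor on kMalformedEntry reports the null read; the checked path surfaces the bad count as an error the caller can handle.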
No, sorry, not yet. I didn't have the time to debug this further, as I am currently working on some improvements under the hood. I hope to take a look at this issue soon, but I can't promise a certain date.
If you think that this is more important (e.g. because you can actively exploit this), please tell me (in the case of an active exploit, please do so via email).