CVE-2017-1000126, 127, 128: multiple memory safety issues

[anarcat]

In this discussion, three CVE identifiers were assigned to exiv2 and they do not seem to be documented here. Those are:

• CVE-2017-1000126 - exiv2 0.26 contains a Stack out of bounds read in webp parser
• CVE-2017-1000127 - Exiv2 0.26 contains a heap buffer overflow in tiff parser
• CVE-2017-1000128 - Description | Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser

All three are triggered by afl when exiv is compiled with ASAN.

[anarcat]

Note that I cannot reproduce those issues in a Debian "wheezy" environment (exiv2 0.23) without ASAN, but running under valgrind, which sometimes reproduces ASAN issues.

[carnil]

@anarcat I think it would be more ideal to track the three individual issues with three bugs, can you split them up per CVE?

[anarcat]

sure, will do.

[anarcat]

i filed #175, #176 and #177 to followup on the issues individually. apologies for the copy-pasted summary, but i didn't know what else to put in there. :p

[piponazo]

Thanks for creating those detailed issues. We will take care of them :)