CVE-2017-17669: heap-buffer-overflow in Exiv2::Internal::PngChunk::keyTXTChunk #187
Comments
Thanks, I'll take a look at this.

This issue was assigned CVE-2017-17669

@Young-X Which commit of exiv2 did you build? And can you please retry with the current HEAD?

4be0655 crashes with similar heap-buffer-overflow output from ASan in amd64. Is there a good way to add this reproducer to automated tests?

I believe the relevant code for the first error is this: I think there are several errors here, that are applicable if the key is too big or isn't correctly null terminated.

Here is a potential patch that I believe will solve the issues:

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index da4ccd01..b54bcdac 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -107,15 +107,17 @@ namespace Exiv2 {
{
// From a tEXt, zTXt, or iTXt chunk,
// we get the key, it's a null terminated string at the chunk start
- if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14);
- const byte *key = data.pData_ + (stripHeader ? 8 : 0);
+ const int offset = stripHeader ? 8 : 0;
+ if (data.size_ <= offset) throw Error(14);
+ const byte *key = data.pData_ + offset;
// Find null string at end of key.
int keysize=0;
- for ( ; key[keysize] != 0 ; keysize++)
+ while (key[keysize] != 0)
{
+ keysize++;
// look if keysize is valid.
- if (keysize >= data.size_)
+ if (keysize+offset >= data.size_)
throw Error(14);
}
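Review bot: the moved increment is what makes this hunk a fix: `keysize++` now runs before `if (keysize+offset >= data.size_)`, so the index is validated before `key[keysize]` is read on the next pass, and the very first `key[0]` read is covered by `if (data.size_ <= offset)`; the old loop read first and checked afterwards, and checked against `data.size_` without accounting for the stripped header. Two small follow-ups: update the comment `// look if keysize is valid.` to say the check is against the whole chunk including the header bytes, and give `stripHeader ? 8 : 0` a named constant so the header size is defined in one place.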

@brianmay Thanks for your investigation. I believe you are right and the patch looks good too. Thanks a lot!

Thank you, Brian, for this contribution. Looks about right to me! If you'd like to investigate other issues, the team would value your contribution. We're all over-worked and under-paid volunteers. All assistance is appreciated! https://www.youtube.com/watch?v=3Fv57Lbhmqg

The fix for this and the reproducer are on master.
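The bounds check the patch introduces, as an added stand-alone C example that is not exiv2 code: `png_txt_key_length` is a hypothetical version of the key scan that returns -1 where exiv2 throws Error(14), run over constructed chunk bodies, including one whose key has no NUL terminator (the input that made the original loop read past the heap buffer).

```c
#include <stdio.h>

/* Added example mirroring the patched key scan; not exiv2 code.
   Returns the key length, or -1 when the chunk is too short or the
   key is not NUL-terminated inside the chunk. The original loop read
   key[keysize] first and checked afterwards, and compared keysize
   against the chunk size without the header offset, so a key with no
   terminator walked off the end of the heap buffer. */
long png_txt_key_length(const unsigned char *data, long size, int stripHeader)
{
    const long offset = stripHeader ? 8 : 0;   /* 8 = PNG length + type fields */
    if (size <= offset)
        return -1;                             /* exiv2: throw Error(14) */
    const unsigned char *key = data + offset;
    long keysize = 0;
    while (key[keysize] != 0) {
        keysize++;
        /* validate before the next read: the terminator must lie inside the chunk */
        if (keysize + offset >= size)
            return -1;
    }
    return keysize;
}

/* Constructed sample chunk bodies, not taken from a real PNG file. */
static const unsigned char SAMPLE_TERMINATED[]   = "Comment\0Hello";      /* 13 bytes used */
static const unsigned char SAMPLE_UNTERMINATED[] = {'C','o','m','m','e','n','t'};
static const unsigned char SAMPLE_WITH_HEADER[]  = {0, 0, 0, 10, 't', 'E', 'X', 't',
                                                    'C','o','m','m','e','n','t', 0, 'H','i'};

int main(void)
{
    printf("terminated:   %ld\n", png_txt_key_length(SAMPLE_TERMINATED, 13, 0));   /* 7  */
    printf("unterminated: %ld\n", png_txt_key_length(SAMPLE_UNTERMINATED, 7, 0));  /* -1 */
    printf("with header:  %ld\n", png_txt_key_length(SAMPLE_WITH_HEADER, 18, 1));  /* 7  */
    printf("too short:    %ld\n", png_txt_key_length(SAMPLE_WITH_HEADER, 8, 1));   /* -1 */
    return 0;
}
```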
Description
There is a heap-buffer-overflow vulnerability in Exiv2.
The command is: ./exiv2 POC
Stack trace with asan:
PoC
https://github.com/Young-X/pocs/blob/master/Exiv2/issue_187
Author
Credit to Young_X@VARAS, IIE