CVE-2017-17724: heap-buffer-overflow src/iptc.cpp:354 in Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) #210
Comments
This has been assigned CVE-2017-17724
This appears to be fixed on 'master'
@clanmills you need to build with ASan to detect the issue. Without ASan I see the same output.
Thanks, Henri. I've reproduced this and I am investigating.
It can also be triggered with Valgrind:
I know what's causing this and I'm working on a fix. The code in Exiv2::IptcData::printStructure is reading bytes past the end of the buffer. The current code is:
The following modification allows the "crashing tiff" (2018-01-09-exiv2-crash-002.tiff) to work:
I will revisit the IPTC spec to remind myself about the data format of an IPTC buffer and how it is terminated.
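The read-past-the-end described in the comment above is what a dumper of IPTC datasets hits when it trusts the size field in a dataset header without checking how many bytes are actually left. The following is an added example, not Exiv2's code or the fix from the issue: a bounds-checked walk over an IPTC IIM buffer (assumed layout: 0x1C marker, record, dataset, 2-byte big-endian size, with an extended size field when the high bit is set) that stops cleanly on a truncated buffer instead of reading beyond it.

```cpp
// Added example, not Exiv2 code: bounds-checked walk over IPTC IIM datasets.
// Assumed layout per dataset: 0x1C, record, dataset, 2-byte big-endian size;
// a size with the high bit set means its low 15 bits are the length of the
// extended size field that follows (the IIM rule, not Exiv2's own API).
#include <cstddef>
#include <cstdint>
#include <vector>

struct IptcDataset { uint8_t record, dataset; size_t size, offset; };

// Returns true only if every header and payload lies inside [buf, buf+len);
// returns false as soon as a read would run past the end, rather than
// performing it as an unchecked loop would.
bool walkIptc(const uint8_t* buf, size_t len, std::vector<IptcDataset>& out) {
    size_t pos = 0;
    while (pos < len) {
        if (buf[pos] != 0x1C || len - pos < 5) return false;   // bad/short header
        size_t size = (size_t(buf[pos + 3]) << 8) | buf[pos + 4];
        size_t hdr = 5;
        if (size & 0x8000) {                                    // extended size
            size_t n = size & 0x7FFF;
            if (n == 0 || n > 4 || len - pos - hdr < n) return false;
            size = 0;
            for (size_t i = 0; i < n; ++i) size = (size << 8) | buf[pos + hdr + i];
            hdr += n;
        }
        if (len - pos - hdr < size) return false;               // payload overrun
        out.push_back({buf[pos + 1], buf[pos + 2], size, pos + hdr});
        pos += hdr + size;
    }
    return true;
}

// Constructed sample: record 2 dataset 5 (ObjectName) "Exiv2", then
// record 2 dataset 120 (Caption) "ok".
static const uint8_t kGoodIptc[] = {
    0x1C, 0x02, 0x05, 0x00, 0x05, 'E', 'x', 'i', 'v', '2',
    0x1C, 0x02, 0x78, 0x00, 0x02, 'o', 'k'};
// Dropping the last byte leaves a header promising 2 payload bytes with
// only 1 remaining: the read-past-the-end case the comment above describes.
static const size_t kTruncatedLen = sizeof(kGoodIptc) - 1;

// Number of datasets parsed, or -1 if the buffer is malformed or truncated.
int countIptcDatasets(const uint8_t* buf, size_t len) {
    std::vector<IptcDataset> v;
    return walkIptc(buf, len, v) ? int(v.size()) : -1;
}
```

Run under ASan with a fuzzed input such as the attached TIFF's IPTC block, the unchecked variant reports a heap-buffer-overflow where this one simply returns -1.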
@kbabiochSUSE There is a secondary issue (as you've observed) with Exiv2::Internal::binaryToString(). By "secondary", I mean this is not the principal reason for the crash in this bug report, and my work-around ensures that binaryToString() isn't called. However, you have made a valid observation that binaryToString() can cause issues and I'll investigate that once I've dealt with IptcData::printStructure().
I think the "secondary" issue is already logged (#209). The reason that it's "secondary" in this context is because Valgrind failed to detect the "primary" issue of the buffer overrun in Exiv2::IptcData::printStructure, which was detected when clang compiled the code with -fsanitize=address.
Is there a patch for this CVE-2017-17724?
This got fixed by #461.
http://bugs.fi/media/afl/exiv2/2018-01-09-exiv2-crash-002.tiff
4be0655