Segmentation fault caused by uncontrolled recursion of Exiv2::Image::printIFDStructure (src/image.cpp) #216
Comments
Thanks. Today's my birthday. Thank you for this present! Interesting file. You've inserted an IFD that "points to" the IFD at the top of the file. Ingenious trap: The "quick fix" is to test for unreasonably deep recursion and throw: I'll think about this for a day or two and submit a fix.
I've done some additional work on this. We have an outstanding PR to remove printIFDStructure() from readMetadata(). #180 I've provided a patch for tiffimage.cpp (and other image types) which I believe will allow that PR to be submitted. As that removes the call to printStructure() from readMetadata(), this crash will also disappear. However printStructure() is a useful debugging function and I would like to retain it in the code base at the moment. The "quick fix" mentioned above: should be added to the code to prevent an infinite recursive loop which can be caused by the command
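The trap described in the two comments above (an IFD whose link leads back to the IFD at the top of the file) and the depth check proposed as the "quick fix", shown as an added example. This is not Exiv2's code and not the PoC from the issue: it is a minimal little-endian TIFF IFD walker that tracks every IFD offset it has entered and refuses to re-enter one, and additionally caps nesting depth. Assumptions: "II" byte order only, sub-IFD links via the ExifIFD tag (0x8769) and the "next IFD" field, a depth limit of 32 chosen arbitrarily, and two constructed sample files (one benign, one that loops back to IFD0) built inline.

```cpp
// Added example, not Exiv2 code: an IFD walker that detects the looping
// IFD chain discussed in this issue instead of recursing until the stack dies.
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

namespace {

constexpr uint16_t kTagExifIFD = 0x8769; // assumed to be the only sub-IFD link tag here
constexpr int kMaxDepth = 32;            // assumed limit: generous for real files, tiny for a bomb

uint16_t rd16(const std::vector<uint8_t>& d, size_t off) {
    if (off + 2 > d.size()) throw std::runtime_error("read past end of file");
    return static_cast<uint16_t>(d[off] | (d[off + 1] << 8));
}

uint32_t rd32(const std::vector<uint8_t>& d, size_t off) {
    if (off + 4 > d.size()) throw std::runtime_error("read past end of file");
    return static_cast<uint32_t>(d[off]) | (static_cast<uint32_t>(d[off + 1]) << 8) |
           (static_cast<uint32_t>(d[off + 2]) << 16) | (static_cast<uint32_t>(d[off + 3]) << 24);
}

// Walk one IFD and everything it links to. `visited` holds every IFD offset
// already entered; seeing one again means the file contains a cycle, which is
// exactly the "IFD that points to the IFD at the top of the file" case.
void walkIFD(const std::vector<uint8_t>& d, uint32_t off, int depth,
             std::set<uint32_t>& visited, size_t& ifdCount) {
    if (depth > kMaxDepth) throw std::runtime_error("IFD nesting too deep");
    if (!visited.insert(off).second)
        throw std::runtime_error("IFD cycle at offset " + std::to_string(off));
    ++ifdCount;
    uint16_t n = rd16(d, off);
    for (uint16_t i = 0; i < n; ++i) {
        size_t e = off + 2 + 12u * i;          // 12-byte directory entry
        uint16_t tag = rd16(d, e);
        uint32_t value = rd32(d, e + 8);       // value/offset field of the entry
        if (tag == kTagExifIFD) walkIFD(d, value, depth + 1, visited, ifdCount);
    }
    uint32_t next = rd32(d, off + 2 + 12u * n); // "next IFD" link after the entries
    if (next != 0) walkIFD(d, next, depth + 1, visited, ifdCount);
}

// Constructed test data: one IFD with a single LONG entry and a next-IFD link.
void putIFD(std::vector<uint8_t>& d, uint16_t tag, uint32_t link, uint32_t next) {
    auto p16 = [&](uint16_t v) { d.push_back(v & 0xff); d.push_back(v >> 8); };
    auto p32 = [&](uint32_t v) { for (int i = 0; i < 4; ++i) d.push_back((v >> (8 * i)) & 0xff); };
    p16(1); p16(tag); p16(4 /* LONG */); p32(1); p32(link); p32(next);
}

} // namespace

// Returns the number of distinct IFDs reachable from IFD0; throws on a cycle,
// excessive nesting, or an offset outside the buffer.
size_t countIFDs(const std::vector<uint8_t>& d) {
    if (d.size() < 8 || d[0] != 'I' || d[1] != 'I' || rd16(d, 2) != 42)
        throw std::runtime_error("not a little-endian TIFF");
    std::set<uint32_t> visited;
    size_t count = 0;
    walkIFD(d, rd32(d, 4), 0, visited, count);
    return count;
}

// True when the walk finishes; false when the walker rejected the file.
bool walksSafely(const std::vector<uint8_t>& d) {
    try { countIFDs(d); return true; } catch (const std::runtime_error&) { return false; }
}

// Constructed samples (not the issue's PoC). Layout: 8-byte header, IFD0 at
// offset 8 (18 bytes), second IFD at offset 26.
std::vector<uint8_t> benignTiff() {
    std::vector<uint8_t> d = {'I', 'I', 42, 0, 8, 0, 0, 0};
    putIFD(d, kTagExifIFD, 26, 0);       // IFD0 -> Exif sub-IFD at 26
    putIFD(d, 0x0110 /* Model */, 0, 0); // sub-IFD with no further links
    return d;
}

std::vector<uint8_t> cyclicTiff() {
    std::vector<uint8_t> d = {'I', 'I', 42, 0, 8, 0, 0, 0};
    putIFD(d, kTagExifIFD, 26, 0);       // IFD0 -> IFD at 26
    putIFD(d, kTagExifIFD, 8, 0);        // IFD at 26 -> back to IFD0: the trap
    return d;
}

int main() {
    std::cout << "benign: " << countIFDs(benignTiff()) << " IFDs\n";
    try { countIFDs(cyclicTiff()); } catch (const std::runtime_error& e) {
        std::cout << "cyclic: rejected (" << e.what() << ")\n";
    }
    return 0;
}
```

The visited-set check is what actually stops a cycle; the depth cap is the cheaper "quick fix" from the comment and still matters for files that chain thousands of distinct IFDs without ever looping.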
@clanmills, Happy birthday to you! Thanks a lot for your contribution to the exiv2 community.
The bug got resolved by PR Exiv2#461 (slices).
On the latest version of exiv2 (0.26) and the latest master branch, there is a segmentation fault caused by uncontrolled recursion of the Exiv2::Image::printIFDStructure function in the src/image.cpp file, which could cause a denial of service via a crafted tif file.
This issue can be reproduced with the command:
exiv2 $POC
The POC is available at: https://github.com/ProbeFuzzer/poc/blob/master/exiv2/exiv2_0-26_exiv2_uncontrolled-recursion_printIFDStructure.tif
The stack trace is as follows: