a bug in Exiv2::Internal::stringFormat #246

Closed
xiaoqx opened this issue Mar 23, 2018 · 2 comments

xiaoqx commented Mar 23, 2018

A bug results in a segmentation fault in Exiv2::Internal::stringFormat, and it may be a string format vulnerability which could be exploited.
The debug info is as follows:
Breakpoint 1, Exiv2::Internal::stringFormat (format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s") at image.cpp:1013
1013 rc = vsnprintf(&buffer[0], buffer.size(), format, args);
gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffd540 --> 0x7ffffbad8001
RCX: 0xffffffffffffffff
RDX: 0x28 ('(')
RSI: 0x7fffffe8
RDI: 0x1000000000000
RBP: 0x7fffffffd530 --> 0x644b70 (" 63 | 0xfffffff")
RSP: 0x7fffffffcf50 --> 0x0
RIP: 0x7ffff6d06943 (<_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi])
R8 : 0x7fffffff
R9 : 0x7ffff7fe3780 (0x00007ffff7fe3780)
R10: 0x7ffff707bfe0 --> 0x0
R11: 0x0
R12: 0x7ffff6d08f69 (<_IO_vfprintf_internal+17193>: cmp BYTE PTR [rbp-0x508],0x0)
R13: 0x1000000000000
R14: 0x7ffff78a1879 ("%8ld | 0xff%02x %-5s")
R15: 0x7fffffffd6e0 --> 0x3000000028 ('(')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6d0693a <_IO_vfprintf_internal+7418>: xor eax,eax
0x7ffff6d0693c <_IO_vfprintf_internal+7420>: or rcx,0xffffffffffffffff
0x7ffff6d06940 <_IO_vfprintf_internal+7424>: mov rdi,r13
=> 0x7ffff6d06943 <_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi]
0x7ffff6d06945 <_IO_vfprintf_internal+7429>: mov DWORD PTR [rbp-0x508],0x0
0x7ffff6d0694f <_IO_vfprintf_internal+7439>: mov rsi,rcx
0x7ffff6d06952 <_IO_vfprintf_internal+7442>: not rsi
0x7ffff6d06955 <_IO_vfprintf_internal+7445>: lea r10,[rsi-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcf50 --> 0x0
0008| 0x7fffffffcf58 --> 0x0
0016| 0x7fffffffcf60 --> 0x0
0024| 0x7fffffffcf68 --> 0x0
0032| 0x7fffffffcf70 --> 0x0
0040| 0x7fffffffcf78 --> 0x0
0048| 0x7fffffffcf80 --> 0x7fffffffd0b0 --> 0xffffffffffffffff
0056| 0x7fffffffcf88 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6d06943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd540, format=, format@entry=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6e0) at vfprintf.c:1661
1661 vfprintf.c: No such file or directory.
gdb-peda$ bt
#0 0x00007ffff6d06943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd540, format=, format@entry=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6e0) at vfprintf.c:1661
#1 0x00007ffff6d2d499 in _IO_vsnprintf (string=0x644b70 " 63 | 0xfffffff", maxlen=, format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", args=0x7fffffffd6e0) at vsnprintf.c:119
#2 0x00007ffff778247d in Exiv2::Internal::stringFormat (format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s") at image.cpp:1013
#3 0x00007ffff77966e9 in Exiv2::JpegBase::printStructure (this=0x644a60, out=..., option=Exiv2::kpsBasic, depth=0x0) at jpgimage.cpp:787
#4 0x000000000041cafe in Action::Print::printStructure (this=0x6447e0, out=..., option=Exiv2::kpsBasic) at actions.cpp:283
#5 0x000000000041c87b in Action::Print::run (this=0x6447e0, path="/data/xqx/projects/docker-fuzz/testcases/pics/exiv2/1-poc.jpg") at actions.cpp:246
#6 0x000000000040e337 in main (argc=0x3, argv=0x7fffffffe4b8) at exiv2.cpp:166
#7 0x00007ffff6cdcf45 in __libc_start_main (main=0x40e07e <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe4b8, init=, fini=, rtld_fini=, stack_end=0x7fffffffe4a8) at libc-start.c:287
#8 0x000000000040dfb9 in _start ()

=========================================
The bug-triggering command line is: ./bin/.libs/lt-exiv2 -pS $POC
Please refer to the following URL for the PoC:
https://github.com/xiaoqx/pocs/blob/master/exiv2/1-string-format.jpg

D4N (Member) commented Mar 23, 2018

Thank you very much for the report! I have identified the issue; it is an out-of-bounds read and not a string format vulnerability. It can be fixed with the following patch:

diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
index 7b343a5c..d442bd71 100644
--- a/src/jpgimage.cpp
+++ b/src/jpgimage.cpp
@@ -556,9 +556,10 @@ namespace Exiv2 {
         }
     } // JpegBase::readMetadata

-#define REPORT_MARKER if ( (option == kpsBasic||option == kpsRecursive) ) \
-     out << Internal::stringFormat("%8ld | 0xff%02x %-5s", \
-                             io_->tell()-2,marker,nm[marker].c_str())
+#define REPORT_MARKER                                                                                          \
+    if ((option == kpsBasic || option == kpsRecursive)) {                                                      \
+        out << Internal::stringFormat("%8ld | 0xff%02x %-5s", io_->tell() - 2, marker, nm.at(marker).c_str()); \
+    }

     void JpegBase::printStructure(std::ostream& out, PrintStructureOption option,int depth)
     {
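Review bot: Switching to `nm.at(marker)` in REPORT_MARKER turns the out-of-bounds read into a `std::out_of_range` exception for any index outside 0..255 (a negative `int` index converts to a very large `size_t`, so it throws as well), but nothing in this hunk validates `marker` before the lookup, so a malformed file now ends the print with an exception rather than a segfault. Consider an explicit range check before the table access (e.g. `if (marker < 0 || marker > 0xff)` reporting an invalid marker) or making sure the exception is caught where printStructure is invoked, so a truncated JPEG yields a clean error message. Minor: `if ((option == kpsBasic || option == kpsRecursive))` keeps the doubled parentheses from the old macro; one pair is enough.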
@@ -575,7 +576,7 @@ namespace Exiv2 {
         if ( bPrint || option == kpsXMP || option == kpsIccProfile || option == kpsIptcErase ) {

             // nmonic for markers
-            std::string nm[256] ;
+           std::vector<std::string> nm(256) ;
             nm[0xd8]="SOI"  ;
             nm[0xd9]="EOI"  ;
             nm[0xda]="SOS"  ;
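Review bot: The added line `+           std::vector<std::string> nm(256) ;` is indented 11 spaces while the surrounding block (`std::string nm[256] ;` and the `nm[0xd8]` lines below) uses 12, so it will look misaligned once applied; re-indent to match. Since a 256-entry table already covers every value an unsigned byte can take, the switch to `std::vector` only buys anything because `marker` can hold values outside that range; a one-line comment saying so (and why `.at()` is used) would help future readers who might otherwise revert it to a plain array.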

I'll submit a fix for that once I have more time.
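The mechanism behind this crash, as an added example that is not Exiv2's own code: a 256-entry mnemonic table indexed by a marker value, `%-5s` formatting of the looked-up name (which is what hands vsnprintf a garbage pointer when the index is out of range), and two hardened forms, the `vector::at()` approach from the patch above and an explicit range check before the lookup. The function names `makeMarkerTable`, `lookupThrows`, `markerName` and `reportMarker` are assumptions for this example.

```cpp
// Added example, not Exiv2 code. Names below are assumptions for illustration.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Mnemonic table for JPEG marker bytes, like the nm[256] table in the report.
// Entries that are never assigned stay empty strings.
static std::vector<std::string> makeMarkerTable() {
    std::vector<std::string> nm(256);
    nm[0xd8] = "SOI";
    nm[0xd9] = "EOI";
    nm[0xda] = "SOS";
    return nm;
}

// Unchecked form (what crashed): nm[marker] with marker outside 0..255 reads past
// the table, yields a garbage std::string object, and its c_str() is then passed
// to "%-5s", where vsnprintf's strlen faults. Not executed here, because it is
// undefined behaviour.

// Hardened form 1 (the patch's approach): vector::at() throws std::out_of_range
// for any index >= 256. A negative int converts to a huge size_t, so a sentinel
// such as -1 also throws instead of reading out of bounds.
// Returns true if the lookup threw.
bool lookupThrows(int marker) {
    static const std::vector<std::string> nm = makeMarkerTable();
    try {
        (void)nm.at(static_cast<std::size_t>(marker));
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Hardened form 2: validate the index before the table is touched, so an
// unknown marker can never produce a dangling pointer for "%-5s".
std::string markerName(int marker) {
    static const std::vector<std::string> nm = makeMarkerTable();
    if (marker < 0 || marker > 0xff) return "?";  // out of range: no lookup at all
    return nm[static_cast<std::size_t>(marker)];
}

// Format one line the way REPORT_MARKER does, into a size-bounded buffer,
// reporting out-of-range markers explicitly instead of indexing the table.
std::string reportMarker(long offset, int marker) {
    char buf[64];
    if (marker < 0 || marker > 0xff) {
        std::snprintf(buf, sizeof buf, "%8ld | invalid marker %d", offset, marker);
    } else {
        std::snprintf(buf, sizeof buf, "%8ld | 0xff%02x %-5s", offset,
                      static_cast<unsigned>(marker), markerName(marker).c_str());
    }
    return buf;
}

int main() {
    std::printf("%s\n", reportMarker(63, 0xd8).c_str());
    std::printf("%s\n", reportMarker(63, -1).c_str());
    std::printf("at(-1) throws: %s\n", lookupThrows(-1) ? "yes" : "no");
    return 0;
}
```

Either hardened form stops the invalid pointer from reaching vsnprintf; the difference is that `at()` surfaces a bad marker as an exception that a caller must handle, while the range check keeps the structure dump going and names the problem in the output.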

piponazo (Collaborator) commented Apr 1, 2018

This was also fixed with #256

@piponazo piponazo closed this as completed Apr 1, 2018