Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two out of bound read when read tiff file #254

Closed
xiaoqx opened this issue Mar 29, 2018 · 4 comments
Closed

Two out of bound read when read tiff file #254

xiaoqx opened this issue Mar 29, 2018 · 4 comments
Milestone

Comments

@xiaoqx
Copy link

xiaoqx commented Mar 29, 2018

out of bound read in function Exiv2::Internal::binaryToString and Exiv2::IptcData::printStructure,
the result info with valgrind as follows:
the first one :

==29031== Memcheck, a memory error detector
==29031== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29031== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==29031== Command: ./installed/bin/exiv2 crashes-2018-03-27-15-54/exiv2000id000007,sig:11,src:000947,op:havoc,rep:4
==29031==
==29031== Invalid read of size 1
==29031== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29031== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29031== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29031== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29031== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29031== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29031== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29031== by 0x40E2B6: main (exiv2.cpp:166)
==29031== Address 0x68b5ba2 is 0 bytes after a block of size 2 alloc'd
==29031== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29031== by 0x5231653: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:467)
==29031== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29031== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29031== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29031== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29031== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29031== by 0x40E2B6: main (exiv2.cpp:166)
==29031==
==29031==
==29031== Process terminating with default action of signal 11 (SIGSEGV)
==29031== Access not within mapped region at address 0x6C9B000
==29031== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29031== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29031== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29031== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29031== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29031== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29031== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29031== by 0x40E2B6: main (exiv2.cpp:166)
==29031== If you believe this happened as a result of a stack
==29031== overflow in your program's main thread (unlikely but
==29031== possible), you can try to increase the size of the
==29031== main thread stack using the --main-stacksize= flag.
==29031== The main thread stack size used in this run was 8388608.
==29031==
==29031== HEAP SUMMARY:
==29031== in use at exit: 33,395 bytes in 697 blocks
==29031== total heap usage: 920 allocs, 223 frees, 46,386 bytes allocated
==29031==
==29031== LEAK SUMMARY:
==29031== definitely lost: 0 bytes in 0 blocks
==29031== indirectly lost: 0 bytes in 0 blocks
==29031== possibly lost: 14,018 bytes in 348 blocks
==29031== still reachable: 19,377 bytes in 349 blocks
==29031== suppressed: 0 bytes in 0 blocks
==29031== Rerun with --leak-check=full to see details of leaked memory
==29031==
==29031== For counts of detected and suppressed errors, rerun with: -v
==29031== ERROR SUMMARY: 4084831 errors from 1 contexts (suppressed: 0 from 0)

===============

the second one:

==29386== Memcheck, a memory error detector
==29386== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29386== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==29386== Command: ./installed/bin/exiv2 crashes-2018-03-27-15-54/exiv2000id000020,sig:11,src:001299+000137,op:splice,rep:2
==29386==
==29386== Invalid read of size 1
==29386== at 0x5233FE8: Exiv2::Internal::binaryToString(unsigned char const*, unsigned long, unsigned long) (image.cpp:1031)
==29386== by 0x523B43C: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:364)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== Address 0x68b55b5 is 0 bytes after a block of size 21 alloc'd
==29386== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29386== by 0x5231653: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:467)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386==
==29386== Invalid read of size 1
==29386== at 0x523B4B9: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:357)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== Address 0x68b56b8 is 88 bytes inside a block of size 537 free'd
==29386== at 0x4C2C2BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29386== by 0x5703540: std::basic_ostringstream<char, std::char_traits, std::allocator >::~basic_ostringstream() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19)
==29386== by 0x520D7BB: Exiv2::IptcDataSets::dataSetName(unsigned short, unsigned short) (datasets.cpp:494)
==29386== by 0x523B399: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:362)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386==
==29386== Invalid read of size 1
==29386== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== Address 0x68b6382 is 0 bytes after a block of size 2 alloc'd
==29386== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29386== by 0x5231653: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:467)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386==
==29386==
==29386== Process terminating with default action of signal 11 (SIGSEGV)
==29386== Access not within mapped region at address 0x6C9B000
==29386== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== If you believe this happened as a result of a stack
==29386== overflow in your program's main thread (unlikely but
==29386== possible), you can try to increase the size of the
==29386== main thread stack using the --main-stacksize= flag.
==29386== The main thread stack size used in this run was 8388608.
==29386==
==29386== HEAP SUMMARY:
==29386== in use at exit: 33,451 bytes in 698 blocks
==29386== total heap usage: 929 allocs, 231 frees, 47,782 bytes allocated
==29386==
==29386== LEAK SUMMARY:
==29386== definitely lost: 0 bytes in 0 blocks
==29386== indirectly lost: 0 bytes in 0 blocks
==29386== possibly lost: 14,026 bytes in 348 blocks
==29386== still reachable: 19,425 bytes in 350 blocks
==29386== suppressed: 0 bytes in 0 blocks
==29386== Rerun with --leak-check=full to see details of leaked memory
==29386==
==29386== For counts of detected and suppressed errors, rerun with: -v
==29386== ERROR SUMMARY: 4082854 errors from 3 contexts (suppressed: 0 from 0)

=================

the pocs please refer to :
https://github.com/xiaoqx/pocs/blob/master/exiv2/5-printStructure-outbound-read-1
https://github.com/xiaoqx/pocs/blob/master/exiv2/6-binaryToString-outbound-read-1

@clanmills
Copy link
Collaborator

Thanks for reporting this. PR#180 removes printStructure() from the readMetadata() and will fix this.

@ret2libc
Copy link

The first out-of-bound read has been given CVE-2018-9146. How is that different from CVE-2017-17724? It seems to me it is actually the same bug as #210 .

@ret2libc
Copy link

CVE-2018-9146 has been rejected by MITRE as a duplicate of CVE-2017-17724.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9146

@fgeek
Copy link

fgeek commented May 19, 2018

This can be closed.

@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants