Out-of-bounds read in functions Exiv2::Internal::binaryToString and Exiv2::IptcData::printStructure;
the valgrind output is as follows.
The first one:
==29031== Memcheck, a memory error detector
==29031== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29031== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==29031== Command: ./installed/bin/exiv2 crashes-2018-03-27-15-54/exiv2000id000007,sig:11,src:000947,op:havoc,rep:4
==29031==
==29031== Invalid read of size 1
==29031== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29031== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29031== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29031== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29031== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29031== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29031== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29031== by 0x40E2B6: main (exiv2.cpp:166)
==29031== Address 0x68b5ba2 is 0 bytes after a block of size 2 alloc'd
==29031== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29031== by 0x5231653: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:467)
==29031== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29031== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29031== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29031== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29031== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29031== by 0x40E2B6: main (exiv2.cpp:166)
==29031==
==29031==
==29031== Process terminating with default action of signal 11 (SIGSEGV)
==29031== Access not within mapped region at address 0x6C9B000
==29031== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29031== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29031== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29031== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29031== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29031== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29031== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29031== by 0x40E2B6: main (exiv2.cpp:166)
==29031== If you believe this happened as a result of a stack
==29031== overflow in your program's main thread (unlikely but
==29031== possible), you can try to increase the size of the
==29031== main thread stack using the --main-stacksize= flag.
==29031== The main thread stack size used in this run was 8388608.
==29031==
==29031== HEAP SUMMARY:
==29031== in use at exit: 33,395 bytes in 697 blocks
==29031== total heap usage: 920 allocs, 223 frees, 46,386 bytes allocated
==29031==
==29031== LEAK SUMMARY:
==29031== definitely lost: 0 bytes in 0 blocks
==29031== indirectly lost: 0 bytes in 0 blocks
==29031== possibly lost: 14,018 bytes in 348 blocks
==29031== still reachable: 19,377 bytes in 349 blocks
==29031== suppressed: 0 bytes in 0 blocks
==29031== Rerun with --leak-check=full to see details of leaked memory
==29031==
==29031== For counts of detected and suppressed errors, rerun with: -v
==29031== ERROR SUMMARY: 4084831 errors from 1 contexts (suppressed: 0 from 0)
===============
The second one:
==29386== Memcheck, a memory error detector
==29386== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29386== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==29386== Command: ./installed/bin/exiv2 crashes-2018-03-27-15-54/exiv2000id000020,sig:11,src:001299+000137,op:splice,rep:2
==29386==
==29386== Invalid read of size 1
==29386== at 0x5233FE8: Exiv2::Internal::binaryToString(unsigned char const*, unsigned long, unsigned long) (image.cpp:1031)
==29386== by 0x523B43C: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:364)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== Address 0x68b55b5 is 0 bytes after a block of size 21 alloc'd
==29386== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29386== by 0x5231653: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:467)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386==
==29386== Invalid read of size 1
==29386== at 0x523B4B9: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:357)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== Address 0x68b56b8 is 88 bytes inside a block of size 537 free'd
==29386== at 0x4C2C2BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29386== by 0x5703540: std::basic_ostringstream<char, std::char_traits<char>, std::allocator<char> >::~basic_ostringstream() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19)
==29386== by 0x520D7BB: Exiv2::IptcDataSets::dataSetName(unsigned short, unsigned short) (datasets.cpp:494)
==29386== by 0x523B399: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:362)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386==
==29386== Invalid read of size 1
==29386== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== Address 0x68b6382 is 0 bytes after a block of size 2 alloc'd
==29386== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29386== by 0x5231653: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:467)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386==
==29386==
==29386== Process terminating with default action of signal 11 (SIGSEGV)
==29386== Access not within mapped region at address 0x6C9B000
==29386== at 0x523B295: Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) (iptc.cpp:354)
==29386== by 0x52316CC: Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) (image.cpp:470)
==29386== by 0x5231E0F: Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) (image.cpp:533)
==29386== by 0x52CB2FA: Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (tiffimage.cpp:344)
==29386== by 0x52CA550: Exiv2::TiffImage::readMetadata() (tiffimage.cpp:187)
==29386== by 0x41CBE8: Action::Print::printSummary() (actions.cpp:296)
==29386== by 0x41C7A6: Action::Print::run(std::string const&) (actions.cpp:242)
==29386== by 0x40E2B6: main (exiv2.cpp:166)
==29386== If you believe this happened as a result of a stack
==29386== overflow in your program's main thread (unlikely but
==29386== possible), you can try to increase the size of the
==29386== main thread stack using the --main-stacksize= flag.
==29386== The main thread stack size used in this run was 8388608.
==29386==
==29386== HEAP SUMMARY:
==29386== in use at exit: 33,451 bytes in 698 blocks
==29386== total heap usage: 929 allocs, 231 frees, 47,782 bytes allocated
==29386==
==29386== LEAK SUMMARY:
==29386== definitely lost: 0 bytes in 0 blocks
==29386== indirectly lost: 0 bytes in 0 blocks
==29386== possibly lost: 14,026 bytes in 348 blocks
==29386== still reachable: 19,425 bytes in 350 blocks
==29386== suppressed: 0 bytes in 0 blocks
==29386== Rerun with --leak-check=full to see details of leaked memory
==29386==
==29386== For counts of detected and suppressed errors, rerun with: -v
==29386== ERROR SUMMARY: 4082854 errors from 3 contexts (suppressed: 0 from 0)
The first out-of-bounds read has been given CVE-2018-9146. How is that different from CVE-2017-17724? It seems to me it is actually the same bug as #210.
=================
The PoCs can be found at:
https://github.com/xiaoqx/pocs/blob/master/exiv2/5-printStructure-outbound-read-1
https://github.com/xiaoqx/pocs/blob/master/exiv2/6-binaryToString-outbound-read-1
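As an added example (not Exiv2's code and not the fix for this issue), here is a bounds-checked walk over an IPTC IIM blob of the kind printStructure iterates, run against constructed inputs that mirror the two traces above: a 2-byte blob cut off inside the 5-byte tag header, and a 21-byte blob whose length field claims more payload than the buffer holds. The layout assumed is the standard IIM tag (0x1C marker, record number, dataset number, 2-byte big-endian length); the extended-length form is reported as unsupported rather than parsed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// One IPTC IIM dataset: 0x1C marker, record number, dataset number,
// 2-byte big-endian payload length, then the payload bytes.
struct IptcRecord {
    uint8_t record;
    uint8_t dataset;
    std::vector<uint8_t> payload;
};

enum class IptcStatus { Ok, TruncatedHeader, BadMarker, ExtendedTagUnsupported, TruncatedPayload };

// Bounds-checked parse of an IPTC blob of exactly `size` bytes. Every read is
// preceded by a check that the bytes exist, so a blob cut off mid-header or
// mid-payload produces a status code instead of a read past the buffer end.
IptcStatus parseIptcRecords(const uint8_t* data, size_t size, std::vector<IptcRecord>& out) {
    const size_t headerLen = 5;  // marker + record + dataset + 2-byte length
    size_t pos = 0;
    while (pos < size) {
        // The whole header must be inside the buffer before any of it is read.
        if (size - pos < headerLen) return IptcStatus::TruncatedHeader;
        if (data[pos] != 0x1C) return IptcStatus::BadMarker;
        uint8_t record = data[pos + 1];
        uint8_t dataset = data[pos + 2];
        uint16_t len = static_cast<uint16_t>((data[pos + 3] << 8) | data[pos + 4]);
        if (len & 0x8000) return IptcStatus::ExtendedTagUnsupported;  // extended tag form
        pos += headerLen;
        // The length field comes from the file; check it against what remains.
        if (len > size - pos) return IptcStatus::TruncatedPayload;
        out.push_back({record, dataset, std::vector<uint8_t>(data + pos, data + pos + len)});
        pos += len;
    }
    return IptcStatus::Ok;
}

// Convenience wrappers used by the demo below.
IptcStatus parseBlob(const std::vector<uint8_t>& blob) {
    std::vector<IptcRecord> recs;
    return parseIptcRecords(blob.data(), blob.size(), recs);
}
size_t countRecords(const std::vector<uint8_t>& blob) {
    std::vector<IptcRecord> recs;
    if (parseIptcRecords(blob.data(), blob.size(), recs) != IptcStatus::Ok) return 0;
    return recs.size();
}

// Constructed sample inputs (not the report's PoC files).
// Well-formed: record 2, dataset 5 with the 2-byte payload "Hi".
const std::vector<uint8_t> kGoodBlob = {0x1C, 0x02, 0x05, 0x00, 0x02, 'H', 'i'};
// A 2-byte blob, like the "block of size 2" in the first trace.
const std::vector<uint8_t> kTwoByteBlob = {0x1C, 0x02};
// A 21-byte blob, like the "block of size 21", whose length field says 255.
const std::vector<uint8_t> kLyingLengthBlob = {0x1C, 0x02, 0x19, 0x00, 0xFF,
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p'};

int main() {
    std::printf("good: status %d, records %zu\n", (int)parseBlob(kGoodBlob), countRecords(kGoodBlob));
    std::printf("2-byte blob: status %d\n", (int)parseBlob(kTwoByteBlob));
    std::printf("lying length: status %d\n", (int)parseBlob(kLyingLengthBlob));
    return 0;
}
```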