CVE-2018-11531: heap buffer overflow in preview.cpp #283

Closed
@fgeek

Description

<snip>
Error: Offset of directory PanasonicRaw, entry 0x0148 is out of bounds: Offset = 0x00000000; truncating the entry
=================================================================
==12668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000dfeb at pc 0x7f8e53eb8d7b bp 0x7ffc8f1625b0 sp 0x7ffc8f161d60
WRITE of size 151 at 0x61300000dfeb thread T0
    #0 0x7f8e53eb8d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x7f8e53089ce3 in getData /home/afl/src/exiv2/src/preview.cpp:811
    #2 0x7f8e5307a65b in Exiv2::PreviewManager::getPreviewProperties() const /home/afl/src/exiv2/src/preview.cpp:1143
    #3 0x7f8e53104dac in Exiv2::Rw2Image::readMetadata() /home/afl/src/exiv2/src/rw2image.cpp:141
    #4 0x55da4bd2e156 in Action::Print::printSummary() /home/afl/src/exiv2/src/actions.cpp:296
    #5 0x55da4bd32267 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/afl/src/exiv2/src/actions.cpp:242
    #6 0x55da4bcc927b in main /home/afl/src/exiv2/src/exiv2.cpp:166
    #7 0x7f8e51f502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55da4bcca019 in _start (/home/afl/builds/exiv2/c80b1b9d51689692bc865f1a1d16bf7fd2a532c4/bin/exiv2+0x13019)

0x61300000dfeb is located 0 bytes to the right of 363-byte region [0x61300000de80,0x61300000dfeb)
allocated by thread T0 here:
    #0 0x7f8e53f1ed70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x7f8e53089a36 in Exiv2::DataBuf::DataBuf(long) ../include/exiv2/types.hpp:206
    #2 0x7f8e53089a36 in getData /home/afl/src/exiv2/src/preview.cpp:805
    #3 0x7f8e5307a65b in Exiv2::PreviewManager::getPreviewProperties() const /home/afl/src/exiv2/src/preview.cpp:1143
    #4 0x7f8e53104dac in Exiv2::Rw2Image::readMetadata() /home/afl/src/exiv2/src/rw2image.cpp:141
    #5 0x55da4bd2e156 in Action::Print::printSummary() /home/afl/src/exiv2/src/actions.cpp:296
    #6 0x55da4bd32267 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/afl/src/exiv2/src/actions.cpp:242
    #7 0x55da4bcc927b in main /home/afl/src/exiv2/src/exiv2.cpp:166
    #8 0x7f8e51f502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12668==ABORTING

Reproducer: exiv2-heap-buffer-overflow-getdata
SHA1: 6c5cfef92f3213cff13e8ddfc737139f686b3370
Tools: afl 2.52b, afl-utils