CVE-2018-11531: heap buffer overflow in preview.cpp #283

Closed
fgeek opened this issue Apr 22, 2018 · 4 comments · Fixed by #327

Comments

@fgeek

fgeek commented Apr 22, 2018

<snip>
Error: Offset of directory PanasonicRaw, entry 0x0148 is out of bounds: Offset = 0x00000000; truncating the entry
=================================================================
==12668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000dfeb at pc 0x7f8e53eb8d7b bp 0x7ffc8f1625b0 sp 0x7ffc8f161d60
WRITE of size 151 at 0x61300000dfeb thread T0
    #0 0x7f8e53eb8d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x7f8e53089ce3 in getData /home/afl/src/exiv2/src/preview.cpp:811
    #2 0x7f8e5307a65b in Exiv2::PreviewManager::getPreviewProperties() const /home/afl/src/exiv2/src/preview.cpp:1143
    #3 0x7f8e53104dac in Exiv2::Rw2Image::readMetadata() /home/afl/src/exiv2/src/rw2image.cpp:141
    #4 0x55da4bd2e156 in Action::Print::printSummary() /home/afl/src/exiv2/src/actions.cpp:296
    #5 0x55da4bd32267 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/afl/src/exiv2/src/actions.cpp:242
    #6 0x55da4bcc927b in main /home/afl/src/exiv2/src/exiv2.cpp:166
    #7 0x7f8e51f502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55da4bcca019 in _start (/home/afl/builds/exiv2/c80b1b9d51689692bc865f1a1d16bf7fd2a532c4/bin/exiv2+0x13019)

0x61300000dfeb is located 0 bytes to the right of 363-byte region [0x61300000de80,0x61300000dfeb)
allocated by thread T0 here:
    #0 0x7f8e53f1ed70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x7f8e53089a36 in Exiv2::DataBuf::DataBuf(long) ../include/exiv2/types.hpp:206
    #2 0x7f8e53089a36 in getData /home/afl/src/exiv2/src/preview.cpp:805
    #3 0x7f8e5307a65b in Exiv2::PreviewManager::getPreviewProperties() const /home/afl/src/exiv2/src/preview.cpp:1143
    #4 0x7f8e53104dac in Exiv2::Rw2Image::readMetadata() /home/afl/src/exiv2/src/rw2image.cpp:141
    #5 0x55da4bd2e156 in Action::Print::printSummary() /home/afl/src/exiv2/src/actions.cpp:296
    #6 0x55da4bd32267 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/afl/src/exiv2/src/actions.cpp:242
    #7 0x55da4bcc927b in main /home/afl/src/exiv2/src/exiv2.cpp:166
    #8 0x7f8e51f502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12668==ABORTING

Reproducer: exiv2-heap-buffer-overflow-getdata
SHA1: 6c5cfef92f3213cff13e8ddfc737139f686b3370
Tools: afl 2.52b, afl-utils
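The trace above has the classic shape of this bug class: a heap buffer is sized at one point (frame #1, `DataBuf` constructed in `getData`, preview.cpp:805) and written a few lines later (preview.cpp:811) through a libasan-intercepted copy, and the 151-byte write begins "0 bytes to the right of" the 363-byte region, i.e. the destination offset already equals the allocation length when the copy starts. The following C program is an added illustration of that pattern and of the bounds checks that prevent it; it is not exiv2 code, does not reproduce the RW2 parser, and does not describe what PR #327 changed. All names (`copy_bounded`, `load_preview`, `data_buf`), the little-endian offset/size entry layout and the sample byte arrays are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Heap buffer standing in for a DataBuf(size): pointer plus its length. */
struct data_buf {
    uint8_t *data;
    size_t   len;
};

/* Copy `len` bytes from src[src_off..] to dst[dst_off..] only if both ranges
 * lie inside their buffers. Each check is written as
 * `off > total || len > total - off` rather than `off + len <= total`, so a
 * huge attacker-chosen `len` cannot wrap the sum and slip past the test.
 * Returns 0 on success, -1 if the copy was refused. */
int copy_bounded(uint8_t *dst, size_t dst_len, size_t dst_off,
                 const uint8_t *src, size_t src_len, size_t src_off, size_t len)
{
    if (dst_off > dst_len || len > dst_len - dst_off)
        return -1;                      /* would write past the allocation */
    if (src_off > src_len || len > src_len - src_off)
        return -1;                      /* would read past the file image */
    memcpy(dst + dst_off, src + src_off, len);
    return 0;
}

/* Little-endian u32 read; caller has already checked that 4 bytes exist. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical directory entry: u32 offset then u32 size, both taken from
 * the file and therefore hostile. Validate against the file image, allocate
 * exactly `size` bytes and copy the preview in. Returns 0 and fills *out, or
 * -1 with out->data == NULL on any bounds failure. */
int load_preview(const uint8_t *file, size_t file_len, size_t entry_pos,
                 struct data_buf *out)
{
    uint32_t offset, size;
    uint8_t *buf;

    out->data = NULL;
    out->len  = 0;
    if (entry_pos > file_len || 8 > file_len - entry_pos)
        return -1;                      /* the entry itself does not fit */
    offset = rd32le(file + entry_pos);
    size   = rd32le(file + entry_pos + 4);

    /* Reject before malloc: a bogus size must never reach the allocator. */
    if (offset > file_len || size > file_len - offset)
        return -1;
    buf = malloc(size ? size : 1);
    if (!buf)
        return -1;
    if (copy_bounded(buf, size, 0, file, file_len, offset, size) != 0) {
        free(buf);
        return -1;
    }
    out->data = buf;
    out->len  = size;
    return 0;
}

/* Constructed sample inputs (not real RW2 data): an 8-byte entry at
 * position 0 followed by a 4-byte payload at offset 8. */
static const uint8_t sample_ok[] = {
    0x08, 0x00, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,  /* offset 8, size 4 */
    0xFF, 0xD8, 0xFF, 0xE0 };
static const uint8_t sample_bad_size[] = {             /* claims 151 bytes */
    0x08, 0x00, 0x00, 0x00,  0x97, 0x00, 0x00, 0x00,
    0xFF, 0xD8, 0xFF, 0xE0 };
static const uint8_t sample_bad_offset[] = {           /* offset 4096 */
    0x00, 0x10, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,
    0xFF, 0xD8, 0xFF, 0xE0 };

/* Exercise the samples plus the geometry from the ASan report: a 363-byte
 * region and a 151-byte write starting exactly at its end.
 * Returns how many of the 4 cases behaved as expected. */
int run_checks(void)
{
    struct data_buf b;
    uint8_t region[363], src[151] = {0};
    int ok = 0;

    if (load_preview(sample_ok, sizeof sample_ok, 0, &b) == 0 &&
        b.len == 4 && memcmp(b.data, sample_ok + 8, 4) == 0)
        ok++;
    free(b.data);
    if (load_preview(sample_bad_size, sizeof sample_bad_size, 0, &b) == -1)
        ok++;
    if (load_preview(sample_bad_offset, sizeof sample_bad_offset, 0, &b) == -1)
        ok++;
    if (copy_bounded(region, sizeof region, 363, src, sizeof src, 0, 151) == -1)
        ok++;                           /* dst_off == dst_len: no room at all */
    return ok;
}
```

The two things worth taking from the example are where the check sits and how it is written: the size is validated against the file before anything is allocated (so a corrupt entry like the "Offset ... is out of bounds" one logged above is rejected, not truncated into a later write), and every range test is expressed as a subtraction so that an attacker-controlled length cannot overflow the comparison. Building the real parser with `-fsanitize=address` and running the reproducer is still the fastest way to confirm such a fix.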

@piponazo piponazo self-assigned this May 25, 2018
@piponazo
Collaborator

This issue should be fixed now @fgeek . Thanks for reporting!

@abergmann

CVE-2018-11531 was assigned to this issue.

@fgeek fgeek changed the title heap buffer overflow in preview.cpp CVE-2018-11531: heap buffer overflow in preview.cpp May 29, 2018
@fgeek
Author

fgeek commented Jun 2, 2018

@piponazo Thank you. I can continue fuzzing after the other open bug reports have been closed (printStructure etc.).

@piponazo
Collaborator

piponazo commented Jun 3, 2018

That would be ideal! In the next weeks we want to finish porting the test suite from the old bash system to the new Python one, and at that moment we will fix the problems with printStructure, which is our main source of bugs.

We'll keep you informed ;)

D4N added a commit to D4N/exiv2 that referenced this issue Jun 4, 2018
D4N added a commit that referenced this issue Jun 6, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018