heap-buffer-overflow on Exiv2::Internal::PngChunk::parseTXTChunk #306

Closed
legend-issue opened this issue May 10, 2018 · 5 comments

@legend-issue
commented May 10, 2018

```
=================================================================
==30669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f710 at pc 0x7fa47d77b20b bp 0x7ffd844044b0 sp 0x7ffd84403c58
READ of size 1137 at 0x61a00001f710 thread T0
    #0 0x7fa47d77b20a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x7fa47d3ce8bf in Exiv2::Internal::PngChunk::parseTXTChunk(Exiv2::DataBuf const&, int, Exiv2::Internal::PngChunk::TxtChunkType) (/home/aflgo/song/exiv2/src/.libs/libexiv2.so.26+0x19a8bf)
    #2 0x7fa47d3ced0a in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) (/home/aflgo/song/exiv2/src/.libs/libexiv2.so.26+0x19ad0a)
    #3 0x7fa47d3cb061 in Exiv2::PngImage::readMetadata() (/home/aflgo/song/exiv2/src/.libs/libexiv2.so.26+0x197061)
    #4 0x419978 in Action::Extract::writeThumbnail() const (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x419978)
    #5 0x422327 in Action::Extract::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x422327)
    #6 0x406dbd in main (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x406dbd)
    #7 0x7fa47c8f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x407098 in _start (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x407098)

0x61a00001f710 is located 0 bytes to the right of 1168-byte region [0x61a00001f280,0x61a00001f710)
allocated by thread T0 here:
    #0 0x7fa47d7a46b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7fa47d3cae67 in Exiv2::PngImage::readMetadata() (/home/aflgo/song/exiv2/src/.libs/libexiv2.so.26+0x196e67)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==30669==ABORTING
```

command: exiv2 -et [poc]
https://github.com/legend-issue/pocs/blob/master/exiv2/id:000004%2Csig:06%2Csrc:000036%2Cop:havoc%2Crep:128
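The report above shows `strlen` reading 1137 bytes starting at the end of a 1168-byte heap region, i.e. a text-chunk keyword scanned for a NUL terminator that the chunk data does not contain. As an added illustration (not Exiv2's code and not the fix merged for this issue), the following parses the keyword field of a PNG tEXt-style chunk with a length-bounded search instead, rejecting a chunk with no terminator; the type and function names are hypothetical and the sample chunks are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical view of a parsed tEXt-style chunk (keyword NUL text). */
typedef struct {
    const unsigned char *keyword; /* points into the chunk data */
    size_t keyword_len;           /* bytes before the NUL separator */
    const unsigned char *text;    /* first byte after the NUL */
    size_t text_len;              /* may be 0 for an empty text field */
} txt_chunk_view;

/* Locate the keyword/text separator without assuming a NUL exists.
 * Returns 0 on success, -1 for a malformed chunk. Calling strlen() on
 * `data` instead would walk past `len` whenever the NUL is missing,
 * which is the over-read AddressSanitizer reports above. */
int parse_txt_keyword(const unsigned char *data, size_t len, txt_chunk_view *out)
{
    if (data == NULL || out == NULL || len == 0)
        return -1;
    /* memchr stops at len, so a missing separator is an error, not a read. */
    const unsigned char *nul = memchr(data, '\0', len);
    if (nul == NULL)
        return -1;
    size_t klen = (size_t)(nul - data);
    /* The PNG specification limits a keyword to 1..79 bytes. */
    if (klen == 0 || klen > 79)
        return -1;
    out->keyword = data;
    out->keyword_len = klen;
    out->text = nul + 1;
    out->text_len = len - klen - 1;
    return 0;
}

/* Constructed samples: a well-formed chunk, and one whose bytes contain no
 * NUL at all (the shape a fuzzer-generated file can carry). */
static const unsigned char good_chunk[] = "Comment\0hello";

int demo_good(void)
{
    txt_chunk_view v;
    int rc = parse_txt_keyword(good_chunk, sizeof good_chunk - 1, &v);
    return rc == 0 && v.keyword_len == 7 && v.text_len == 5;
}

int demo_unterminated(void)
{
    unsigned char bad[8];
    memset(bad, 'A', sizeof bad);          /* no NUL anywhere in the chunk */
    txt_chunk_view v;
    return parse_txt_keyword(bad, sizeof bad, &v) == -1;
}
```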

@fgeek (Collaborator) commented May 15, 2018

Probably duplicate of #302.

@fgeek (Collaborator) commented May 15, 2018

CVE-2018-10999 has been assigned for this issue (not requested by me).

@piponazo (Collaborator) commented May 19, 2018

I could reproduce the issue with the Address sanitizer. I will investigate the issue and try to fix it.

@piponazo piponazo self-assigned this May 19, 2018

@fgeek (Collaborator) commented May 19, 2018

Great :) 👍

piponazo added a commit to piponazo/exiv2 that referenced this issue May 20, 2018

@piponazo piponazo referenced this issue May 20, 2018

Merged

Fix issue #306 #316

piponazo added a commit to piponazo/exiv2 that referenced this issue May 23, 2018

piponazo added a commit to piponazo/exiv2 that referenced this issue May 23, 2018

piponazo added a commit that referenced this issue May 23, 2018

@piponazo (Collaborator) commented May 23, 2018

The bug should be fixed now. Thanks for the report.

@piponazo piponazo closed this May 23, 2018

@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
