out of bound read in function std::memcpy (tmp, buf, len) in exiv2/include/exiv2/value.hpp:1758 #366
Assignees
Milestone
Comments
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Jun 11, 2018
Several checks for extracted values performed no overflow checks on the addition. They can be tricked into passing, albeit the individual summands are too large. => use Safe::add() which now aborts when an overflow occurs This fixes Exiv2#366
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Jun 11, 2018
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Jun 11, 2018
Several checks for extracted values performed no overflow checks on the addition. They can be tricked into passing, albeit the individual summands are too large. => use Safe::add() which now aborts when an overflow occurs This fixes Exiv2#366
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Jun 11, 2018
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Jun 11, 2018
D4N
added a commit
that referenced
this issue
Jun 11, 2018
vcunat
pushed a commit
to vcunat/exiv2
that referenced
this issue
Aug 5, 2018
(cherry picked from commit b517f2e)
vcunat
pushed a commit
to vcunat/exiv2
that referenced
this issue
Aug 5, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
root@7add4d80d305:/src/exiv2/bin# ./exiv2 -ep 2-out-of-read-Poc
Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored.
Segmentation fault (core dumped)
root@7add4d80d305:/src/exiv2/bin# gdb -q exiv2 /tmp/core.1528716079.exiv2.2083
Reading symbols from exiv2...done.
[New LWP 2083]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./exiv2 -ep 2-out-of-read-Poc'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:90
90 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
gdb-peda$ bt
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:90
#1 0x00007fe64612af64 in Exiv2::ValueType::setDataArea (this=0x1e17c00, buf=0x7fe7467c3ff7 <error: Cannot access memory at address 0x7fe7467c3ff7>, len=0x59)
at /src/exiv2/include/exiv2/value.hpp:1758
#2 0x00007fe64615e0c1 in (anonymous namespace)::LoaderTiff::getData (this=0x1e17750) at /src/exiv2/src/preview.cpp:803
#3 0x00007fe64616091a in Exiv2::PreviewManager::getPreviewProperties (this=0x7ffc57e9c570) at /src/exiv2/src/preview.cpp:1146
#4 0x0000000000437f80 in Action::Extract::writePreviews (this=0x1e0ec00) at /src/exiv2/src/actions.cpp:1146
#5 0x00000000004371b6 in Action::Extract::run (this=0x1e0ec00, path="2-out-of-read-Poc") at /src/exiv2/src/actions.cpp:1062
#6 0x00000000004217cd in main (argc=0x3, argv=0x7ffc57e9c928) at /src/exiv2/src/exiv2.cpp:166
#7 0x00007fe645602830 in __libc_start_main (main=0x421506 <main(int, char* const*)>, argc=0x3, argv=0x7ffc57e9c928, init=, fini=, rtld_fini=,
stack_end=0x7ffc57e9c918) at ../csu/libc-start.c:291
#8 0x0000000000421439 in _start ()
Poc: https://github.com/TeamSeri0us/pocs/blob/master/exiv2/2-out-of-read-Poc
The text was updated successfully, but these errors were encountered: