Closed
Description
When running exiv2 $FILE
(5940c6f) against png files, , ASAN reports a heap-buffer-overflow error.
POCs:
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_pngchunk_int.cpp:635_1.png
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_pngchunk_int.cpp:635_2.png
ASAN output:
=================================================================
==32119==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000001bf at pc 0x7fea19eca9aa bp 0x7ffd00c71d70 sp 0x7ffd00c71d68
READ of size 1 at 0x6070000001bf thread T0
#0 0x7fea19eca9a9 in Exiv2::Internal::PngChunk::readRawProfile(Exiv2::DataBuf const&, bool) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:635:16
#1 0x7fea19ec7228 in Exiv2::Internal::PngChunk::parseChunkContent(Exiv2::Image*, unsigned char const*, long, Exiv2::DataBuf) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:258:32
#2 0x7fea19ec4f6f in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:91:9
#3 0x7fea19d74647 in Exiv2::PngImage::readMetadata() /home/hongxu/FOT/exiv2/src/pngimage.cpp:495:21
#4 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
#5 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
#6 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
#7 0x7fea18220b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x435ac9 in _start (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x435ac9)
0x6070000001bf is located 0 bytes to the right of 79-byte region [0x607000000170,0x6070000001bf)
allocated by thread T0 here:
#0 0x52e0f0 in operator new[](unsigned long) (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x52e0f0)
#1 0x7fea19ce7af9 in Exiv2::DataBuf::DataBuf(unsigned char const*, long) /home/hongxu/FOT/exiv2/src/types.cpp:138:22
#2 0x7fea19ec6831 in Exiv2::Internal::PngChunk::parseTXTChunk(Exiv2::DataBuf const&, int, Exiv2::Internal::PngChunk::TxtChunkType) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:216:27
#3 0x7fea19ec4dcc in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:85:23
#4 0x7fea19d74647 in Exiv2::PngImage::readMetadata() /home/hongxu/FOT/exiv2/src/pngimage.cpp:495:21
#5 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
#6 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
#7 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
#8 0x7fea18220b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:635:16 in Exiv2::Internal::PngChunk::readRawProfile(Exiv2::DataBuf const&, bool)
Shadow bytes around the buggy address:
0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
0x0c0e7fff8010: fa fa 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
=>0x0c0e7fff8030: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32119==ABORTING