CVE-2018-19535: AddressSanitizer: heap-buffer-overflow at pngchunk_int.cpp:635 #428
Comments
A relevant heap-buffer-overflow at pngchunk_int.cpp:645:
Thanks @hongxuchen for reporting. I confirm that I could reproduce the issue and I will take a look at this issue.
I will double check again. I do not know much about that piece of code and it is also difficult to find some specification to determine how a "good implementation" should look.
@hongxuchen I could fix the issues detected with the 2 other POCs reported initially (line 645). However I do not understand yet enough about the PNG specification to fix the rest of the issues detected. I have the feeling that for fixing all the issues in this function we will need much more time to understand the PNG specification, and also to rewrite such method. I do not think I can address all these changes for the v0.27 RC1. Therefore I propose to merge the fixes done in #430, which will solve half of the issues, and leave this issue open as a reminder for the rest of the issues you detected.
Thanks for looking into this @piponazo. I've assigned myself to this, although I agree with you that we are unlikely to resolve this for v0.27 RC1.
I have a working knowledge of the PNG Specification. Tuan added this page about it to our Wiki in 2013: http://dev.exiv2.org/projects/exiv2/wiki/The_Metadata_in_PNG_files. I have reproduced this and will work on this later today (it's currently Tuesday 2018-09-04 13:19 BST). Here's what I can see:
Here are the POC files:
When I execute exiv2, I get:
@clanmills managed to solve the problems triggered by all the POCs, and I adapted the tests in #430 to have regression tests for all these cases. Thanks @hongxuchen for reporting this.
This issue was assigned CVE-2018-19535
When running
exiv2 $FILE
(5940c6f) against PNG files, ASAN reports a heap-buffer-overflow error.
POCs:
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_pngchunk_int.cpp:635_1.png
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_pngchunk_int.cpp:635_2.png
ASAN output: