./bin/exiv2 ../../poc6-ul2Data
=================================================================
==29742==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000cf59 at pc 0x7f79f092888f bp 0x7ffe74e0c920 sp 0x7ffe74e0c910
WRITE of size 1 at 0x60300000cf59 thread T0
#0 0x7f79f092888e in Exiv2::ul2Data(unsigned char*, unsigned int, Exiv2::ByteOrder) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:383
#1 0x7f79f0928988 in Exiv2::ur2Data(unsigned char*, std::pair<unsigned int, unsigned int>, Exiv2::ByteOrder) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:392
#2 0x7f79f0888ca5 in long Exiv2::toData<std::pair<unsigned int, unsigned int> >(unsigned char*, std::pair<unsigned int, unsigned int>, Exiv2::ByteOrder) (/home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/build_asan/lib/libexiv2.so.0+0x33bca5)
#3 0x7f79f0899a90 in Exiv2::ValueType<std::pair<unsigned int, unsigned int> >::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/include/exiv2/value.hpp:1611
#4 0x7f79f0882e58 in Exiv2::Exifdatum::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/exif.cpp:357
#5 0x7f79f0924083 in Exiv2::TiffImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/tiffimage.cpp:199
#6 0x43a413 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:287
#7 0x439c8b in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:247
#8 0x4222d7 in main /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/exiv2.cpp:167
#9 0x7f79efc0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x421ce8 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/build_asan/bin/exiv2+0x421ce8)
0x60300000cf59 is located 0 bytes to the right of 25-byte region [0x60300000cf40,0x60300000cf59)
allocated by thread T0 here:
#0 0x7f79f10686b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7f79f092651f in Exiv2::DataBuf::alloc(long) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:156
#2 0x7f79f0923fe6 in Exiv2::TiffImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/tiffimage.cpp:198
#3 0x43a413 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:287
#4 0x439c8b in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:247
#5 0x4222d7 in main /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/exiv2.cpp:167
#6 0x7f79efc0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:383 Exiv2::ul2Data(unsigned char*, unsigned int, Exiv2::ByteOrder)
Shadow bytes around the buggy address:
0x0c067fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff99d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff99e0: fa fa fa fa fa fa fa fa 00 00 00[01]fa fa fd fd
0x0c067fff99f0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
0x0c067fff9a00: 00 00 00 07 fa fa fd fd fd fd fa fa fd fd fd fa
0x0c067fff9a10: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
0x0c067fff9a20: 00 05 fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c067fff9a30: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 07 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==29742==ABORTING
Marsman1996
changed the title
AddressSanitizer: heap-buffer-overflow in Exiv2::ul2Data
CVE-2018-17230: AddressSanitizer: heap-buffer-overflow in Exiv2::ul2Data
Sep 21, 2018
Similarly to #453, the issue seems adressed with afb98cb ("Allocate correct amount of memory for the ICC profile") and not present in the v0.26 tagged version.
Tested in Ubuntu 16.04, 64bit, Exiv2(master b6a8d39)
$ exiv2 $POChttps://github.com/Marsman1996/pocs/blob/master/exiv2/CVE-2018-17230/poc6-ul2Data
Addition: This bug was found with mem-AFL, which is based on AFL. Mem-AFL is developed by Yanhao(unfuzzable123@gmail.com) & Marsman1996(lqliuyuwei@outlook.com)
The text was updated successfully, but these errors were encountered: