Stack overflow due to excessive stack consumption (Recursive function) #460
Comments
|
Confirmed in 37b8725 and also reproduced with exiv2json. |
|
Thanks for reporting this, @SegfaultMasters. And thank you to @fgeek for confirming this. I have a patch (discussion below) and would like to ask @D4N to review and comment. I believe this is a fuzzed CRW file. I don't know the specification for the CRW format; however, it's a "kind of" TIFF with directories and data. The code locates the directory and tests for sanity. However, the length of the directory is impossible (count == 17736). The whole buffer is 242 bytes, which has to include count*12 bytes for the directory. I wondered if the test should include the size of the header; however, this causes test/preview-test.sh to fail.
When I build with -DDEBUG, I get: |
|
I've had another look at this. Several observations (and a new patch):
|
A stack overflow exists in CiffDirectory::readDirectory() at crwimage_int.cpp due to a recursive function call causing excessive stack consumption, which leads to denial of service.
Affected version:
exiv2 0.27.0.0 (64 bit build)
Command:
./exiv2 -pi $POC
Debugging
ASAN Output
Reproducer file
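
An added example, not code from exiv2 or from this thread: a bounds-checked directory walk showing the two checks the discussion turns on, that count * 12 bytes fit in the buffer (242 bytes versus count == 17736 here) and that recursion is bounded. The 12-byte entry layout, the type-1 sub-directory marker, `kMaxDepth` and the forward-only offset rule are assumptions for illustration, not the CRW format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified layout assumed for this example (not the real CRW specification):
//   directory = u16 count, then count entries of 12 bytes (little-endian)
//   entry     = u16 tag, u16 type, u32 size, u32 offset; type 1 = sub-directory
constexpr std::size_t kEntrySize = 12;
constexpr int kMaxDepth = 8;  // hypothetical cap on directory nesting

static uint32_t rd(const std::vector<uint8_t>& b, std::size_t o, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; ++i) v |= uint32_t(b[o + i]) << (8 * i);
    return v;
}

// Returns the number of entries visited, or -1 when the input is rejected.
long walkDirectory(const std::vector<uint8_t>& buf, std::size_t start, int depth = 0) {
    if (depth > kMaxDepth) return -1;  // bound stack use
    if (start > buf.size() || buf.size() - start < 2) return -1;
    const std::size_t count = rd(buf, start, 2);
    // All count * 12 entry bytes must fit in the rest of the buffer.
    if (count > (buf.size() - start - 2) / kEntrySize) return -1;
    long visited = 0;
    for (std::size_t i = 0; i < count; ++i) {
        const std::size_t e = start + 2 + i * kEntrySize;
        ++visited;
        if (rd(buf, e + 2, 2) != 1) continue;  // plain data entry
        const std::size_t off = rd(buf, e + 8, 4);
        if (off <= start) return -1;  // forward-only offsets: no cycles
        const long sub = walkDirectory(buf, off, depth + 1);
        if (sub < 0) return -1;
        visited += sub;
    }
    return visited;
}

// Constructed sample: 242-byte buffer whose directory claims count == 17736 (0x4548).
std::vector<uint8_t> oversizedCountSample() {
    std::vector<uint8_t> b(242, 0);
    b[0] = 0x48; b[1] = 0x45;
    return b;
}

int main() {
    std::printf("oversized count -> %ld\n", walkDirectory(oversizedCountSample(), 0));
    return 0;
}
```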