Infinite loop in Exiv2::Image::printIFDStructure function of image.cpp:509

[cool-tomato]

The issue may be similar to the issue #51 , with the POC file provided, The vulue of the start will always be 0xfc0000, so the condition will be true all the time.

./exiv2 -pC poc_infinite_loop or the command ./exiv2 -pR poc_infinite_loop can trigger the situation:

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/fish/Desktop/2018-10-10/exiv2/src/image.cpp+509 ]────
    504	                     out.write((const char*)buf.pData_,count);
    505	                 }
    506	             }
    507	             if ( start ) {
    508	                 io.read(dir.pData_, 4);
 →  509	                 start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
    510	             }
    511	         } while (start) ;
    512	 
    513	         if ( bPrint ) {
    514	             out << Internal::indent(depth) << "END " << io.path() << std::endl;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "exiv2", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff7979845 → Name: Exiv2::Image::printIFDStructure(this=0x5555557aecb0, io=@0x5555557afae0, out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, start=0xfc0000, bSwap=0x0, c=0x49, depth=0x0)
[#1] 0x7ffff7979c56 → Name: Exiv2::Image::printTiffStructure(this=0x5555557aecb0, io=@0x5555557afae0, out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, depth=0xffffffff, offset=0x0)
[#2] 0x7ffff79b73bb → Name: Exiv2::TiffImage::printStructure(this=0x5555557aecb0, out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, depth=0x0)
[#3] 0x555555586064 → Name: (anonymous namespace)::printStructure(out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, path="poc_infinite_loop")
[#4] 0x555555575d55 → Name: Action::setModeAndPrintStructure(option=Exiv2::kpsIccProfile, path="poc_infinite_loop")
[#5] 0x555555575ea3 → Name: Action::Print::run(this=0x5555557aff10, path="poc_infinite_loop")
[#6] 0x5555555671ee → Name: main(argc=0x4, argv=0x7fffffffdd58)
[#7] 0x7ffff6ee3b97 → Name: __libc_start_main(main=0x555555566f0a <main(int, char* const*)>, argc=0x4, argv=0x7fffffffdd58, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd48)
[#8] 0x555555566e2a → Name: _start()
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Breakpoint 2, Exiv2::Image::printIFDStructure (this=0x5555557aecb0, io=..., out=..., option=Exiv2::kpsIccProfile, start=0xfc0000, bSwap=0x0, c=0x49, depth=0x0) at /home/fish/Desktop/2018-10-10/exiv2/src/image.cpp:509
509	                start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
gef➤  p start
$4 = 0xfc0000

[clanmills]

This seems to be fixed. I've tried $ exiv2 POC4, $ exiv2 -p{S|R|C|a} POC4. Am I'm looking at the wrong POC file?

554 rmills@rmillsmbp:~/Downloads $ dir
-rw-r--r--@  1 rmills  staff   102B  2 Nov 09:16 POC4.rar
-rw-r--r--@  1 rmills  staff    35B 12 Jul  2017 POC4
556 rmills@rmillsmbp:~/Downloads $ exiv2 ./POC4
Warning: Directory PanasonicRaw has an unexpected next pointer; ignored.
Error: Directory PanasonicRaw, entry 0x002e has invalid size 4294967295*1; skipping entry.
File name       : ./POC4
File size       : 35 Bytes
MIME type       : image/x-panasonic-rw2
Image size      : 0 x 0
./POC4: No Exif data found in the file
557 rmills@rmillsmbp:~/Downloads $ exiv2 -pR ./POC4
RW2 IMAGE
STRUCTURE OF TIFF FILE (II): ./POC4
 address |    tag                              |      type |    count |    offset | value
Exiv2 exception in print action for file ./POC4:
invalid memory allocation request
558 rmills@rmillsmbp:~/Downloads $ exiv2 -pS ./POC4
RW2 IMAGE
STRUCTURE OF TIFF FILE (II): ./POC4
 address |    tag                              |      type |    count |    offset | value
Exiv2 exception in print action for file ./POC4:
invalid memory allocation request
559 rmills@rmillsmbp:~/Downloads $ exiv2 -pa ./POC4
Warning: Directory PanasonicRaw has an unexpected next pointer; ignored.
Error: Directory PanasonicRaw, entry 0x002e has invalid size 4294967295*1; skipping entry.
560 rmills@rmillsmbp:~/Downloads $ 560 rmills@rmillsmbp:~/Downloads $ exiv2 -pC ./POC4
RW2 IMAGE
Exiv2 exception in print action for file ./POC4:
invalid memory allocation request
561 rmills@rmillsmbp:~/Downloads $ 

[cool-tomato]

It should be the poc file in here, not POC4.

[clanmills]

Thanks. I've reproduced this. I'll investigate.

[carnil]

This issue was assigned CVE-2018-18915

[piponazo]

I also could reproduce the issue and I think I have found a solution for it. I will try to bring the fix for v0.27.