New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Infinite loop in Exiv2::Image::printIFDStructure function of image.cpp:509 #511

Closed
cool-tomato opened this Issue Nov 2, 2018 · 5 comments

Comments

Projects
4 participants
@cool-tomato

cool-tomato commented Nov 2, 2018

The issue may be similar to the issue #51 , with the POC file provided, The vulue of the start will always be 0xfc0000, so the condition will be true all the time.

./exiv2 -pC poc_infinite_loop or the command ./exiv2 -pR poc_infinite_loop can trigger the situation:

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/fish/Desktop/2018-10-10/exiv2/src/image.cpp+509 ]────
    504	                     out.write((const char*)buf.pData_,count);
    505	                 }
    506	             }
    507	             if ( start ) {
    508	                 io.read(dir.pData_, 4);
 →  509	                 start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
    510	             }
    511	         } while (start) ;
    512	 
    513	         if ( bPrint ) {
    514	             out << Internal::indent(depth) << "END " << io.path() << std::endl;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "exiv2", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff7979845 → Name: Exiv2::Image::printIFDStructure(this=0x5555557aecb0, io=@0x5555557afae0, out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, start=0xfc0000, bSwap=0x0, c=0x49, depth=0x0)
[#1] 0x7ffff7979c56 → Name: Exiv2::Image::printTiffStructure(this=0x5555557aecb0, io=@0x5555557afae0, out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, depth=0xffffffff, offset=0x0)
[#2] 0x7ffff79b73bb → Name: Exiv2::TiffImage::printStructure(this=0x5555557aecb0, out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, depth=0x0)
[#3] 0x555555586064 → Name: (anonymous namespace)::printStructure(out=@0x7ffff7850e40, option=Exiv2::kpsIccProfile, path="poc_infinite_loop")
[#4] 0x555555575d55 → Name: Action::setModeAndPrintStructure(option=Exiv2::kpsIccProfile, path="poc_infinite_loop")
[#5] 0x555555575ea3 → Name: Action::Print::run(this=0x5555557aff10, path="poc_infinite_loop")
[#6] 0x5555555671ee → Name: main(argc=0x4, argv=0x7fffffffdd58)
[#7] 0x7ffff6ee3b97 → Name: __libc_start_main(main=0x555555566f0a <main(int, char* const*)>, argc=0x4, argv=0x7fffffffdd58, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd48)
[#8] 0x555555566e2a → Name: _start()
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Breakpoint 2, Exiv2::Image::printIFDStructure (this=0x5555557aecb0, io=..., out=..., option=Exiv2::kpsIccProfile, start=0xfc0000, bSwap=0x0, c=0x49, depth=0x0) at /home/fish/Desktop/2018-10-10/exiv2/src/image.cpp:509
509	                start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
gef➤  p start
$4 = 0xfc0000


@clanmills

This comment has been minimized.

Collaborator

clanmills commented Nov 2, 2018

This seems to be fixed. I've tried $ exiv2 POC4, $ exiv2 -p{S|R|C|a} POC4. Am I'm looking at the wrong POC file?

554 rmills@rmillsmbp:~/Downloads $ dir
-rw-r--r--@  1 rmills  staff   102B  2 Nov 09:16 POC4.rar
-rw-r--r--@  1 rmills  staff    35B 12 Jul  2017 POC4
556 rmills@rmillsmbp:~/Downloads $ exiv2 ./POC4
Warning: Directory PanasonicRaw has an unexpected next pointer; ignored.
Error: Directory PanasonicRaw, entry 0x002e has invalid size 4294967295*1; skipping entry.
File name       : ./POC4
File size       : 35 Bytes
MIME type       : image/x-panasonic-rw2
Image size      : 0 x 0
./POC4: No Exif data found in the file
557 rmills@rmillsmbp:~/Downloads $ exiv2 -pR ./POC4
RW2 IMAGE
STRUCTURE OF TIFF FILE (II): ./POC4
 address |    tag                              |      type |    count |    offset | value
Exiv2 exception in print action for file ./POC4:
invalid memory allocation request
558 rmills@rmillsmbp:~/Downloads $ exiv2 -pS ./POC4
RW2 IMAGE
STRUCTURE OF TIFF FILE (II): ./POC4
 address |    tag                              |      type |    count |    offset | value
Exiv2 exception in print action for file ./POC4:
invalid memory allocation request
559 rmills@rmillsmbp:~/Downloads $ exiv2 -pa ./POC4
Warning: Directory PanasonicRaw has an unexpected next pointer; ignored.
Error: Directory PanasonicRaw, entry 0x002e has invalid size 4294967295*1; skipping entry.
560 rmills@rmillsmbp:~/Downloads $ 560 rmills@rmillsmbp:~/Downloads $ exiv2 -pC ./POC4
RW2 IMAGE
Exiv2 exception in print action for file ./POC4:
invalid memory allocation request
561 rmills@rmillsmbp:~/Downloads $ 
@cool-tomato

This comment has been minimized.

cool-tomato commented Nov 2, 2018

It should be the poc file in here, not POC4.

@clanmills

This comment has been minimized.

Collaborator

clanmills commented Nov 2, 2018

Thanks. I've reproduced this. I'll investigate.

@carnil

This comment has been minimized.

carnil commented Nov 3, 2018

This issue was assigned CVE-2018-18915

@piponazo piponazo self-assigned this Nov 4, 2018

@piponazo piponazo added the bug label Nov 4, 2018

@piponazo

This comment has been minimized.

Collaborator

piponazo commented Nov 4, 2018

I also could reproduce the issue and I think I have found a solution for it. I will try to bring the fix for v0.27.

piponazo added a commit to piponazo/exiv2 that referenced this issue Nov 4, 2018

piponazo added a commit to piponazo/exiv2 that referenced this issue Nov 5, 2018

piponazo added a commit to piponazo/exiv2 that referenced this issue Nov 6, 2018

piponazo added a commit to piponazo/exiv2 that referenced this issue Nov 6, 2018

piponazo added a commit to piponazo/exiv2 that referenced this issue Nov 6, 2018

@piponazo piponazo added this to Done in v0.27 Nov 6, 2018

piponazo added a commit that referenced this issue Nov 6, 2018

@piponazo piponazo closed this Nov 6, 2018

@clanmills clanmills added this to the v0.27 milestone Nov 7, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment