Invalid memory address dereference in Exiv2::getULong(types.cpp:246) #73
Milestone
Comments
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Oct 7, 2017
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Oct 11, 2017
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Oct 15, 2017
|
For the record, this is known as CVE-2017-14864. |
dirkmueller
pushed a commit
to dirkmueller/exiv2
that referenced
this issue
Jan 7, 2018
(cherry picked from commit 1b01704)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1494467
The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1329503
Here's a copy of the report:
Liu Zhu 2017-09-22 06:19:01 EDT
Created attachment 1329503 [details]
PoC File
./exiv2 02-Invalid-mem-def
ASAN:SIGSEGV
==27020==ERROR: AddressSanitizer: SEGV on unknown address 0x62a100000405 (pc 0x7f827e6cc4af bp 0x7ffdbe4d55b0 sp 0x7ffdbe4d55a0 T0)
#0 0x7f827e6cc4ae in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/src/types.cpp:246
#1 0x7f827e6cc6cb in Exiv2::getURational(unsigned char const*, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/src/types.cpp:257
#2 0x7f827e57323c in std::pair<unsigned int, unsigned int> Exiv2::getValue<std::pair<unsigned int, unsigned int> >(unsigned char const*, Exiv2::ByteOrder) (/usr/local/exiv2_ASAN/lib/libexiv2.so.26+0x31523c)
#3 0x7f827e580b4e in Exiv2::ValueType<std::pair<unsigned int, unsigned int> >::read(unsigned char const*, long, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/include/exiv2/value.hpp:1586
#4 0x7f827e6c2d08 in Exiv2::Internal::TiffReader::readTiffEntry(Exiv2::Internal::TiffEntryBase*) /root/fuzzing/exiv2-trunk/src/tiffvisitor.cpp:1541
#5 0x7f827e6bf4be in Exiv2::Internal::TiffReader::visitEntry(Exiv2::Internal::TiffEntry*) /root/fuzzing/exiv2-trunk/src/tiffvisitor.cpp:1204
#6 0x7f827e68d97c in Exiv2::Internal::TiffEntry::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:896
#7 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#8 0x7f827e68dcc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
#9 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#10 0x7f827e68e351 in Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:949
#11 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#12 0x7f827e68e1bf in Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:938
#13 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#14 0x7f827e68dcc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
#15 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#16 0x7f827e68e07e in Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:931
#17 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#18 0x7f827e68dcc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
#19 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#20 0x7f827e6a6451 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:2011
#21 0x7f827e6a5267 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::()(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:1900
#22 0x7f827e6a3a82 in Exiv2::TiffParser::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:266
#23 0x7f827e5a043e in Exiv2::ExifParser::decode(Exiv2::ExifData&, unsigned char const*, unsigned int) /root/fuzzing/exiv2-trunk/src/exif.cpp:629
#24 0x7f827e5e0030 in Exiv2::JpegBase::readMetadata() /root/fuzzing/exiv2-trunk/src/jpgimage.cpp:386
#25 0x43ab02 in Action::Print::printSummary() /root/fuzzing/exiv2-trunk/src/actions.cpp:289
#26 0x43a1af in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /root/fuzzing/exiv2-trunk/src/actions.cpp:244
#27 0x422129 in main /root/fuzzing/exiv2-trunk/src/exiv2.cpp:170
#28 0x7f827d91c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#29 0x421af8 in _start (/usr/local/exiv2_ASAN/bin/exiv2+0x421af8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzzing/exiv2-trunk/src/types.cpp:246 Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
==27020==ABORTING
[reply] [−] Comment 2 Liu Zhu 2017-09-23 01:14:58 EDT
./exiv2 -V
exiv2 0.26 001a00 (64 bit build)
Copyright (C) 2004-2017 Andreas Huggel.
The text was updated successfully, but these errors were encountered: