-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid memory address dereference in Exiv2::StringValueBase::read ( in value.cpp:302) #74
Milestone
Comments
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Oct 7, 2017
D4N
added a commit
to D4N/exiv2
that referenced
this issue
Oct 11, 2017
Fixed by #110 |
FTR this is known as CVE-2017-14859. |
dirkmueller
pushed a commit
to dirkmueller/exiv2
that referenced
this issue
Jan 7, 2018
(cherry picked from commit 1b01704)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1494780
The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1329794
Here's a copy of the report:
Liu Zhu 2017-09-22 22:04:33 EDT
Created attachment 1329794 [details]
PoC File
./exiv2 005-invalid-mem
Warning: Directory Image, entry 0x011a has unknown Exif (TIFF) type 64772; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x011b is out of bounds: Offset = 0x00000030, size = 1073741832, exceeds buffer size by 1073734073 Bytes; truncating the entry
Error: Upper boundary of data for directory Photo, entry 0x9003 is out of bounds: Offset = 0x000001f8, size = 3538992, exceeds buffer size by 3531689 Bytes; truncating the entry
Warning: Directory Nikon3 has an unexpected next pointer; ignored.
ASAN:SIGSEGV
==11802==ERROR: AddressSanitizer: SEGV on unknown address 0x62410000c2c3 (pc 0x7f69ca832cf0 bp 0x7ffc8db8ae20 sp 0x7ffc8db8a5a8 T0)
#0 0x7f69ca832cef (/lib/x86_64-linux-gnu/libc.so.6+0x160cef)
#1 0x7f69cbb125d0 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c5d0)
#2 0x7f69cadd3b06 in void std::__cxx11::basic_string<char, std::char_traits, std::allocator >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x121b06)
#3 0x7f69cadd3c04 in std::__cxx11::basic_string<char, std::char_traits, std::allocator >::basic_string(char const*, unsigned long, std::allocator const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x121c04)
#4 0x7f69cb4a9057 in Exiv2::StringValueBase::read(unsigned char const*, long, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/src/value.cpp:302
#5 0x7f69cb498d08 in Exiv2::Internal::TiffReader::readTiffEntry(Exiv2::Internal::TiffEntryBase*) /root/fuzzing/exiv2-trunk/src/tiffvisitor.cpp:1541
#6 0x7f69cb4954be in Exiv2::Internal::TiffReader::visitEntry(Exiv2::Internal::TiffEntry*) /root/fuzzing/exiv2-trunk/src/tiffvisitor.cpp:1204
#7 0x7f69cb46397c in Exiv2::Internal::TiffEntry::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:896
#8 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#9 0x7f69cb463cc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
#10 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#11 0x7f69cb464351 in Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:949
#12 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#13 0x7f69cb4641bf in Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:938
#14 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#15 0x7f69cb463cc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
#16 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#17 0x7f69cb46407e in Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:931
#18 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#19 0x7f69cb463cc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
#20 0x7f69cb463909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
#21 0x7f69cb47c451 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:2011
#22 0x7f69cb47b267 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::()(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:1900
#23 0x7f69cb479a82 in Exiv2::TiffParser::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:266
#24 0x7f69cb37643e in Exiv2::ExifParser::decode(Exiv2::ExifData&, unsigned char const*, unsigned int) /root/fuzzing/exiv2-trunk/src/exif.cpp:629
#25 0x7f69cb3b6030 in Exiv2::JpegBase::readMetadata() /root/fuzzing/exiv2-trunk/src/jpgimage.cpp:386
#26 0x43ab02 in Action::Print::printSummary() /root/fuzzing/exiv2-trunk/src/actions.cpp:289
#27 0x43a1af in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /root/fuzzing/exiv2-trunk/src/actions.cpp:244
#28 0x422129 in main /root/fuzzing/exiv2-trunk/src/exiv2.cpp:170
#29 0x7f69ca6f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#30 0x421af8 in _start (/usr/local/exiv2_ASAN/bin/exiv2+0x421af8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==11802==ABORTING
[reply] [−] Comment 2 Liu Zhu 2017-09-23 01:15:42 EDT
./exiv2 -V
exiv2 0.26 001a00 (64 bit build)
Copyright (C) 2004-2017 Andreas Huggel.
The text was updated successfully, but these errors were encountered: