[bug report] Program crash due to uncontrolled memory allocation on function DataBuf data(subBox.length-sizeof(box)) #742
Comments
I also used gdb to debug the program; I will show you the process. You can see that the DataBuf data() tries to consume too much memory, leading to a program crash.
Thanks for the report, that is indeed a nasty bug. Looks like an integer overflow as the input is not scrubbed. It's unlikely though that I'll be able to tackle this before #740 is done & merged, as the code where you found the issue is not really covered by tests.

I will investigate the issue. It is also reproducible on Windows+MSVC
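The integer overflow the maintainer describes, as an added example that is not Exiv2's own code: a JP2-style box whose length field is smaller than its own header makes the unsigned subtraction `length - sizeof(box)` wrap to an enormous value, and the checked version rejects such a box before any buffer is sized from it. The `Box` struct, the function names and the sample bytes are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstddef>
#include <stdexcept>
#include <vector>

// Stand-in for a JP2-style box header: big-endian 32-bit length, then a 4-byte type.
struct Box { uint32_t length; uint32_t type; };

static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// The pattern from the report: the subtraction is unsigned, so a length field
// smaller than the header wraps to an enormous value that then sizes the buffer.
size_t unsafePayloadSize(uint32_t boxLength) {
    return boxLength - sizeof(Box);  // e.g. 4 - 8 wraps to SIZE_MAX - 3
}

// Hardened form: reject a length smaller than its own header and a length that
// runs past the bytes actually present, before any allocation is sized from it.
size_t checkedPayloadSize(uint32_t boxLength, size_t remaining) {
    if (boxLength < sizeof(Box))
        throw std::runtime_error("box length smaller than its header");
    if (boxLength > remaining)
        throw std::runtime_error("box length exceeds remaining input");
    return boxLength - sizeof(Box);
}

// Read the box at `offset` and copy out its payload, using the checked size.
std::vector<uint8_t> readBoxPayload(const uint8_t* data, size_t size, size_t offset) {
    if (offset > size || size - offset < sizeof(Box))
        throw std::runtime_error("truncated box header");
    uint32_t length = be32(data + offset);
    size_t payload = checkedPayloadSize(length, size - offset);
    const uint8_t* start = data + offset + sizeof(Box);
    return std::vector<uint8_t>(start, start + payload);
}

// Helper for checking that malformed input is rejected rather than allocated.
bool payloadReadFails(const uint8_t* data, size_t size, size_t offset) {
    try { readBoxPayload(data, size, offset); } catch (const std::runtime_error&) { return true; }
    return false;
}

// Constructed sample (not the reporter's POC): a 12-byte "jp2c" box with 4 payload
// bytes, then a box whose length field (4) is smaller than its 8-byte header.
const uint8_t kSample[] = {
    0x00,0x00,0x00,0x0C, 'j','p','2','c', 0xDE,0xAD,0xBE,0xEF,
    0x00,0x00,0x00,0x04, 'f','a','k','e' };
```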
(cherry picked from commit 1bdd3ea)
(cherry picked from commit 885dd2a)
Hi there,
An issue was discovered in the DataBuf data(subBox.length-sizeof(box)) function in image.cpp, as distributed in master and version 0.27. There is an uncontrolled memory allocation problem, leading to a program crash. I have also confirmed this issue by using AddressSanitizer.
Here is the POC file. Please use the “./exiv2 -pX $POC” to reproduce the bug.
POC.zip
The ASAN dumps the stack trace as follows: