SIGSEGV in PngImage::readMetadata() #789

Closed
kevinbackhouse opened this issue Apr 24, 2019 · 2 comments

kevinbackhouse commented Apr 24, 2019

There is a bug at pngimage.cpp:469. If iccOffset == 0, which happens if chunkLength == 0, then Exiv2 crashes with a SIGSEGV.

Here is the PoC, which I have tested on master (55dfdb9): poc1. You can run the PoC like this:

$ exiv2 poc1.png
Segmentation fault (core dumped)
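
A bounds-checked way to split such a chunk, as an added example that is not part of the original issue and is not Exiv2's code. It assumes `iccOffset` is the cursor that walks the profile name of a PNG iCCP chunk (the issue does not name the chunk type); `IccpFields` and `parseIccpChunk` are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical result type for this example; not an Exiv2 structure.
struct IccpFields {
    std::string profileName;    // 1-79 bytes per the PNG specification
    std::size_t payloadOffset;  // index of the first compressed-profile byte
    std::size_t payloadLength;  // number of compressed-profile bytes
};

// iCCP body layout (PNG spec): name (1-79 bytes) | 0x00 | method | zlib data.
// Returns false for any body that cannot be split without reading or
// computing an offset outside [0, chunkLength).
bool parseIccpChunk(const std::uint8_t* data, std::size_t chunkLength, IccpFields& out) {
    // The case from the issue: nothing to scan, so the offset would stay 0.
    if (data == nullptr || chunkLength == 0) return false;

    // The terminator must appear within the first 80 bytes and inside the chunk.
    const std::size_t maxScan = chunkLength < 80 ? chunkLength : 80;
    std::size_t nameLen = 0;
    while (nameLen < maxScan && data[nameLen] != 0x00) ++nameLen;

    if (nameLen == maxScan) return false;  // no terminator within bounds
    if (nameLen == 0) return false;        // empty profile name is invalid

    // The compression-method byte must exist and be 0 (deflate).
    const std::size_t methodIndex = nameLen + 1;
    if (methodIndex >= chunkLength || data[methodIndex] != 0x00) return false;

    out.profileName.assign(reinterpret_cast<const char*>(data), nameLen);
    out.payloadOffset = methodIndex + 1;
    // Cannot underflow: payloadOffset <= chunkLength was established above.
    out.payloadLength = chunkLength - out.payloadOffset;
    return true;
}

int main() {
    // Constructed samples: a zero-length body and a minimal well-formed one.
    const std::uint8_t good[] = {'s', 'R', 'G', 'B', 0x00, 0x00, 0x78, 0x9c};
    IccpFields f;
    std::printf("empty chunk accepted: %d\n", parseIccpChunk(good, 0, f));
    std::printf("good chunk accepted:  %d\n", parseIccpChunk(good, sizeof good, f));
    return 0;
}
```

A zero `payloadLength` is passed through here; rejecting an empty compressed stream is left to the decompressor.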
kevinbackhouse commented

I have started working on a fix for this.

kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 25, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 2, 2019
D4N pushed a commit to kevinbackhouse/exiv2 that referenced this issue May 5, 2019
piponazo pushed a commit that referenced this issue May 6, 2019
mergify bot pushed a commit that referenced this issue May 6, 2019
This fixes #789.

(cherry picked from commit 8cd95e2)

# Conflicts:
#	src/pngimage.cpp
piponazo pushed a commit that referenced this issue May 18, 2019
kevinbackhouse commented

This has been assigned CVE-2019-13108.

dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Mar 23, 2020