
Integer overflow, leading to very large allocation in PngImage::readMetadata() #790

Closed
kevinbackhouse opened this issue Apr 24, 2019 · 1 comment

Comments

@kevinbackhouse (Collaborator):

This issue is closely related to #789, but the consequences of this bug are different. The calculation of chunkLength - iccOffset at pngimage.cpp:472 can have a negative integer overflow which leads to an 8GB memory allocation in zlibToDataBuf. Also, the zlib decompression is run on uninitialized memory beyond the end of the buffer, so there is a potential info leak vulnerability here.

Here is the PoC, which I have tested on master (55dfdb9): poc2. The simplest way to see the bug is to use ulimit to reduce the amount of available memory to less than 8GB:

$ ulimit -v 8000000
$ exiv2 poc2.png 
Uncaught exception: std::bad_alloc
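The length calculation described in the report, modelled in C++ as an added example. This is not exiv2's code and does not reproduce pngimage.cpp: the helper names (iccOffsetNaive, compressedLenVulnerable, compressedLenHardened, plannedAllocation, wouldReadPastChunk), the two constructed iCCP payloads, and the assumption that the inflate helper reserves twice the compressed length as its first guess are all mine; that last assumption was chosen because it reproduces the 8GB figure in the report. The vulnerable path shows the unsigned wrap when the profile name is not NUL-terminated inside the chunk, and the hardened path shows the bounds check that prevents it.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

// Constructed iCCP chunk payload (not taken from any real file): a 4-byte
// profile name "abcd" with NO NUL separator and NO compression-method byte.
// chunkLength is 4, but the name scan runs to the end of the data.
static const std::vector<uint8_t> kTruncatedIccp = {'a', 'b', 'c', 'd'};

// Constructed well-formed payload: name "abcd", NUL, method 0, then 3 bytes
// standing in for the zlib stream (contents irrelevant here).
static const std::vector<uint8_t> kGoodIccp = {'a', 'b', 'c', 'd', 0x00, 0x00,
                                               0x78, 0x9c, 0x03};

// Offset of the compressed profile: name length + NUL + method byte.
// Deliberately does not verify that the NUL and method byte exist, which is
// the shape of mistake the issue describes.
static uint32_t iccOffsetNaive(const std::vector<uint8_t>& chunk) {
    size_t nameLen = 0;
    while (nameLen < chunk.size() && chunk[nameLen] != 0) ++nameLen;
    return static_cast<uint32_t>(nameLen + 2);
}

// Vulnerable: chunkLength - iccOffset in unsigned arithmetic. When iccOffset
// exceeds chunkLength the result wraps to roughly 4 GB.
static uint32_t compressedLenVulnerable(const std::vector<uint8_t>& chunk) {
    const uint32_t chunkLength = static_cast<uint32_t>(chunk.size());
    return chunkLength - iccOffsetNaive(chunk);  // wraps on malformed input
}

// Model of a decompression helper that reserves 2x the input as its starting
// output size (assumption, picked to match the 8GB allocation reported).
static uint64_t plannedAllocation(uint32_t compressedLen) {
    return static_cast<uint64_t>(compressedLen) * 2;
}

// True when the claimed compressed length extends past the bytes actually
// present, i.e. a decompressor would read beyond the chunk buffer.
static bool wouldReadPastChunk(const std::vector<uint8_t>& chunk) {
    const uint64_t off = iccOffsetNaive(chunk);
    const uint64_t claimed = compressedLenVulnerable(chunk);
    return off + claimed > chunk.size();
}

// Hardened: validate the chunk layout before subtracting, so the
// subtraction can never wrap. Throws on anything malformed.
static uint32_t compressedLenHardened(const std::vector<uint8_t>& chunk) {
    const uint32_t chunkLength = static_cast<uint32_t>(chunk.size());
    uint32_t nameLen = 0;
    // PNG: profile name is 1..79 bytes, then a NUL, then the method byte.
    while (nameLen < chunkLength && nameLen < 80 && chunk[nameLen] != 0) ++nameLen;
    if (nameLen == 0 || nameLen > 79 || nameLen >= chunkLength)
        throw std::runtime_error("iCCP: profile name not NUL-terminated within chunk");
    const uint32_t iccOffset = nameLen + 2;
    if (iccOffset > chunkLength)
        throw std::runtime_error("iCCP: missing compression method byte");
    if (chunk[nameLen + 1] != 0)
        throw std::runtime_error("iCCP: unknown compression method");
    return chunkLength - iccOffset;  // iccOffset <= chunkLength, no wrap
}

int main() {
    const uint32_t bad = compressedLenVulnerable(kTruncatedIccp);
    std::cout << "vulnerable length: " << bad
              << " -> planned allocation " << plannedAllocation(bad) << " bytes\n"
              << "reads past chunk: " << wouldReadPastChunk(kTruncatedIccp) << "\n";
    try {
        compressedLenHardened(kTruncatedIccp);
    } catch (const std::runtime_error& e) {
        std::cout << "hardened rejects: " << e.what() << "\n";
    }
    std::cout << "hardened good chunk: " << compressedLenHardened(kGoodIccp) << "\n";
    return 0;
}
```

Build with any C++11 compiler, e.g. g++ -std=c++11. The same wrap appears with any chunk whose name fills the chunk without a NUL, so the check that matters is nameLen < chunkLength before computing the offset, not a cap on the name length alone.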
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 25, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 2, 2019
mergify bot pushed a commit that referenced this issue May 5, 2019
This fixes #790.

(cherry picked from commit 6fa2e31)

# Conflicts:
#	src/pngimage.cpp
piponazo pushed a commit that referenced this issue May 5, 2019
1div0 pushed a commit to 1div0/exiv2 that referenced this issue May 5, 2019
piponazo pushed a commit that referenced this issue May 18, 2019
@kevinbackhouse (Collaborator, Author):

This has been assigned CVE-2019-13109.

dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Mar 23, 2020