Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integer overflow, leading to very large allocation in WebPImage::decodeChunks() #791

Closed
kevinbackhouse opened this issue Apr 24, 2019 · 1 comment · Fixed by #813
Closed

Comments

@kevinbackhouse
Copy link
Collaborator

There is a bug at webpimage.cpp:515. If filesize < io_->tell() then the subtraction overflows and the bounds check on size is ineffective.

There is an additional problem in this function, which is that the error conditions are not checked after the calls to io_->read. Calls to io_->read should always be followed by calls to io_->error() and io_->eof(), to make sure that the buffer was read successfully. This means that the code does not notice that the file size is much smaller than the value of size would suggest. This has enabled me to write a PoC which causes exiv2 to run for almost a minute, scanning 4GB of uninitialized memory.

Here is the PoC, which I have tested on master (55dfdb9):
poc1. You can run the PoC like this to see the long-running behavior:

$ time exiv2 poc1.jpg  
File name       : poc1.jpg
File size       : 28 Bytes
MIME type       : image/webp
Image size      : 0 x 0
poc1.jpg: No Exif data found in the file

real    0m52.738s
user    0m50.621s
sys     0m2.108s

Or if you use ulimit to lower the maximum allocation size to less than 4GB then exiv2 will crash:

$ ulimit -v 4000000
$ exiv2 poc1.jpg
Uncaught exception: std::bad_alloc
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 26, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 26, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 30, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 30, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 2, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 6, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 6, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 12, 2019
@kevinbackhouse
Copy link
Collaborator Author

This has been assigned CVE-2019-13111.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant