Integer overflow, leading to very large allocation in WebPImage::decodeChunks() #791
Comments

Timeline: kevinbackhouse added commits to kevinbackhouse/exiv2 that referenced this issue on Apr 26, 2019 (two commits), Apr 30, 2019 (two commits), May 2, 2019, May 6, 2019 (two commits) and May 12, 2019. piponazo pushed two commits that referenced this issue on May 12, 2019.
This has been assigned CVE-2019-13111.
There is a bug at webpimage.cpp:515. If `filesize < io_->tell()` then the subtraction overflows and the bounds check on `size` is ineffective.

There is an additional problem in this function, which is that the error conditions are not checked after the calls to `io_->read`. Calls to `io_->read` should always be followed by calls to `io_->error()` and `io_->eof()`, to make sure that the buffer was read successfully. This means that the code does not notice that the file size is much smaller than the value of `size` would suggest. This has enabled me to write a PoC which causes exiv2 to run for almost a minute, scanning 4GB of uninitialized memory.

Here is the PoC, which I have tested on master (55dfdb9):

You can run the PoC like this to see the long-running behavior:

Or if you use `ulimit` to lower the maximum allocation size to less than 4GB then exiv2 will crash:
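The two defects the report describes, an unsigned subtraction that wraps when the read position is already past the end of the file and reads whose result is never checked, are easy to reproduce and to guard against in isolation. The following is an added example and not exiv2's code: `ByteStream`, `chunkFitsUnchecked`, `chunkFitsChecked`, `readChunk` and the sample bytes are constructed for illustration. It puts the wrapping check beside an ordering check that cannot wrap, and shows a RIFF-style chunk reader (4-byte FourCC plus 32-bit little-endian size, the WebP container layout) that validates the size field against the bytes actually remaining before allocating anything and treats a short read as an error rather than using the buffer.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a seekable byte source (not exiv2's BasicIo; names are hypothetical).
struct ByteStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    size_t filesize() const { return data.size(); }
    size_t tell() const { return pos; }
    // Copies up to n bytes and returns how many were actually copied (short at EOF).
    size_t read(uint8_t* buf, size_t n) {
        size_t avail = pos < data.size() ? data.size() - pos : 0;
        size_t got = n < avail ? n : avail;
        if (got) std::memcpy(buf, data.data() + pos, got);
        pos += got;
        return got;
    }
    bool eof() const { return pos >= data.size(); }
};

// The pattern the issue describes: remaining = filesize - tell(), reject if size > remaining.
// When tell() is already past filesize the unsigned subtraction wraps to a huge value and the
// check accepts any size.
bool chunkFitsUnchecked(uint64_t filesize, uint64_t pos, uint64_t size) {
    uint64_t remaining = filesize - pos;   // wraps if pos > filesize
    return size <= remaining;
}

// Hardened form: establish pos <= filesize before subtracting, so the difference cannot wrap.
bool chunkFitsChecked(uint64_t filesize, uint64_t pos, uint64_t size) {
    if (pos > filesize) return false;
    return size <= filesize - pos;
}

// Reads one chunk: 4-byte FourCC + 32-bit little-endian payload size. The declared size is
// validated against the bytes that remain before any allocation, and each read is checked for
// a short result instead of trusting the header.
bool readChunk(ByteStream& io, std::string& fourcc, std::vector<uint8_t>& payload) {
    uint8_t hdr[8];
    if (io.read(hdr, sizeof hdr) != sizeof hdr) return false;   // truncated header
    fourcc.assign(reinterpret_cast<const char*>(hdr), 4);
    uint64_t declared = static_cast<uint64_t>(hdr[4])
                      | (static_cast<uint64_t>(hdr[5]) << 8)
                      | (static_cast<uint64_t>(hdr[6]) << 16)
                      | (static_cast<uint64_t>(hdr[7]) << 24);
    if (!chunkFitsChecked(io.filesize(), io.tell(), declared)) return false;  // size field too large
    payload.resize(static_cast<size_t>(declared));
    if (io.read(payload.data(), payload.size()) != payload.size()) {  // short read: discard buffer
        payload.clear();
        return false;
    }
    return true;
}

// Constructed sample: a well-formed "VP8 " chunk with a 4-byte payload, followed by a chunk
// whose size field claims 0xFFFFFFFF bytes that the file does not contain.
std::vector<uint8_t> sampleFile() {
    return { 'V','P','8',' ', 4,0,0,0, 0xDE,0xAD,0xBE,0xEF,
             'A','L','P','H', 0xFF,0xFF,0xFF,0xFF, 0x00 };
}

int main() {
    ByteStream io{ sampleFile() };
    std::string tag;
    std::vector<uint8_t> body;
    bool first = readChunk(io, tag, body);    // true: "VP8 " with 4 payload bytes
    bool second = readChunk(io, tag, body);   // false: declared size exceeds remaining bytes
    std::printf("first=%d second=%d wrapAccepts=%d checkedRejects=%d\n", first, second,
                chunkFitsUnchecked(100, 200, 1ULL << 32), !chunkFitsChecked(100, 200, 1ULL << 32));
    return 0;
}
```

`chunkFitsUnchecked(100, 200, 1ULL << 32)` returns true because `100 - 200` wraps to a value near 2^64, which is exactly how a bounds check can be rendered ineffective once the position has moved past the file size; `chunkFitsChecked` rejects the same input before the subtraction happens. In `readChunk`, the size check runs before `resize`, so an oversized size field never turns into a multi-gigabyte allocation, and a read that returns fewer bytes than requested is reported as a failure instead of leaving the caller to process whatever the buffer happens to contain.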