
null pointer dereference in http.cpp #793

Closed
kevinbackhouse opened this issue Apr 24, 2019 · 4 comments

Comments

@kevinbackhouse
Collaborator

There is a null pointer dereference bug at http.cpp:364. If the http server sends back a reply that does not contain a space character, then strchr will return NULL, leading to a null pointer dereference in atoi.

To reproduce the bug (tested on master: 55dfdb9) open two terminals. In the first terminal, start a fake webserver using response1.txt:

cat response1.txt | sudo nc -l -p 80

In the second terminal, try to connect to the fake webserver:

exiv2 http://127.0.0.1/test.jpg

There are several other calls to strcat and strstr in the same block of code. I have not written PoCs for them, but the calls to strchr on lines 351 and 362 also look vulnerable to me.
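The strchr/atoi pattern the report describes, shown next to a checked version that rejects a status line with no space, as an added illustration (constructed code with hypothetical function names, not exiv2's own http.cpp):

```cpp
#include <cstdlib>
#include <cstring>
#include <cstdio>

// Stand-in for the pattern in the report: search the status line for a space
// and run atoi() on whatever follows. strchr() returns NULL when no space is
// present, so atoi() then reads through a null-derived pointer and crashes.
// (Constructed illustration of the bug class, not the project's real code.)
int statusCodeUnchecked(const char* statusLine) {
    const char* sp = strchr(statusLine, ' ');
    return atoi(sp + 1);   // sp may be NULL here
}

// Hardened form: every lookup result is checked before it is used, the number
// is parsed with strtol so that "no digits" is detectable, and the value is
// range-checked. Returns -1 for anything that is not "HTTP/x.y NNN ...".
int statusCodeChecked(const char* statusLine) {
    if (statusLine == nullptr) return -1;
    const char* sp = strchr(statusLine, ' ');
    if (sp == nullptr) return -1;          // no space: reject, do not dereference
    char* end = nullptr;
    long code = strtol(sp + 1, &end, 10);
    if (end == sp + 1) return -1;          // nothing numeric after the space
    if (code < 100 || code > 599) return -1;
    return static_cast<int>(code);
}

int main() {
    // Constructed replies: a normal one and the malformed one from the report.
    const char* replies[] = { "HTTP/1.1 200 OK\r\n", "no-space-at-all" };
    for (const char* r : replies) {
        // Only the checked parser is safe to run on the malformed reply.
        std::printf("%-20s -> %d\n", r, statusCodeChecked(r));
    }
    return 0;
}
```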

@clanmills
Collaborator

@kevinbackhouse Thanks for reporting this and the other vulnerabilities you've found in the png and webp code.

Are you willing to work with Team Exiv2 to fix some of this stuff? Let me explain our situation:

We're a small group of volunteers (6 regulars). We are currently refactoring a lot of the code in C++11 for v0.28 and hope to complete that work in 2020. When that's in progress, we'll have quarterly "dot" releases of v0.27 with security and important bug fixes.

The guys doing the refactoring have to "break out" from their project to deal with those security fixes, and they have to be implemented for both v0.27 and v0.28.

Many of those security issues are small changes to the code (testing for integer overflow or testing null-pointers). If you'd be willing to get involved with the project and report both the fix and the issue, life would be less stressful for us.

Perhaps you could share your thoughts with us. You've reported 4 issues today. Is this the first of 40, or the last of 4?

Please understand that we appreciate you taking the time to find and report issues. However please understand that we are a small team and you can overwhelm us with your enthusiasm!

Team Exiv2 use "Slack" to talk to each other directly. If you send me your email address, I will invite you to join us. My email is robin@clanmills.com

@kevinbackhouse
Collaborator Author

No problem. I'll prepare some PRs.

@D4N
Member

D4N commented Apr 25, 2019

@kevinbackhouse Thanks for helping out! If you start working on something, please just make a quick note in that bug report so that no one else will start to work on that too.

In case you want to tackle the integer overflow issues, then please take a look at src/safe_op.hpp, that file contains primitives for overflow resistant additions (I never got to finish it for the remaining operations). If you have any questions, just ask here, or in a PR or join our slack.

kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 30, 2019
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue May 2, 2019
mergify bot pushed a commit that referenced this issue May 4, 2019
This fixes #793.

(cherry picked from commit ae20c30)

# Conflicts:
#	src/http.cpp
piponazo pushed a commit that referenced this issue May 4, 2019
@piponazo piponazo closed this as completed May 4, 2019
piponazo pushed a commit that referenced this issue May 4, 2019
1div0 pushed a commit to 1div0/exiv2 that referenced this issue May 5, 2019
piponazo pushed a commit that referenced this issue May 18, 2019
@kevinbackhouse
Collaborator Author

This has been assigned CVE-2019-13114.

dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Mar 23, 2020