AddressSanitizer: heap-buffer-overflow in PngImage::readMetadata() pngimage.cpp:438

[cuanduo]

Describe the bug
in my research , a heap overflow found in Exiv2::readChunk(Exiv2::DataBuf&, Exiv2::BasicIo&) /src/pngimage.cpp:410.

To Reproduce
exiv2 -pv $poc
poc.zip

Expected behavior

=================================================================
==6866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000001b0 at pc 0x7f6fac214733 bp 0x7ffdf4470950 sp 0x7ffdf44700f8
READ of size 8 at 0x6030000001b0 thread T0
    #0 0x7f6fac214732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x7f6fab7af723 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7f6fab7af723 in Exiv2::MemIo::read(unsigned char*, unsigned long) /home/tim/exiv2-asan/src/basicio.cpp:1354
    #3 0x7f6faba0b142 in Exiv2::readChunk(Exiv2::DataBuf&, Exiv2::BasicIo&) /home/tim/exiv2-asan/src/pngimage.cpp:410
    #4 0x7f6faba182f9 in Exiv2::PngImage::readMetadata() /home/tim/exiv2-asan/src/pngimage.cpp:438
    #5 0x7f6fab8faa9c in Exiv2::PgfImage::readMetadata() /home/tim/exiv2-asan/src/pgfimage.cpp:153
    #6 0x559495100458 in Action::Print::printList() /home/tim/exiv2-asan/src/actions.cpp:483
    #7 0x55949510629d in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/tim/exiv2-asan/src/actions.cpp:218
    #8 0x55949507e692 in main /home/tim/exiv2-asan/src/exiv2.cpp:77
    #9 0x7f6faac58b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x55949507f359 in _start (/home/tim/exiv2-asan/build/bin/exiv2+0x18359)

0x6030000001b0 is located 2 bytes to the right of 30-byte region [0x603000000190,0x6030000001ae)
allocated by thread T0 here:
    #0 0x7f6fac27b618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
    #1 0x7f6fab97f0e3 in Exiv2::DataBuf::DataBuf(unsigned long) /home/tim/exiv2-asan/src/types.cpp:144

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
Shadow bytes around the buggy address:
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 06 fa fa fd fd
  0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8020: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 fa
=>0x0c067fff8030: fa fa 00 00 00 06[fa]fa 00 00 00 fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6866==ABORTING

Desktop (please complete the following information):

• ubuntu18
• gcc 7.4.0
• -fsanitize=address -g

[piponazo]

As in #954, I could not reproduce the issue on master nor in 0.27-maintenance. I tried with gcc 7 and 8, and clang 6, using address sanitizer and release and debug modes ... am I missing something ?

[cuanduo]

As in #954, I could not reproduce the issue on master nor in 0.27-maintenance. I tried with gcc 7 and 8, and clang 6, using address sanitizer and release and debug modes ... am I missing something ?

in master
and version the day 7.12 when i test
git checkout -b c4f8561

[shassard]

I just ran into this problem related to KDE's baloo file indexer loading metadata from a corrupt png from libpng's test suite:

https://bugs.kde.org/show_bug.cgi?id=409958

Specifically it was the file:
http://prdownloads.sourceforge.net/libpng/libpng-1.6.37.tar.xz?download
./libpng-1.6.37/contrib/testpngs/crashers/empty_ancillary_chunks.png

[shassard]

On Ubuntu with exvi2 0.27.1-0+18.04+bionic+build12:

`
testpngs/crashers% exiv2 -pv empty_ancillary_chunks.png

zsh: segmentation fault exiv2 -pv empty_ancillary_chunks.png
`

[piponazo]

@shassard I could reproduce the issue on the tag 0.27.1 👍

However the problem seems to be fixed on the latest version of the branch 0.27-maintenance and in master too.

@cuanduo Could you please tell me the compiler flags you are using when compiling on master? I would like to try exactly with your same setup to be able to reproduce the issue on my side. Otherwise I cannot work on it.

[cuanduo]

@shassard I could reproduce the issue on the tag 0.27.1 +1

However the problem seems to be fixed on the latest version of the branch 0.27-maintenance and in master too.

@cuanduo Could you please tell me the compiler flags you are using when compiling on master? I would like to try exactly with your same setup to be able to reproduce the issue on my side. Otherwise I cannot work on it.

it has been fixed by commit bd0afe0 master

[piponazo]

@cuanduo could you please check if the issues #952 and #954 are also solved in the latest master version and close the issues if so?

[cuanduo]

@cuanduo could you please check if the issues #952 and #954 are also solved in the latest master version and close the issues if so?

yes, it can be closed.