
buffer overflow in exiv2/src/webpimage.cpp #960

Closed
boo0m opened this issue Jul 15, 2019 · 4 comments
@boo0m

boo0m commented Jul 15, 2019

Describe the bug
I found a buffer overflow bug in exiv2/src/webpimage.cpp:837 due to integer overflow.
To Reproduce
Steps to reproduce the behaviour:
exiv2/build/bin/exiv2 exiv2_getHeaderOffset.poc

Expected behavior
In Exiv2::WebPImage::getHeaderOffset, integer overflow occurs when data_size is less than header_size, and it will cause buffer overflow in '&data[i]'.

#0  0x00007ffff784ce88 in Exiv2::WebPImage::getHeaderOffset (this=<optimized out>, data=0x71a2e0 "\300\\\310\366\377\177", data_size=0x0, header_size=0x4, header=<optimized out>) at /data/Exiv2_AFL/exiv2/src/webpimage.cpp:837
#1  Exiv2::WebPImage::decodeChunks (this=<optimized out>, filesize=<optimized out>) at /data/Exiv2_AFL/exiv2/src/webpimage.cpp:632
#2  0x00007ffff784b2e0 in Exiv2::WebPImage::readMetadata (this=0x719820) at /data/Exiv2_AFL/exiv2/src/webpimage.cpp:508
#3  0x000000000049d59d in Action::Print::printSummary (this=0x71a950) at /data/Exiv2_AFL/exiv2/src/actions.cpp:260
#4  0x000000000049cf30 in Action::Print::run (this=0x71a950, Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
path=) at /data/Exiv2_AFL/exiv2/src/actions.cpp:215
#5  0x00000000004094e6 in main (argc=<optimized out>, argc@entry=0x2, argv=<optimized out>, argv@entry=0x7fffffffe6c8) at /data/Exiv2_AFL/exiv2/src/exiv2.cpp:77
#6  0x00007ffff68bbb97 in __libc_start_main (main=0x408b30 <main(int, char* const*)>, argc=0x2, argv=0x7fffffffe6c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6b8) at ../csu/libc-start.c:310
#7  0x0000000000408a6a in _start ()

   0x7ffff784ce77 <Exiv2::WebPImage::decodeChunks(long)+4279>:	mov    rcx,QWORD PTR [rsp+0x8]
   0x7ffff784ce7c <Exiv2::WebPImage::decodeChunks(long)+4284>:	mov    rdx,QWORD PTR [rsp]
   0x7ffff784ce80 <Exiv2::WebPImage::decodeChunks(long)+4288>:	lea    rsp,[rsp+0x98]
=> 0x7ffff784ce88 <Exiv2::WebPImage::decodeChunks(long)+4296>:	cmp    DWORD PTR [rcx+rsi*1],0xe1ff01ff
   0x7ffff784ce8f <Exiv2::WebPImage::decodeChunks(long)+4303>:	je     0x7ffff784d858 <Exiv2::WebPImage::decodeChunks(long)+6808>
   0x7ffff784ce95 <Exiv2::WebPImage::decodeChunks(long)+4309>:	nop    DWORD PTR [rax]
   0x7ffff784ce98 <Exiv2::WebPImage::decodeChunks(long)+4312>:	lea    rsp,[rsp-0x98]
   0x7ffff784cea0 <Exiv2::WebPImage::decodeChunks(long)+4320>:	mov    QWORD PTR [rsp],rdx


RCX: 0x71a2e0
RSI: 0xdd1d

The poc is here:
Just do 'exiv2/build/bin/exiv2 exiv2_getHeaderOffset.poc'

exiv2_getHeaderOffset.poc.zip
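To make the reported mechanism concrete, here is an added example written for this page; it is not Exiv2's own getHeaderOffset and does not use the PoC file. It models the pattern the report describes: a search loop whose bound is `data_size - header_size` computed in unsigned arithmetic, so that `data_size=0, header_size=4` (the values in the backtrace) wraps to a huge bound instead of a negative one, and `&data[i]` walks off the end of the buffer. `naive_loop_bound` only evaluates that wrapped bound (unsigned wrap-around is well defined, so it is safe to run); `find_header_offset` is a hardened search that rejects undersized input before any subtraction. The 4-byte marker and the sample buffers are constructed for the example; the marker bytes are taken from the immediate `0xe1ff01ff` in the disassembly above but are only illustrative here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Loop bound a naive search computes with unsigned sizes. For
// data_size=0, header_size=4 this is SIZE_MAX-3, not -4, so a loop
// written as `for (i = 0; i < bound; ++i)` would run (almost) forever
// and read far past the end of `data`. Evaluating the bound itself is
// well defined; only indexing with it would be out of bounds.
std::size_t naive_loop_bound(std::size_t data_size, std::size_t header_size) {
    return data_size - header_size;
}

// Hardened search: offset of `header` inside `data`, or -1 if absent.
// The size check runs before the subtraction, so `last` cannot wrap and
// every `&data[i]` read stays inside [data, data + data_size).
// Note `i <= last`: a header sitting exactly at the end is still found.
long find_header_offset(const std::uint8_t* data, std::size_t data_size,
                        const std::uint8_t* header, std::size_t header_size) {
    if (header_size == 0 || data == nullptr || data_size < header_size) {
        return -1;
    }
    const std::size_t last = data_size - header_size;  // safe: data_size >= header_size
    for (std::size_t i = 0; i <= last; ++i) {
        if (std::memcmp(header, &data[i], header_size) == 0) {
            return static_cast<long>(i);
        }
    }
    return -1;
}

// Constructed sample input (not taken from the issue's PoC).
// kHeader mirrors the bytes compared by the `cmp ... 0xe1ff01ff` above.
static const std::uint8_t kHeader[4] = {0xff, 0x01, 0xff, 0xe1};
// Marker at offset 6, with bytes before and after it.
static const std::uint8_t kSample[] = {0x52, 0x49, 0x46, 0x46, 0x00, 0x00,
                                       0xff, 0x01, 0xff, 0xe1, 0x00, 0x10};
// Marker flush against the end of the buffer (offset 1): the boundary case.
static const std::uint8_t kSampleAtEnd[] = {0x00, 0xff, 0x01, 0xff, 0xe1};

int main() {
    // The case from the backtrace: zero bytes of data, four bytes of header.
    // The hardened search must reject it instead of wrapping the bound.
    const bool rejected =
        find_header_offset(kSample, 0, kHeader, sizeof kHeader) == -1;
    const bool found =
        find_header_offset(kSample, sizeof kSample, kHeader, sizeof kHeader) == 6;
    return (rejected && found) ? 0 : 1;
}
```

The fix shape that matters is the early `data_size < header_size` return: once that check is in place the subtraction is only ever performed on values where it cannot wrap, regardless of whether the sizes are signed or unsigned.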

@piponazo
Collaborator

Thanks @boo0m for reporting. I could not reproduce a crash under the latest version of 0.27-maintenance. I was obtaining the following output message from exiv2:

$ bin/exiv2 /media/linuxDev/exiv2/exiv2_getHeaderOffset.poc
Exiv2 exception in print action for file /media/linuxDev/exiv2/exiv2_getHeaderOffset.poc:
corrupted image metadata

Nonetheless the analysis is correct, and I added a regression test and the fix for this issue to throw as soon as we try to read out of bounds. See #962

@D4N
Member

D4N commented Jul 15, 2019

The POC results in a crash on master.

piponazo added a commit that referenced this issue Jul 15, 2019
mergify bot pushed a commit that referenced this issue Jul 15, 2019
(cherry picked from commit a048325)
@boo0m
Author

boo0m commented Jul 25, 2019

Could you please request/assign a CVE for this bug? Thanks. @piponazo @D4N

@ret2libc

CVE-2019-14982 has been assigned to this flaw.
