buffer overflow in exiv2/src/webpimage.cpp #960
Comments
Thanks @boo0m for reporting. I could not reproduce a crash under the latest version of Nonetheless the analysis is correct, and I added a regression test and the fix for this issue to throw as soon as we try to read out of bounds. See #962
The POC results in a crash on master.
(cherry picked from commit a048325)
CVE-2019-14982 has been assigned to this flaw.
Describe the bug
I found a buffer overflow bug in exiv2/src/webpimage.cpp:837 due to integer overflow.
To Reproduce
Steps to reproduce the behaviour:
exiv2/build/bin/exiv2 exiv2_getHeaderOffset.poc
Expected behavior

In Exiv2::WebPImage::getHeaderOffset, integer overflow occurs when data_size is less than header_size, and it will cause buffer overflow in '&data[i]'.
The poc is here:
Just do 'exiv2/build/bin/exiv2 exiv2_getHeaderOffset.poc'
exiv2_getHeaderOffset.poc.zip
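Added illustration of the bug class described above (my own code, not exiv2's source and not the patch in #962): the unsigned subtraction that wraps when data_size is less than header_size, next to a checked search that rejects short input by throwing, as the maintainer's fix is described to do. The function names, the std::out_of_range exception type and the sample bytes are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>

// The loop bound the vulnerable pattern computes: data_size - header_size.
// With unsigned operands this wraps to a huge value when data_size <
// header_size, so "for (i = 0; i < bound; ++i)" keeps indexing &data[i]
// far past the end of the buffer. Hypothetical reconstruction, not exiv2's code.
size_t uncheckedLoopBound(size_t data_size, size_t header_size)
{
    return data_size - header_size;  // wraps to SIZE_MAX when 3 - 4, etc.
}

// Hardened search: reject short input up front (throwing, as the fix in the
// issue is described to do) and phrase the loop bound as an addition that
// cannot wrap. Returns the offset of the first match, or -1 if absent.
long findHeaderChecked(const uint8_t* data, size_t data_size,
                       const uint8_t* header, size_t header_size)
{
    if (header_size == 0 || data_size < header_size)
        throw std::out_of_range("header search would read past end of data");
    // i + header_size <= data_size keeps every memcmp inside data.
    for (size_t i = 0; i + header_size <= data_size; ++i) {
        if (std::memcmp(header, &data[i], header_size) == 0)
            return static_cast<long>(i);
    }
    return -1;
}

// Constructed sample: a RIFF/WEBP prefix followed by a VP8X chunk tag.
static const uint8_t kSample[] = {
    'R','I','F','F', 0x10,0x00,0x00,0x00, 'W','E','B','P', 'V','P','8','X'
};
static const uint8_t kVp8x[] = { 'V','P','8','X' };

// The short-buffer case that previously drove the index out of bounds:
// returns true when the checked search refuses to scan 3 bytes for a
// 4-byte header instead of reading past them.
bool shortBufferRejected()
{
    try {
        findHeaderChecked(kSample, 3, kVp8x, sizeof kVp8x);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}
```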