
Segmentation fault in exiv2 #979

Closed
5hadowblad3 opened this issue Aug 9, 2019 · 6 comments
Labels: notReproducible (Reported bugs not confirmed)

Comments

5hadowblad3 commented Aug 9, 2019

There is a segmentation fault in exiv2 correlated to getUShort.

Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
gcc: 5.4.0

The compile command is:
cmake ./ ;make

To reproduce the issue, run:
./exiv2 input

Here is the trace reported by asan:

=================================================================
==170768==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc5ab442080 (pc 0x7fc4b2978cd0 bp 0x0fffddc18c2e sp 0x7ffeee0c6140 T0)
#0 0x7fc4b2978ccf in unsigned short Exiv2::getUShort<unsigned char const*>(Exiv2::Slice<unsigned char const*> const&, Exiv2::ByteOrder) /home/heqing/playground/exiv2-0.27.1-Source-a/include/exiv2/types.hpp:300
#1 0x7fc4b2978ccf in Exiv2::getUShort(unsigned char const*, Exiv2::ByteOrder) /home/heqing/playground/exiv2-0.27.1-Source-a/src/types.cpp:280
#2 0x7fc4b30a1637 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/heqing/playground/exiv2-0.27.1-Source-a/src/crwimage_int.cpp:286
#3 0x7fc4b1ce6fb7 in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) /home/heqing/playground/exiv2-0.27.1-Source-a/src/crwimage.cpp:150
#4 0x7fc4b1cf4475 in Exiv2::CrwImage::readMetadata() /home/heqing/playground/exiv2-0.27.1-Source-a/src/crwimage.cpp:107
#5 0x77b36d in Action::Print::printSummary() /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:286
#6 0x79935f in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:246
#7 0x410f18 in main /home/heqing/playground/exiv2-0.27.1-Source-a/src/exiv2.cpp:169
#8 0x7fc4ae9ee82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x41abb8 in _start (/home/heqing/playground/exiv2-0.27.1-Source-a/build/bin/exiv2+0x41abb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/heqing/playground/exiv2-0.27.1-Source-a/include/exiv2/types.hpp:300 unsigned short Exiv2::getUShort<unsigned char const*>(Exiv2::Slice<unsigned char const*> const&, Exiv2::ByteOrder)
==170768==ABORTING

The original program's output is a segmentation fault.

The attachment is the PoC input.
poc_input.zip

5hadowblad3 added the bug label Aug 9, 2019
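The trace above ends in getUShort reading through a bad address while CiffDirectory::readDirectory walks a CIFF (Canon CRW) directory whose offsets come straight from the file. As an added example, not exiv2's code, here is a minimal CIFF heap-directory reader in C++ that validates the directory offset, the entry count and every payload range before each read, run against constructed heaps: one well-formed, one whose trailer points far outside the buffer, and one whose entry count is too large for the heap. The layout assumed (a 4-byte trailer holding the directory offset, a 16-bit entry count, 10-byte entries, little-endian) follows the CIFF specification; the tag numbers, payload bytes and function names are made up for the example.

```cpp
// Added example (not exiv2's code): a bounds-checked CIFF heap-directory reader.
// Assumed layout (per the CIFF specification; little-endian heaps only here):
//   heap[0 .. dirOff)          record payloads
//   heap[dirOff .. +2)         uint16 entry count
//   heap[dirOff+2 .. +10*n)    entries: uint16 tag, uint32 size, uint32 offset (within the heap)
//   heap[size-4 .. size)       uint32 dirOff, the directory's offset within the heap
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct CiffEntry {
    uint16_t tag;
    uint32_t size;
    uint32_t offset;
};

enum class CiffStatus { Ok, TooShort, DirOffsetOutOfRange, EntriesOutOfRange, PayloadOutOfRange };

// Raw little-endian readers. Callers must already have checked off + width <= h.size().
static uint16_t rdU16(const std::vector<uint8_t>& h, size_t off) {
    return static_cast<uint16_t>(h[off] | (h[off + 1] << 8));
}
static uint32_t rdU32(const std::vector<uint8_t>& h, size_t off) {
    return static_cast<uint32_t>(h[off]) | (static_cast<uint32_t>(h[off + 1]) << 8) |
           (static_cast<uint32_t>(h[off + 2]) << 16) | (static_cast<uint32_t>(h[off + 3]) << 24);
}

CiffStatus readCiffDirectory(const std::vector<uint8_t>& heap, std::vector<CiffEntry>& out) {
    out.clear();
    const size_t kTrailer = 4, kCount = 2, kEntry = 10;
    if (heap.size() < kTrailer + kCount) return CiffStatus::TooShort;

    const size_t trailerOff = heap.size() - kTrailer;
    const uint32_t dirOff = rdU32(heap, trailerOff);
    // The 2-byte count must lie entirely before the trailer (dirOff + 2 <= trailerOff),
    // written as a subtraction so a huge file-supplied dirOff cannot wrap the addition.
    if (dirOff > trailerOff - kCount) return CiffStatus::DirOffsetOutOfRange;

    const uint16_t count = rdU16(heap, dirOff);            // safe: checked above
    const size_t avail = trailerOff - kCount - dirOff;     // bytes between count and trailer
    if (static_cast<size_t>(count) * kEntry > avail) return CiffStatus::EntriesOutOfRange;

    for (size_t i = 0; i < count; ++i) {
        const size_t e = dirOff + kCount + i * kEntry;
        CiffEntry ent{rdU16(heap, e), rdU32(heap, e + 2), rdU32(heap, e + 6)};
        // Payloads live before the directory; reject anything reaching into or past it.
        if (static_cast<uint64_t>(ent.offset) + ent.size > dirOff) return CiffStatus::PayloadOutOfRange;
        out.push_back(ent);
    }
    return CiffStatus::Ok;
}

// --- constructed sample heaps (made up for this example) ---
static void putU16(std::vector<uint8_t>& h, uint16_t v) {
    h.push_back(static_cast<uint8_t>(v & 0xff));
    h.push_back(static_cast<uint8_t>(v >> 8));
}
static void putU32(std::vector<uint8_t>& h, uint32_t v) {
    for (int s = 0; s < 32; s += 8) h.push_back(static_cast<uint8_t>((v >> s) & 0xff));
}

// Well-formed heap: 12 payload bytes, a 2-entry directory, then the trailer (38 bytes total).
std::vector<uint8_t> makeValidHeap() {
    std::vector<uint8_t> h;
    for (int i = 0; i < 12; ++i) h.push_back(static_cast<uint8_t>(0xA0 + i));
    putU16(h, 2);                                    // entry count
    putU16(h, 0x1810); putU32(h, 4); putU32(h, 0);   // tag, size, offset
    putU16(h, 0x180e); putU32(h, 8); putU32(h, 4);
    putU32(h, 12);                                   // trailer: directory starts at byte 12
    return h;
}
// Same heap with a trailer pointing far outside the buffer; an unchecked
// getUShort(heap + dirOff) on this input is an out-of-bounds read.
std::vector<uint8_t> makeBadDirOffsetHeap() {
    std::vector<uint8_t> h = makeValidHeap();
    h.resize(h.size() - 4);
    putU32(h, 0x7fffff00u);
    return h;
}
// Same heap with the entry count set to 0xffff, so the entry table would run past the trailer.
std::vector<uint8_t> makeBadCountHeap() {
    std::vector<uint8_t> h = makeValidHeap();
    h[12] = 0xff; h[13] = 0xff;
    return h;
}

int main() {
    static const char* const names[] = {"Ok", "TooShort", "DirOffsetOutOfRange",
                                        "EntriesOutOfRange", "PayloadOutOfRange"};
    std::vector<CiffEntry> entries;
    CiffStatus s = readCiffDirectory(makeValidHeap(), entries);
    std::printf("valid:      %s, %zu entries\n", names[static_cast<int>(s)], entries.size());
    s = readCiffDirectory(makeBadDirOffsetHeap(), entries);
    std::printf("bad offset: %s\n", names[static_cast<int>(s)]);
    s = readCiffDirectory(makeBadCountHeap(), entries);
    std::printf("bad count:  %s\n", names[static_cast<int>(s)]);
    return 0;
}
```

The point of the subtraction-form checks is that every quantity compared against the buffer size comes from the file, so `dirOff + 2` or `offset + size` computed in 32 bits can wrap to a small value and pass a naive check; comparing against `trailerOff - kCount` and widening the payload sum to 64 bits avoids that.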
clanmills (Collaborator) commented

Thank you for reporting this.

I built 0.27.1 from source on Linux and reproduced your report.

I'm unable to reproduce this with Exiv2 v0.27.2 (the current release). I've built this with/without ASAN on both Ubuntu (18.04) and MacOSX (Mojave 14.6). I've also built 'master' on Linux (with ASAN support).

$ cd ~/gnu/github/exiv2/0.27-maintenance
$ mkdir asan_build
$ cd asan_build/
$ cmake .. -DEXIV2_TEAM_USE_SANITIZERS=On
$ make
$ bin/exiv2 --version
exiv2 0.27.2

This program is free software; you can redistribute it and/or
..........
Boston, MA 02110-1301 USA
$ bin/exiv2 ~/Downloads/poc_input 
Exiv2 exception in print action for file /Users/rmills/Downloads/poc_input:
corrupted image metadata
$ bin/exiv2 -pR ~/Downloads/poc_input 
Exiv2 exception in print action for file /Users/rmills/Downloads/poc_input:
Image type /Users/rmills/Downloads/poc_input is not supported
$

clanmills self-assigned this Aug 9, 2019
clanmills added this to the v0.27.3 milestone Aug 9, 2019
5hadowblad3 (Author) commented

Yes, I think the new version of exiv2 has fixed this issue.

clanmills (Collaborator) commented

Very good. I will close this issue. If you discover anything else concerning this, I will be happy to re-open and continue our discussion.

clanmills added the notReproducible (Reported bugs not confirmed) label and removed the bug label Aug 9, 2019

msmeissn commented
This was fixed by commit c0ecc2a, I think, and issue 843.

msmeissn commented

Introduced by:

commit b3d077d
Author: Robin Mills robin@clanmills.com
Date: Sat Oct 13 11:38:56 2018 +0200

Fix #460 by adding more checks in CiffDirectory::readDirectory

I think during 0.27 development

wangdada-love commented
Hello, I have encountered a similar issue. I wrote a test code to write meta data to an image. Previously, this code compiled successfully and ran without errors. However, after recompiling the Exiv2 library and replacing it, when I recompiled the code, it resulted in a segmentation fault. What could be the reason behind this, and are there any solutions?

code:

#include <chrono>
#include <ctime>
#include <iostream>
#include <string>

#include <exiv2/exiv2.hpp>   // umbrella header; already pulls in image.hpp, exif.hpp and error.hpp

struct MetaData {
    std::string model_version;
    std::string time;    // Exif DateTime format "YYYY:MM:DD HH:MM:SS"
    std::string mmTime;  // milliseconds, written to SubSecTime
};

// Look up an Exif tag by key name; returns "Unknown" when the tag is absent.
std::string FindExifKey(Exiv2::ExifData& ed, const std::string& key)
{
    Exiv2::ExifKey tmp(key);
    Exiv2::ExifData::iterator pos = ed.findKey(tmp);
    if (pos == ed.end()) {
        return "Unknown";
    }
    return pos->value().toString();
}

// Build the values to write: a fixed model string plus the current local time
// split into the Exif DateTime string and a millisecond SubSecTime string.
MetaData getMeta()
{
    MetaData meta;
    meta.model_version = "test";
    std::chrono::system_clock::time_point now = std::chrono::system_clock::now();
    std::time_t currentTime = std::chrono::system_clock::to_time_t(now);
    std::tm* localTime = std::localtime(&currentTime);
    char ctimeInfo[32];
    std::strftime(ctimeInfo, sizeof ctimeInfo, "%Y:%m:%d %H:%M:%S", localTime);
    std::chrono::milliseconds currentMs =
        std::chrono::duration_cast<std::chrono::milliseconds>(now.time_since_epoch()) % 1000;
    meta.time = std::string(ctimeInfo);  // e.g. "2021:04:17 10:00:00"
    meta.mmTime = std::to_string(currentMs.count());
    return meta;
}

int main()
{
    const char* filename = "1.jpeg";

    MetaData meta = getMeta();
    std::cout << "read filename: " << filename << std::endl;

    // Exiv2 signals unreadable or unsupported files by throwing Exiv2::Error
    // (the "Exiv2 exception in print action" lines earlier in this thread are
    // the CLI catching the same type), so wrap the library calls in a try block.
    try {
        // Exiv2::Image::AutoPtr is the 0.27 API; 0.28 renamed it to Exiv2::Image::UniquePtr.
        Exiv2::Image::AutoPtr image = Exiv2::ImageFactory::open(filename);
        if (image.get() == 0) {
            std::cerr << "could not open " << filename << std::endl;
            return 1;
        }
        std::cout << "read done! filename: " << filename << std::endl;
        image->readMetadata();

        // A fresh ExifData replaces whatever Exif block the file had.
        Exiv2::ExifData exifData;
        exifData["Exif.Image.DateTime"] = meta.time;
        exifData["Exif.Photo.UserComment"] = meta.model_version;
        exifData["Exif.Photo.SubSecTime"] = meta.mmTime;
        image->setExifData(exifData);
        image->writeMetadata();
    } catch (const Exiv2::Error& e) {
        std::cerr << "Exiv2 error: " << e.what() << std::endl;
        return 1;
    }

    return 0;
}


4 participants