
CVE-2017-11338: infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp #51

Closed
rhertzog opened this issue Aug 31, 2017 · 2 comments

@rhertzog

I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1470913

The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1298062
(it's a rar archive containing the file used to reproduce the issue)

Here's a copy of the report:

$./exiv2 POC4
RW2 IMAGE

GDB debugging information is as follows:
(gdb) set args POC4
(gdb) r
 ...
(gdb) bt
#0  Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0, 
    bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:492
#1  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x611000009dc0, io=..., out=..., 
    option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#2  0x00007ffff724924c in Exiv2::Rw2Image::printStructure (this=<optimized out>, out=..., option=<optimized out>, 
    depth=<optimized out>) at rw2image.cpp:115
#3  0x00007ffff724a1dc in Exiv2::Rw2Image::readMetadata (this=<optimized out>) at rw2image.cpp:134
#4  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#5  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#6  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170

This vulnerability was triggered in Exiv2::Image::printIFDStructure () at image.cpp:492, which will result in an infinite loop.

 348         do {
 349             // Read top of directory
 350             io.seek(start,BasicIo::beg);
 351             io.read(dir.pData_, 2);
 352             uint16_t   dirLength = byteSwap2(dir,0,bSwap);
 353 
 354             bool tooBig = dirLength > 500;
 355             if ( tooBig ) throw Error(55);
 356 
 357             if ( bFirst && bPrint ) {
 359                 if ( tooBig ) out << Internal::indent(depth) << "dirLength = " << dirLength << std::endl;
 360             }
 361 
 ...
 491             if ( start ) {
 492                 io.read(dir.pData_, 4);
 493                 start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
 494             }
 495         } while (start) ;

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
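The loop quoted in the report follows the next-IFD pointer (`start`) until it reads zero, so a file whose pointer leads back to an IFD that was already walked never terminates. The following is an added example, not Exiv2's code and not the patch referenced from #79: a minimal TIFF IFD-chain walker in C++ over constructed little-endian buffers that stops when an offset is revisited, caps the number of IFDs, bounds-checks every read and keeps the report's `dirLength > 500` rejection. The names (`walkIfdChain`, `walkRejects`, `appendIfd`, the sample builders) and the sample files are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <vector>

// Bounds-checked reads: a file-controlled next-IFD pointer may point anywhere.
static uint16_t read16(const std::vector<uint8_t>& buf, size_t pos, bool bigEndian) {
    if (pos > buf.size() || buf.size() - pos < 2) throw std::runtime_error("read16 past end of file");
    return bigEndian ? static_cast<uint16_t>((buf[pos] << 8) | buf[pos + 1])
                     : static_cast<uint16_t>(buf[pos] | (buf[pos + 1] << 8));
}

static uint32_t read32(const std::vector<uint8_t>& buf, size_t pos, bool bigEndian) {
    if (pos > buf.size() || buf.size() - pos < 4) throw std::runtime_error("read32 past end of file");
    uint32_t v = 0;
    for (size_t i = 0; i < 4; ++i) {
        size_t idx = bigEndian ? pos + i : pos + 3 - i;  // most significant byte first
        v = (v << 8) | buf[idx];
    }
    return v;
}

struct IfdWalk {
    size_t ifdCount;      // IFDs read before the walk stopped
    bool   cycleDetected; // a next-IFD pointer led back to an offset already walked
};

// Walks a TIFF IFD chain. Each IFD is a 2-byte entry count, count * 12 bytes of
// entries, then the 4-byte offset of the next IFD (0 ends the chain). Unlike a
// plain `do { ... } while (start)`, the walker refuses to revisit an offset and
// caps the number of IFDs, so a crafted file cannot keep it spinning.
IfdWalk walkIfdChain(const std::vector<uint8_t>& buf, uint32_t start, bool bigEndian,
                     size_t maxIfds = 64) {
    std::set<uint32_t> visited;
    IfdWalk result{0, false};
    while (start != 0) {
        if (!visited.insert(start).second) {  // seen before: stop instead of looping forever
            result.cycleDetected = true;
            break;
        }
        if (result.ifdCount >= maxIfds) throw std::runtime_error("too many IFDs");
        uint16_t dirLength = read16(buf, start, bigEndian);
        if (dirLength > 500) throw std::runtime_error("dirLength too big");  // same cap as the report's tooBig
        size_t nextPtr = static_cast<size_t>(start) + 2 + static_cast<size_t>(dirLength) * 12;
        start = read32(buf, nextPtr, bigEndian);
        ++result.ifdCount;
    }
    return result;
}

// True if the walker rejects the buffer (out-of-range read, oversized IFD, too many IFDs).
bool walkRejects(const std::vector<uint8_t>& buf) {
    try { walkIfdChain(buf, 8, false); return false; }
    catch (const std::runtime_error&) { return true; }
}

// --- constructed little-endian samples (not real camera files) ---
static std::vector<uint8_t> tiffHeader() { return {'I', 'I', 42, 0, 8, 0, 0, 0}; }  // first IFD at 8

static void appendIfd(std::vector<uint8_t>& buf, uint16_t entries, uint32_t next) {
    buf.push_back(static_cast<uint8_t>(entries & 0xff));
    buf.push_back(static_cast<uint8_t>(entries >> 8));
    buf.insert(buf.end(), static_cast<size_t>(entries) * 12, static_cast<uint8_t>(0));  // zeroed entries
    for (int i = 0; i < 4; ++i) buf.push_back(static_cast<uint8_t>((next >> (8 * i)) & 0xff));
}

std::vector<uint8_t> wellFormedSample() {   // IFD0 @8 (1 entry) -> IFD1 @26 (0 entries) -> end
    std::vector<uint8_t> buf = tiffHeader(); appendIfd(buf, 1, 26); appendIfd(buf, 0, 0); return buf;
}
std::vector<uint8_t> selfLoopSample() {     // IFD0 @8 whose next pointer is 8 again
    std::vector<uint8_t> buf = tiffHeader(); appendIfd(buf, 1, 8); return buf;
}
std::vector<uint8_t> twoNodeCycleSample() { // IFD0 @8 -> IFD1 @26 -> IFD0 @8
    std::vector<uint8_t> buf = tiffHeader(); appendIfd(buf, 1, 26); appendIfd(buf, 0, 8); return buf;
}
std::vector<uint8_t> truncatedSample() {    // next pointer 1000 lies past the end of the 26-byte file
    std::vector<uint8_t> buf = tiffHeader(); appendIfd(buf, 1, 1000); return buf;
}

int main() {
    IfdWalk ok = walkIfdChain(wellFormedSample(), 8, false);
    IfdWalk loop = walkIfdChain(selfLoopSample(), 8, false);
    std::cout << "well-formed: " << ok.ifdCount << " IFDs, cycle=" << ok.cycleDetected << "\n"
              << "self-loop:   " << loop.ifdCount << " IFDs, cycle=" << loop.cycleDetected << "\n"
              << "truncated rejected: " << walkRejects(truncatedSample()) << "\n";
    return 0;
}
```

The visited set is what turns the report's non-terminating case into a bounded walk: the self-loop sample reads IFD0 once and then stops with `cycleDetected` set, and the two-node cycle stops after two IFDs. The `maxIfds` cap is a second line of defence for chains that are long but not cyclic, and the bounds-checked reads reject a next pointer that lies outside the file instead of reading past it.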

@D4N
Member

D4N commented Oct 1, 2017

This should have been fixed by #79.

@D4N
Member

D4N commented Oct 18, 2017

The patch is now in 0.26

@D4N D4N closed this as completed Oct 18, 2017
dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Jan 7, 2018
These are files which reproduce the github issues Exiv2#50, Exiv2#51, Exiv2#52, Exiv2#53,
 Exiv2#54, Exiv2#58, Exiv2#59 and Exiv2#60

(cherry picked from commit 751312f)
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018