NullPointer in Action.c:718 #5

Closed
tl455047 opened this issue Aug 18, 2021 · 1 comment
Closed

NullPointer in Action.c:718 #5

tl455047 opened this issue Aug 18, 2021 · 1 comment

Comments

@tl455047
Copy link

Hello, I found a null pointer passed as an argument to strncpy at Action.c:718.
This can be triggered by specific command line arguments.
version: exif-0.6.22
system: ubuntu-20.04
build: with asan
POC: poc.zip
command:

./exif --no-fixup -x poc

asan

AddressSanitizer:DEADLYSIGNAL
=================================================================
==223657==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8126ddd821 bp 0x7ffeba289580 sp 0x7ffeba288ce8 T0)
==223657==The signal is caused by a READ memory access.
==223657==Hint: address points to the zero page.
    #0 0x7f8126ddd820  (/lib/x86_64-linux-gnu/libc.so.6+0x18b820)
    #1 0x7f812700f5bf in __interceptor_strncpy (/lib/x86_64-linux-gnu/libasan.so.5+0xba5bf)
    #2 0x55a122fb278a in show_entry_xml /home/tl455047/target/exif/exif/actions.c:718
    #3 0x7f8126e8cbfe in exif_content_foreach_entry /home/tl455047/target/libexif/libexif/exif-content.c:225
    #4 0x7f8126e8cbfe in exif_content_foreach_entry /home/tl455047/target/libexif/libexif/exif-content.c:216
    #5 0x7f8126e98cfa in exif_data_foreach_content /home/tl455047/target/libexif/libexif/exif-data.c:1174
    #6 0x7f8126e98cfa in exif_data_foreach_content /home/tl455047/target/libexif/libexif/exif-data.c:1165
    #7 0x55a122fbbfba in action_tag_list_xml /home/tl455047/target/exif/exif/actions.c:747
    #8 0x55a122fb09b1 in main /home/tl455047/target/exif/exif/main.c:474
    #9 0x7f8126c790b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x55a122fb0e2d in _start (/home/tl455047/target/exif/exif/exif+0xce2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b820) 
==223657==ABORTING

without asan

<exif>
	<Manufacturer>Canon</Manufacturer>
	<Model>Canon EOS 40D</Model>
	<Orientation>Top-left</Orientation>
	<Y-Resolution>72</Y-Resolution>
	<Resolution_Unit>Inch</Resolution_Unit>
	<Software>GIMP 2.4.5</Software>
	<Date_and_Time>2008:07:31 10:38:11</Date_and_Time>
	<YCbCr_Positioning>Co-sited</YCbCr_Positioning>
Segmentation fault

gdb

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────
*RAX  0x0
 RBX  0xffffffff91a ◂— 0x0
*RCX  0xa5
 RDX  0x400
 RDI  0x7fffffffcd70 ◂— 'YCbCr_Positioning'
*RSI  0x0
*R8   0xa5
*R9   0x606000002250 —▸ 0x603000000220 —▸ 0x60e000000040 —▸ 0x604000000510 —▸ 0x50000829a ◂— ...
*R10  0xc080000018a ◂— 0x0
*R11  0x0
 R12  0x7fffffffd210 ◂— 0x0
 R13  0x7fffffffcd70 ◂— 'YCbCr_Positioning'
*R14  0x604000000c50 —▸ 0x40000a925 ◂— 0x0
 R15  0x603000000160 —▸ 0x607000000560 —▸ 0x604000000250 —▸ 0x20000010f ◂— 0x0
 RBP  0x7fffffffc8d0 ◂— 0x41b58ab3
 RSP  0x7fffffffc8c0 —▸ 0x7fffffffc8d0 ◂— 0x41b58ab3
 RIP  0x555555562786 (show_entry_xml+518) ◂— call   0x55555555edb0
────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x555555562786 <show_entry_xml+518>    call   strncpy@plt                <strncpy@plt>
        dest: 0x7fffffffcd70 ◂— 'YCbCr_Positioning'
        src: 0x0
        n: 0x400
 
   0x55555556278b <show_entry_xml+523>    lea    rdi, [r12 - 0xa1]
   0x555555562793 <show_entry_xml+531>    mov    r15, rdi
   0x555555562796 <show_entry_xml+534>    mov    rdx, rdi
   0x555555562799 <show_entry_xml+537>    shr    r15, 3
   0x55555556279d <show_entry_xml+541>    and    edx, 7
   0x5555555627a0 <show_entry_xml+544>    movzx  eax, byte ptr [r15 + 0x7fff8000]
   0x5555555627a8 <show_entry_xml+552>    cmp    al, dl
   0x5555555627aa <show_entry_xml+554>    jg     show_entry_xml+564                <show_entry_xml+564>
 
   0x5555555627ac <show_entry_xml+556>    test   al, al
   0x5555555627ae <show_entry_xml+558>    jne    show_entry_xml+2052                <show_entry_xml+2052>
─────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/tl455047/target/exif/exif/actions.c
   713 	if (*ids) {
   714 		fprintf (stdout, "<x%04x>", e->tag);
   715 		fprintf (stdout, "%s", escape_xml(exif_entry_get_value (e, v, sizeof (v))));
   716 		fprintf (stdout, "</x%04x>", e->tag);
   717 	} else {
 ► 718 		strncpy (t, exif_tag_get_title_in_ifd(e->tag, exif_entry_get_ifd(e)), sizeof (t));
   719 		t[sizeof(t)-1] = 0;
   720 
   721 		/* Remove invalid characters from tag eg. (, ), space */
   722 		remove_bad_chars(t);
   723 
─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffc8c0 —▸ 0x7fffffffc8d0 ◂— 0x41b58ab3
01:0008│     0x7fffffffc8c8 —▸ 0x7ffff74636a0 (_IO_2_1_stdout_) —▸ 0xfbad2a84 ◂— 0x0
02:0010│ rbp 0x7fffffffc8d0 ◂— 0x41b58ab3
03:0018│     0x7fffffffc8d8 —▸ 0x555555577488 ◂— '2 32 1024 5 v:711 1184 1024 5 t:711'
04:0020│     0x7fffffffc8e0 —▸ 0x555555562580 (show_entry_xml) ◂— lea    rsp, [rsp - 0x98]
05:0028│     0x7fffffffc8e8 —▸ 0x7ffff730aad1 (_IO_do_write+177) ◂— mov    r13, rax
06:0030│     0x7fffffffc8f0 ◂— 'Co-sited'
07:0038│     0x7fffffffc8f8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x555555562786 show_entry_xml+518
   f 1   0x7ffff74b1bff exif_content_foreach_entry+255
   f 2   0x7ffff74b1bff exif_content_foreach_entry+255
   f 3   0x7ffff74bdcfb exif_data_foreach_content+187
   f 4   0x7ffff74bdcfb exif_data_foreach_content+187
   f 5   0x55555556bfbb action_tag_list_xml+379
   f 6   0x5555555609b2 main+5554
   f 7   0x7ffff729e0b3 __libc_start_main+243

@msmeissn (Contributor)

Thanks for the report, I added a NULL check to this place.
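As an added illustration, not code from the exif project and not written by either participant in this thread: the line at actions.c:718 hands the return value of a title lookup straight to strncpy, and the gdb output above shows that lookup returning NULL (src: 0x0) for an entry the PoC places in an IFD where the tag has no title. The block below uses a hypothetical lookup_title() table as a stand-in for libexif's exif_tag_get_title_in_ifd(), keeps the unchecked copy (title_unsafe) only to show the defect, and adds a checked version (title_safe) that substitutes the hex tag name the XML output already uses for entries in --ids mode. The function names, the table contents and the fallback format are all assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for libexif's exif_tag_get_title_in_ifd(): a tiny hypothetical
 * table, not libexif's real one.  Like the real function it returns NULL
 * when the tag has no title in the requested IFD, which is the value that
 * reached strncpy in actions.c:718. */
static const char *lookup_title(unsigned tag, int ifd)
{
    if (ifd != 0)
        return NULL;                 /* only IFD 0 is "known" in this table */
    switch (tag) {
    case 0x010f: return "Manufacturer";
    case 0x0110: return "Model";
    case 0x0213: return "YCbCr Positioning";
    default:     return NULL;        /* unknown tag -> NULL, as in the PoC */
    }
}

/* The original pattern: strncpy with a possibly-NULL source.  Kept only to
 * show the defect; calling it for a tag with no title dereferences NULL. */
static void title_unsafe(char *t, size_t n, unsigned tag, int ifd)
{
    strncpy(t, lookup_title(tag, ifd), n);
    t[n - 1] = 0;
}

/* Checked version: test the lookup result before copying, fall back to the
 * x%04x name the XML code uses for raw tag ids, and always NUL-terminate.
 * Returns 1 if a title was found, 0 if the fallback name was used. */
static int title_safe(char *t, size_t n, unsigned tag, int ifd)
{
    const char *title = lookup_title(tag, ifd);

    if (title == NULL) {
        snprintf(t, n, "x%04x", tag);   /* snprintf always terminates */
        return 0;
    }
    strncpy(t, title, n);
    t[n - 1] = 0;                       /* strncpy does not, so do it here */
    return 1;
}

int main(void)
{
    char t[32];

    /* A tag with a title works either way. */
    title_unsafe(t, sizeof t, 0x010f, 0);
    printf("unsafe, known tag:   %s\n", t);

    /* The PoC case: same tag, but in an IFD where it has no title.
     * title_unsafe() would crash here; title_safe() falls back. */
    if (!title_safe(t, sizeof t, 0x010f, 1))
        printf("safe, no title:      fell back to %s\n", t);

    /* Unknown tag in IFD 0. */
    if (!title_safe(t, sizeof t, 0xbeef, 0))
        printf("safe, unknown tag:   fell back to %s\n", t);
    return 0;
}
```

The important part is the NULL test before the copy; a fixed-size destination plus strncpy still needs the explicit terminator, and the fallback name keeps the XML element well-formed instead of emitting an empty or garbage tag name.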
