assertion failure in TiffMnEntry::doCount() #1833

Closed
kevinbackhouse opened this issue Aug 3, 2021 · 2 comments · Fixed by #1834
kevinbackhouse commented Aug 3, 2021

I have only been able to reproduce this bug with the fuzzer, but I think it is a good idea to fix it regardless.

Reproduction steps (main branch):

mkdir build-fuzz
cd build-fuzz
cmake -DCMAKE_BUILD_TYPE=Debug -DEXIV2_ENABLE_PNG=ON -DEXIV2_ENABLE_WEBREADY=ON -DEXIV2_ENABLE_CURL=ON -DEXIV2_ENABLE_BMFF=ON -DEXIV2_TEAM_WARNINGS_AS_ERRORS=ON -DCMAKE_CXX_COMPILER=$(which clang++) -DEXIV2_BUILD_FUZZ_TESTS=ON -DEXIV2_TEAM_USE_SANITIZERS=ON ..
make -j $(nproc)
./bin/fuzz-read-print-write poc.jpg 

poc: poc

output:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3168395962
INFO: Loaded 2 modules   (43989 inline 8-bit counters): 43941 [0x7f6024fc1fb0, 0x7f6024fccb55), 48 [0x4f2140, 0x4f2170), 
INFO: Loaded 2 PC tables (43989 PCs): 43941 [0x7f6024fccb58,0x7f60250785a8), 48 [0x4c6d58,0x4c7058), 
./bin/fuzz-read-print-write: Running 1 inputs 1 time(s) each.
Running: poc.jpg
fuzz-read-print-write: /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1004: virtual uint32_t Exiv2::Internal::TiffMnEntry::doCount() const: Assertion `tiffType() == ttUndefined || tiffType() == ttUnsignedByte || tiffType() == ttSignedByte' failed.
==3566254== ERROR: libFuzzer: deadly signal
    #0 0x4b2a30 in __sanitizer_print_stack_trace (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x4b2a30)
    #1 0x45cbc8 in fuzzer::PrintStackTrace() (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x45cbc8)
    #2 0x441c53 in fuzzer::Fuzzer::CrashCallback() (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x441c53)
    #3 0x7f60247691ef  (/lib/x86_64-linux-gnu/libpthread.so.0+0x141ef)
    #4 0x7f602457afba in __libc_signal_restore_set signal/../sysdeps/unix/sysv/linux/internal-signals.h:105:3
    #5 0x7f602457afba in raise signal/../sysdeps/unix/sysv/linux/raise.c:47:3
    #6 0x7f6024560863 in abort stdlib/abort.c:79:7
    #7 0x7f6024560748 in __assert_fail_base assert/assert.c:92:3
    #8 0x7f60245723d5 in __assert_fail assert/assert.c:101:3
    #9 0x7f6024d7a134 in Exiv2::Internal::TiffMnEntry::doCount() const /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1004:9
    #10 0x7f6024d79f01 in Exiv2::Internal::TiffComponent::count() const /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:984:16
    #11 0x7f6024d7bdbe in Exiv2::Internal::TiffDirectory::writeDirEntry(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, Exiv2::Internal::TiffComponent*, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1189:37
    #12 0x7f6024d7b231 in Exiv2::Internal::TiffDirectory::doWrite(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1120:20
    #13 0x7f6024d7ab2e in Exiv2::Internal::TiffComponent::write(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1048:16
    #14 0x7f6024d7f5f0 in Exiv2::Internal::TiffSubIfd::doWriteData(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int&) const /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1503:25
    #15 0x7f6024d7c072 in Exiv2::Internal::TiffComponent::writeData(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int&) const /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1439:16
    #16 0x7f6024d7ee0f in Exiv2::Internal::TiffDirectory::doWriteData(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int&) const /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1450:31
    #17 0x7f6024d7c072 in Exiv2::Internal::TiffComponent::writeData(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int&) const /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1439:16
    #18 0x7f6024d7b708 in Exiv2::Internal::TiffDirectory::doWrite(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1164:16
    #19 0x7f6024d7ab2e in Exiv2::Internal::TiffComponent::write(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2_mergify/src/tiffcomposite_int.cpp:1048:16
    #20 0x7f6024d9ccc1 in Exiv2::Internal::TiffParserWorker::encode(Exiv2::BasicIo&, unsigned char const*, unsigned int, Exiv2::ExifData const&, Exiv2::IptcData const&, Exiv2::XmpData const&, unsigned int, void (Exiv2::Internal::TiffEncoder::* (*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase*, Exiv2::Exifdatum const*), Exiv2::Internal::TiffHeaderBase*, Exiv2::Internal::OffsetWriter*) /home/kev/work/exiv2_mergify/src/tiffimage_int.cpp:1934:26
    #21 0x7f6024b5964b in Exiv2::ExifParser::encode(std::vector<unsigned char, std::allocator<unsigned char> >&, unsigned char const*, unsigned int, Exiv2::ByteOrder, Exiv2::ExifData const&) /home/kev/work/exiv2_mergify/src/exif.cpp:751:26
    #22 0x7f6024bce9b1 in Exiv2::JpegBase::doWriteMetadata(Exiv2::BasicIo&) /home/kev/work/exiv2_mergify/src/jpgimage.cpp:1063:38
    #23 0x7f6024bcc8e7 in Exiv2::JpegBase::writeMetadata() /home/kev/work/exiv2_mergify/src/jpgimage.cpp:873:9
    #24 0x4b4674 in LLVMFuzzerTestOneInput /home/kev/work/exiv2_mergify/fuzz/fuzz-read-print-write.cpp:35:12
    #25 0x4433f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x4433f1)
    #26 0x42d0a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x42d0a2)
    #27 0x433410 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x433410)
    #28 0x45d3a2 in main (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x45d3a2)
    #29 0x7f6024562564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #30 0x407bbd in _start (/home/kev/work/exiv2_mergify/build-temp/bin/fuzz-read-print-write+0x407bbd)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
kevinbackhouse self-assigned this Aug 3, 2021

kevinbackhouse (Collaborator, Author) commented:

Note: this is also reproducible on 0.27-maintenance. (I am in the process of back-porting the fuzzer to 0.27-maintenance.)

kevinbackhouse (Collaborator, Author) commented:

As far as I can see, the tiff type is not checked during parsing, so the assertion is checking a property that isn't enforced anywhere. The assertion doesn't fail on a release build, and nothing bad happens, so I am inclined to replace the assertion with a warning message.
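
The pattern discussed in this issue (an assertion guarding a property that is read from the file and never validated during parsing) can be illustrated with an added example. This is my own code, not Exiv2's: the `IfdEntry`, `MnEntry`, `parseIfdEntry`, `isByteSizedType` and `doCount` names are hypothetical stand-ins, and only the 12-byte IFD entry layout and the type codes follow the TIFF specification. The hardened `doCount` treats a type mismatch as an input problem, emits a warning, and returns the blob size, which is the behaviour the comment above proposes in place of the assertion.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical subset of TIFF field type codes (values follow TIFF 6.0).
enum TiffType : uint16_t {
    ttUnsignedByte  = 1,
    ttAsciiString   = 2,
    ttUnsignedShort = 3,
    ttUnsignedLong  = 4,
    ttSignedByte    = 6,
    ttUndefined     = 7,
};

// One 12-byte IFD entry as stored in the file: tag, type, count, value/offset.
struct IfdEntry {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t valueOrOffset;
};

// Hypothetical makernote entry model: an opaque blob whose declared type
// was copied straight from the untrusted IFD entry.
struct MnEntry {
    uint16_t type;
    std::vector<uint8_t> blob;
};

// Parse one little-endian IFD entry at offset `off`; returns false when truncated.
bool parseIfdEntry(const std::vector<uint8_t>& buf, size_t off, IfdEntry& out) {
    if (off > buf.size() || buf.size() - off < 12) return false;
    auto u16 = [&](size_t i) {
        return static_cast<uint16_t>(buf[i] | (buf[i + 1] << 8));
    };
    auto u32 = [&](size_t i) {
        return static_cast<uint32_t>(buf[i]) | (static_cast<uint32_t>(buf[i + 1]) << 8) |
               (static_cast<uint32_t>(buf[i + 2]) << 16) | (static_cast<uint32_t>(buf[i + 3]) << 24);
    };
    out.tag = u16(off);
    out.type = u16(off + 2);
    out.count = u32(off + 4);
    out.valueOrOffset = u32(off + 8);
    return true;
}

// The property the original assertion checked: a makernote is written out as a
// byte array, so its declared type is expected to be one of these three.
bool isByteSizedType(uint16_t t) {
    return t == ttUndefined || t == ttUnsignedByte || t == ttSignedByte;
}

// Hardened count: the type is file data, so a mismatch is a malformed input,
// not a programming error. Warn and fall back to the blob size instead of asserting.
uint32_t doCount(const MnEntry& e, std::ostream& warn) {
    if (!isByteSizedType(e.type)) {
        warn << "Warning: makernote entry has TIFF type " << e.type
             << ", expected UNDEFINED/BYTE/SBYTE; using blob size as count\n";
    }
    return static_cast<uint32_t>(e.blob.size());
}

int main() {
    // Constructed 12-byte little-endian entry: tag 0x927c (MakerNote),
    // type 3 (SHORT, which a makernote should not carry), count 4, value 0.
    const std::vector<uint8_t> entry = {0x7c, 0x92, 0x03, 0x00, 0x04, 0x00,
                                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    IfdEntry parsed{};
    if (!parseIfdEntry(entry, 0, parsed)) return 1;
    MnEntry mn{parsed.type, std::vector<uint8_t>(8, 0)};
    uint32_t n = doCount(mn, std::cerr);  // warns on stderr, returns 8
    std::cout << "count = " << n << "\n";
    return 0;
}
```

With a debug build the original `assert` aborts the process on such input; with a release build it compiles to nothing and execution continues exactly as the warning version does, which is why turning the check into a diagnostic loses nothing and keeps debug and release behaviour consistent.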
