Another outbound read in Exiv2::Internal::stringFormat

[xiaoqx]

This issue is another out bound read in Exiv2::Internal::stringFormat, it could result to segment fault at least.
the debug info as follows:
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffd520 --> 0x7ffffbad8001
RCX: 0xffffffffffffffff
RDX: 0x28 ('(')
RSI: 0x7fffffe8
RDI: 0x1000000000000
RBP: 0x7fffffffd510 --> 0x644b70 (" 50 | 0xfffffff")
RSP: 0x7fffffffcf30 --> 0x0
RIP: 0x7ffff6d0e943 (<_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi])
R8 : 0x7fffffff
R9 : 0x7ffff7fe3780 (0x00007ffff7fe3780)
R10: 0x7ffff7083fe0 --> 0x0
R11: 0x0
R12: 0x7ffff6d10f69 (<_IO_vfprintf_internal+17193>: cmp BYTE PTR [rbp-0x508],0x0)
R13: 0x1000000000000
R14: 0x7ffff78a3e99 ("%8ld | 0xff%02x %-5s")
R15: 0x7fffffffd6c0 --> 0x3000000028 ('(')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6d0e93a <_IO_vfprintf_internal+7418>: xor eax,eax
0x7ffff6d0e93c <_IO_vfprintf_internal+7420>: or rcx,0xffffffffffffffff
0x7ffff6d0e940 <_IO_vfprintf_internal+7424>: mov rdi,r13
=> 0x7ffff6d0e943 <_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi]
0x7ffff6d0e945 <_IO_vfprintf_internal+7429>: mov DWORD PTR [rbp-0x508],0x0
0x7ffff6d0e94f <_IO_vfprintf_internal+7439>: mov rsi,rcx
0x7ffff6d0e952 <_IO_vfprintf_internal+7442>: not rsi
0x7ffff6d0e955 <_IO_vfprintf_internal+7445>: lea r10,[rsi-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcf30 --> 0x0
0008| 0x7fffffffcf38 --> 0x0
0016| 0x7fffffffcf40 --> 0x0
0024| 0x7fffffffcf48 --> 0x0
0032| 0x7fffffffcf50 --> 0x0
0040| 0x7fffffffcf58 --> 0x0
0048| 0x7fffffffcf60 --> 0x7fffffffd090 --> 0xffffffffffffffff
0056| 0x7fffffffcf68 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6d0e943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd520, format=, format@entry=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6c0) at vfprintf.c:1661
1661 vfprintf.c: No such file or directory.
gdb-peda$ bt
#0 0x00007ffff6d0e943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd520, format=, format@entry=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6c0) at vfprintf.c:1661
#1 0x00007ffff6d35499 in _IO_vsnprintf (string=0x644b70 " 50 | 0xfffffff", maxlen=, format=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s", args=0x7fffffffd6c0) at vsnprintf.c:119
#2 0x00007ffff7784e1d in Exiv2::Internal::stringFormat (format=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s") at image.cpp:1013
#3 0x00007ffff7799089 in Exiv2::JpegBase::printStructure (this=0x644a80, out=..., option=Exiv2::kpsRecursive, depth=0x0) at jpgimage.cpp:787
#4 0x000000000041ca7e in Action::Print::printStructure (this=0x644800, out=..., option=Exiv2::kpsRecursive) at actions.cpp:283
#5 0x000000000041c816 in Action::Print::run (this=0x644800, path="./crashes-2018-03-23-19-59/exiv2000id000000,sig:11,src:000000,op:flip1,pos:2") at actions.cpp:247
#6 0x000000000040e2b7 in main (argc=0x3, argv=0x7fffffffe498) at exiv2.cpp:166
#7 0x00007ffff6ce4f45 in __libc_start_main (main=0x40dffe <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe498, init=, fini=, rtld_fini=, stack_end=0x7fffffffe488) at libc-start.c:287
#8 0x000000000040df39 in _start ()

a$ bt
#0 0x00007ffff6d0e943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd520, format=, format@entry=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6c0) at vfprintf.c:1661
#1 0x00007ffff6d35499 in _IO_vsnprintf (string=0x644b70 " 50 | 0xfffffff", maxlen=, format=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s", args=0x7fffffffd6c0) at vsnprintf.c:119
#2 0x00007ffff7784e1d in Exiv2::Internal::stringFormat (format=0x7ffff78a3e99 "%8ld | 0xff%02x %-5s") at image.cpp:1013
#3 0x00007ffff7799089 in Exiv2::JpegBase::printStructure (this=0x644a80, out=..., option=Exiv2::kpsRecursive, depth=0x0) at jpgimage.cpp:787
#4 0x000000000041ca7e in Action::Print::printStructure (this=0x644800, out=..., option=Exiv2::kpsRecursive) at actions.cpp:283
#5 0x000000000041c816 in Action::Print::run (this=0x644800, path="./crashes-2018-03-23-19-59/exiv2000id000000,sig:11,src:000000,op:flip1,pos:2") at actions.cpp:247
#6 0x000000000040e2b7 in main (argc=0x3, argv=0x7fffffffe498) at exiv2.cpp:166
#7 0x00007ffff6ce4f45 in __libc_start_main (main=0x40dffe <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe498, init=, fini=, rtld_fini=, stack_end=0x7fffffffe488) at libc-start.c:287
#8 0x000000000040df39 in _start ()

the poc please refer to :
https://github.com/xiaoqx/pocs/blob/master/exiv2/3-stringformat-outofbound-read

[xiaoqx]

It was triggered by "exiv2 -pR $POC"

[clanmills]

Thanks for reporting this. There is outstanding work to be performed on Exiv2::Internal::stringFormat() We'll be careful to be ensure that we deal with this and #246 at the same time.

[piponazo]

I have been analysing the issue and I adding a new in

    void JpegBase::printStructure(std::ostream& out, PrintStructureOption option,int depth)

Prevent the crash. I will create a PR to discuss about the problem and the solution.