Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

a div-by-zero in printIFD #262

Closed
xiaoqx opened this issue Apr 4, 2018 · 2 comments
Closed

a div-by-zero in printIFD #262

xiaoqx opened this issue Apr 4, 2018 · 2 comments
Labels
bug
Milestone
v0.27

Comments

@xiaoqx
Copy link

xiaoqx commented Apr 4, 2018
edited by D4N
Loading

A divide by zero occurs in function :BigTiffImage::printIFD,
the debug info as follows:

[----------------------------------registers-----------------------------------]
RAX: 0xffffffffffffffff
RBX: 0x1
RCX: 0x7ffff75aa3d8 --> 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x644a90 --> 0x7ffff7b873d0 --> 0x7ffff7731a14 (<Exiv2::(anonymous namespace)::BigTiffImage::~BigTiffImage()>:     push   rbp)
RBP: 0x7fffffffe220 --> 0x7fffffffe260 --> 0x7fffffffe2c0 --> 0x7fffffffe310 --> 0x7fffffffe3b0 --> 0x0
RSP: 0x7fffffffe070 --> 0x644a90 --> 0x7ffff7b873d0 --> 0x7ffff7731a14 (<Exiv2::(anonymous namespace)::BigTiffImage::~BigTiffImage()>:  push   rbp)
RIP: 0x7ffff7731fc4 (<Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1222>:    div    QWORD PTR [rbp-0xe8])
R8 : 0x1000
R9 : 0x644ba0 --> 0x0
R10: 0x7fffffffde30 --> 0x0
R11: 0x7ffff773347a (<std::numeric_limits<unsigned long>::max()>:       push   rbp)
R12: 0x41c6f8 (<Action::Print::run(std::string const&)>:        push   rbp)
R13: 0x7fffffffe490 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7731fb4 <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1206>:       mov    ebx,DWORD PTR [rbp-0x170]
   0x7ffff7731fba <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1212>:       call   0x7ffff7714560 <_ZNSt14numeric_limitsImE3maxEv@plt>
   0x7ffff7731fbf <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1217>:       mov    edx,0x0
=> 0x7ffff7731fc4 <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1222>:       div    QWORD PTR [rbp-0xe8]
   0x7ffff7731fcb <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1229>:       cmp    rbx,rax
   0x7ffff7731fce <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1232>:       seta   al
   0x7ffff7731fd1 <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1235>:       test   al,al
   0x7ffff7731fd3 <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1237>:       je     0x7ffff7732008 <Exiv2::(anonymous namespace)::BigTiffImage::printIFD(std::ostream&, Exiv2::PrintStructureOption, uint64_t, int)+1290>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe070 --> 0x644a90 --> 0x7ffff7b873d0 --> 0x7ffff7731a14 (<Exiv2::(anonymous namespace)::BigTiffImage::~BigTiffImage()>: push   rbp)
0008| 0x7fffffffe078 --> 0x7ffff7b972b8 --> 0x42cd52 (<std::auto_ptr<Exiv2::Image>::~auto_ptr()>:       push   rbp)
0016| 0x7fffffffe080 --> 0x8
0024| 0x7fffffffe088 --> 0x200000000
0032| 0x7fffffffe090 --> 0x640900 --> 0x7ffff7590f18 --> 0x7ffff733ad20 (<_ZNSoD1Ev>:   mov    rax,QWORD PTR [rip+0x258c71]        # 0x7ffff7593998)
0040| 0x7fffffffe098 --> 0x644a90 --> 0x7ffff7b873d0 --> 0x7ffff7731a14 (<Exiv2::(anonymous namespace)::BigTiffImage::~BigTiffImage()>: push   rbp)
0048| 0x7fffffffe0a0 --> 0x100ffffe0d0
0056| 0x7fffffffe0a8 --> 0x8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x00007ffff7731fc4 in Exiv2::(anonymous namespace)::BigTiffImage::printIFD (this=0x644a90, out=..., option=Exiv2::kpsXMP, dir_offset=0x8, depth=0x0) at bigtiffimage.cpp:254
254                                 if (size > std::numeric_limits<uint64_t>::max() / count)
gdb-peda$ p count
$1 = 0x0

gdb-peda$ bt
#0  0x00007ffff7731fc4 in Exiv2::(anonymous namespace)::BigTiffImage::printIFD (this=0x644a90, out=..., option=Exiv2::kpsXMP, dir_offset=0x8, depth=0x0) at bigtiffimage.cpp:254
#1  0x00007ffff7731af6 in Exiv2::(anonymous namespace)::BigTiffImage::printStructure (this=0x644a90, os=..., option=Exiv2::kpsXMP, depth=0x0) at bigtiffimage.cpp:183
#2  0x000000000041ca2e in Action::Print::printStructure (this=0x644810, out=..., option=Exiv2::kpsXMP) at actions.cpp:283
#3  0x000000000041c7f9 in Action::Print::run (this=0x644810, path="crashes-2018-03-23-22-41/exiv2000:id:000001,sig:08,src:000109,op:arith8,pos:23,val:-27") at actions.cpp:257
#4  0x000000000040e267 in main (argc=0x3, argv=0x7fffffffe498) at exiv2.cpp:166
#5  0x00007ffff6ce9f45 in __libc_start_main (main=0x40dfae <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at libc-start.c:287
#6  0x000000000040dee9 in _start ()

=============
the poc please refer to :
https://github.com/xiaoqx/pocs/blob/master/exiv2/7-printIFD-divbyzero-1
@xiaoqx
Copy link
Author

xiaoqx commented Apr 4, 2018

Please using the command to reproduce the issue:
exiv2 -pX $POC

@piponazo piponazo added the bug label May 27, 2018
@D4N
Copy link
Member

D4N commented Aug 30, 2018

@xiaoqx Thanks for your report!

This issue appears to be already fixed on master. I will add the reproducer to the test suite and close this.

D4N added a commit that referenced this issue Aug 30, 2018
@D4N
Add reproducer for #262 to the test suite
5940c6f 
This fixes #262
D4N added a commit that referenced this issue Sep 1, 2018
@D4N
Add reproducer for #262 to the test suite
88c766f 
This fixes #262
D4N added a commit that referenced this issue Sep 1, 2018
@D4N
Add reproducer for #262 to the test suite
0bd2213 
This fixes #262
piponazo pushed a commit that referenced this issue Sep 10, 2018
@D4N @piponazo
Add reproducer for #262 to the test suite
3495fa5 
This fixes #262
D4N added a commit that referenced this issue Sep 10, 2018
@D4N
Fix division by zero in BigTiffImage::printIFD
446e79c 
This fixes #262
D4N added a commit that referenced this issue Sep 10, 2018
@D4N
Add reproducer for #262 to the test suite
9fb61f0
D4N added a commit that referenced this issue Sep 13, 2018
@D4N
Fix division by zero in BigTiffImage::printIFD
59ed1a2 
This fixes #262
D4N added a commit that referenced this issue Sep 13, 2018
@D4N
Add reproducer for #262 to the test suite
429a942
D4N added a commit that referenced this issue Sep 13, 2018
@D4N
Add reproducer for #262 to the test suite
19bb57f
@D4N D4N closed this as completed in b3199a0 Sep 13, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
@clanmills clanmills mentioned this issue Nov 30, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
v0.27
Development

No branches or pull requests
4 participants
@piponazo @clanmills @D4N @xiaoqx