An over-read in src/pngimage.cpp#L161

[legend-issue]

$rax   : 0x0000000000000000
$rbx   : 0x0000000000ec2d30  →  0x2e6d6f633a4c4d58 ("XML:com."?)
$rcx   : 0x0000000000000000
$rdx   : 0x00007ffff6647a2c  →  0x0000008100000080
$rsp   : 0x00007fffffffdac0  →  0x0000000000ec0db0  →  0x00007ffffbad2488
$rbp   : 0x0000000000edf001
$rsi   : 0x0000000000000000
$rdi   : 0x0000000000000046
$rip   : 0x0000000000800096  →  <Exiv2::PngImage::printStructure(std::ostream&,+0> cmp BYTE PTR [rbp-0x1], 0xa
$r8    : 0x000000000000ffff
$r9    : 0x0000000000000000
$r10   : 0x000000000000021b
$r11   : 0x00007ffff6933e60  →  <tolower+0> lea edx, [rdi+0x80]
$r12   : 0x00007fffffffdc80  →  0x000000000000001e
$r13   : 0x0000000000ec0aa0  →  0x0000000000c09ab0  →  0x0000000000805d00  →  <Exiv2::PngImage::~PngImage()+0> lea rsp, [rsp-0x98]
$r14   : 0x00000000ffffffff
$r15   : 0x0000000000ec0c60  →  0x7458457411040000
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033  $gs: 0x0000  $es: 0x0000  $ss: 0x002b  $fs: 0x0000  $ds: 0x0000  
───────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdac0│+0x00: 0x0000000000ec0db0  →  0x00007ffffbad2488	 ← $rsp
0x00007fffffffdac8│+0x08: 0x00000411f697e571
0x00007fffffffdad0│+0x10: 0x0000000000000412
0x00007fffffffdad8│+0x18: 0x00007fffffffdca0  →  0x000000000000001e
0x00007fffffffdae0│+0x20: 0x0000000000000001
0x00007fffffffdae8│+0x28: 0x0000000000000002
0x00007fffffffdaf0│+0x30: 0x00000001ffffffff
0x00007fffffffdaf8│+0x38: 0x00000000000007e5
────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x800086 <Exiv2::PngImage::printStructure(std::ostream&,+0> nop    WORD PTR cs:[rax+rax*1+0x0]
     0x800090 <Exiv2::PngImage::printStructure(std::ostream&,+0> add    rbp, 0x1
     0x800094 <Exiv2::PngImage::printStructure(std::ostream&,+0> xor    esi, esi
 →   0x800096 <Exiv2::PngImage::printStructure(std::ostream&,+0> cmp    BYTE PTR [rbp-0x1], 0xa
     0x80009a <Exiv2::PngImage::printStructure(std::ostream&,+0> sete   sil
     0x80009e <Exiv2::PngImage::printStructure(std::ostream&,+0> add    rax, rsi
     0x8000a1 <Exiv2::PngImage::printStructure(std::ostream&,+0> cmp    rax, 0x2
     0x8000a5 <Exiv2::PngImage::printStructure(std::ostream&,+0> jle    0x800090 <Exiv2::PngImage::printStructure(std::ostream&,  Exiv2::PrintStructureOption,  int)+14640>
     0x8000a7 <Exiv2::PngImage::printStructure(std::ostream&,+0> nop    
─────────────────────────────────────────────────[ source:pngimage.cpp+161 ]────
    156	         // calculate length and allocate result;
    157	         long        count=0;
    158	         const byte* p = bytes ;
    159	         // header is \nsomething\n number\n hex
    160	         while ( count < 3 )
 →  161	             if ( *p++ == '\n' )
    162	                 count++;
    163	         for ( long i = 0 ; i < length ; i++ )
    164	             if ( value[p[i]] )
    165	                 ++count;
    166	         result.alloc((count+1)/2) ;
─────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "exiv2", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x800096 → Name: Exiv2::tEXtToDataBuf(result=@0x7fffffffdb40, length=0xffffffff, bytes=0xec3142 "")
[#1] 0x800096 → Name: Exiv2::PngImage::printStructure(this=0xec0aa0, out=@0xe90640, option=Exiv2::kpsXMP, depth=0x0)
[#2] 0x46bdc5 → Name: Action::Print::printStructure(this=0xec1cc0, out=@0xe90640, option=Exiv2::kpsXMP)
[#3] 0x486cfd → Name: Action::Print::run(this=0xec1cc0, path="id:000118,orig:c-m1-8f2b481b7fd9bd745e620b7c01a18df2.png")
[#4] 0x40772d → Name: main(argc=0x3, argv=0x7fffffffdf18)
[#5] 0x7ffff6926830 → Name: __libc_start_main(main=0x4073d0 <main(int, char* const*)>, argc=0x3, argv=0x7fffffffdf18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf08)
[#6] 0x4277c9 → Name: _start()

command : exiv2 -pX [poc]
https://github.com/legend-issue/pocs/blob/master/exiv2/id:000118%2Corig:c-m1-8f2b481b7fd9bd745e620b7c01a18df2.png

[D4N]

@legend-issue Any particular reason for closing this? Was this not an issue or an accidental double-submission?

[legend-issue]

Because I think it's same with CVE-2018-10772. @D4N