Out-of-bounds read when extracting preview images from PoC file #365

@cool-tomato

Description

root@7add4d80d305:/src/exiv2/bin# ./exiv2 -ep 1-out-of-read-Poc
Error: Upper boundary of data for directory Image, entry 0x00fe is out of bounds: Offset = 0x0000002a, size = 64, exceeds buffer size by 22 Bytes; truncating the entry
Warning: Directory Image, entry 0x0201: Strip 0 is outside of the data area; ignored.
Warning: Directory Image, entry 0x0201: Strip 7 is outside of the data area; ignored.
Error: Offset of directory Thumbnail, entry 0x0201 is out of bounds: Offset = 0x00000000; truncating the entry
Segmentation fault (core dumped)

root@7add4d80d305:/src/exiv2/bin# gdb -q exiv2 /tmp/core.15287
core.1528705670.exiv2.2026 core.1528710544.exiv2.2036 core.1528711051.exiv2.2041
root@7add4d80d305:/src/exiv2/bin# gdb -q exiv2 /tmp/core.1528711051.exiv2.2041
Reading symbols from exiv2...done.
[New LWP 2041]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./exiv2 -ep 1-out-of-read-Poc'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:155
155 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
gdb-peda$ bt
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:155
#1 0x00007f6bd0dce220 in Exiv2::MemIo::read (this=0x8e3090, buf=0x7ffd82f48870 "", rcount=0x2) at /src/exiv2/src/basicio.cpp:1293
#2 0x00007f6bd0e32f04 in Exiv2::isJpegType (iIo=..., advance=0x0) at /src/exiv2/src/jpgimage.cpp:1309
#3 0x00007f6bd0e17c42 in Exiv2::ImageFactory::open (io=...) at /src/exiv2/src/image.cpp:913
#4 0x00007f6bd0e179b7 in Exiv2::ImageFactory::open (data=0x7f6cd14a2fff <error: Cannot access memory at address 0x7f6cd14a2fff>, size=0x2) at /src/exiv2/src/image.cpp:902
#5 0x00007f6bd0e3b052 in (anonymous namespace)::LoaderExifJpeg::readDimensions (this=0x8e33b0) at /src/exiv2/src/preview.cpp:598
#6 0x00007f6bd0e3f8b8 in Exiv2::PreviewManager::getPreviewProperties (this=0x7ffd82f48cd0) at /src/exiv2/src/preview.cpp:1144
#7 0x0000000000437f80 in Action::Extract::writePreviews (this=0x8dac00) at /src/exiv2/src/actions.cpp:1146
#8 0x00000000004371b6 in Action::Extract::run (this=0x8dac00, path="1-out-of-read-Poc") at /src/exiv2/src/actions.cpp:1062
#9 0x00000000004217cd in main (argc=0x3, argv=0x7ffd82f49088) at /src/exiv2/src/exiv2.cpp:166
#10 0x00007f6bd02e1830 in __libc_start_main (main=0x421506 <main(int, char* const*)>, argc=0x3, argv=0x7ffd82f49088, init=, fini=, rtld_fini=, stack_end=0x7ffd82f49078) at ../csu/libc-start.c:291
#11 0x0000000000421439 in _start ()

PoC: https://github.com/TeamSeri0us/pocs/blob/master/exiv2/1-out-of-read-Poc
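The backtrace shows LoaderExifJpeg::readDimensions (preview.cpp:598) handing ImageFactory::open a 2-byte buffer at an address gdb cannot read, after the Thumbnail entry 0x0201 offset was reported out of bounds; the 2-byte signature read in isJpegType then faults inside memcpy. The guard a preview loader needs at that point is to validate the entry's offset and size against the real buffer length before taking a pointer into it, arranging the comparison so that attacker-chosen values cannot wrap. The following is an added C++ example written for this page, not exiv2 code: check_slice, slice_or_null, looks_like_jpeg and the constructed 84-byte sample buffer (sized from the first error message, where offset 0x2a plus 64 bytes exceeds the buffer by 22) are assumptions for illustration, and the FF D8 check stands in for the JPEG type sniff rather than reproducing isJpegType.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Result of validating an (offset, size) pair against a buffer of buf_len bytes.
struct SliceCheck {
    bool ok;           // true when [offset, offset+size) lies entirely inside the buffer
    uint64_t overrun;  // bytes by which the requested range exceeds the buffer (0 when ok)
    size_t usable;     // bytes that can still be read safely (size when ok, truncated otherwise)
};

// Validate a slice without risking wrap-around: compare size against the bytes
// remaining after offset instead of computing offset + size, which can overflow
// when offset and size come straight from the file.
SliceCheck check_slice(size_t buf_len, uint64_t offset, uint64_t size) {
    SliceCheck r{false, 0, 0};
    const uint64_t kMax = std::numeric_limits<uint64_t>::max();
    if (offset > buf_len) {
        // Start lies past the end of the buffer: nothing is usable. Saturate the
        // overrun so the report itself cannot overflow.
        uint64_t past = offset - buf_len;
        r.overrun = (size > kMax - past) ? kMax : past + size;
        return r;
    }
    uint64_t avail = static_cast<uint64_t>(buf_len) - offset;
    if (size > avail) {
        r.overrun = size - avail;
        r.usable = static_cast<size_t>(avail);
        return r;
    }
    r.ok = true;
    r.usable = static_cast<size_t>(size);
    return r;
}

// Safe counterpart of slicing a preview out of the file buffer: returns nullptr
// instead of a pointer past the end when the entry's offset/size are bad.
const uint8_t* slice_or_null(const std::vector<uint8_t>& buf, uint64_t offset, uint64_t size) {
    SliceCheck c = check_slice(buf.size(), offset, size);
    return c.ok ? buf.data() + offset : nullptr;
}

// Models the 2-byte signature read that crashed in the backtrace (MemIo::read, rcount=2):
// returns true only when the slice is valid and begins with the JPEG SOI marker FF D8.
bool looks_like_jpeg(const std::vector<uint8_t>& buf, uint64_t offset, uint64_t size) {
    if (size < 2) return false;
    const uint8_t* p = slice_or_null(buf, offset, size);
    return p != nullptr && p[0] == 0xFF && p[1] == 0xD8;
}

// Constructed sample "file" (assumption): 84 zero bytes with an SOI marker at offset 10.
// 84 is derived from the first error message: 0x2a + 64 exceeds the buffer by 22 bytes.
std::vector<uint8_t> make_sample_file() {
    std::vector<uint8_t> buf(84, 0x00);
    buf[10] = 0xFF;
    buf[11] = 0xD8;
    return buf;
}

int main() {
    std::vector<uint8_t> file = make_sample_file();
    // The values reported for entry 0x00fe in the issue: offset 0x2a, size 64.
    SliceCheck c = check_slice(file.size(), 0x2a, 64);
    std::printf("offset 0x2a size 64 -> ok=%d overrun=%llu usable=%zu\n",
                c.ok, static_cast<unsigned long long>(c.overrun), c.usable);
    // A 2-byte read starting at the last byte must be rejected, not dereferenced.
    std::printf("2-byte read at offset 83 -> %s\n",
                looks_like_jpeg(file, 83, 2) ? "accepted" : "rejected");
    return 0;
}
```

The check reports the same numbers as the tool's own error message for the first entry (22 bytes of overrun, 42 usable), and a 2-byte read that starts on the last byte is refused instead of reaching memcpy with a pointer past the end.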
