out of bound read when extract preview images from Poc file #365

Closed
cool-tomato opened this issue Jun 11, 2018 · 2 comments

@cool-tomato
cool-tomato commented Jun 11, 2018

root@7add4d80d305:/src/exiv2/bin# ./exiv2 -ep 1-out-of-read-Poc
Error: Upper boundary of data for directory Image, entry 0x00fe is out of bounds: Offset = 0x0000002a, size = 64, exceeds buffer size by 22 Bytes; truncating the entry
Warning: Directory Image, entry 0x0201: Strip 0 is outside of the data area; ignored.
Warning: Directory Image, entry 0x0201: Strip 7 is outside of the data area; ignored.
Error: Offset of directory Thumbnail, entry 0x0201 is out of bounds: Offset = 0x00000000; truncating the entry
Segmentation fault (core dumped)

root@7add4d80d305:/src/exiv2/bin# gdb -q exiv2 /tmp/core.15287
core.1528705670.exiv2.2026 core.1528710544.exiv2.2036 core.1528711051.exiv2.2041
root@7add4d80d305:/src/exiv2/bin# gdb -q exiv2 /tmp/core.1528711051.exiv2.2041
Reading symbols from exiv2...done.
[New LWP 2041]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./exiv2 -ep 1-out-of-read-Poc'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:155
155 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
gdb-peda$ bt
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:155
#1 0x00007f6bd0dce220 in Exiv2::MemIo::read (this=0x8e3090, buf=0x7ffd82f48870 "", rcount=0x2) at /src/exiv2/src/basicio.cpp:1293
#2 0x00007f6bd0e32f04 in Exiv2::isJpegType (iIo=..., advance=0x0) at /src/exiv2/src/jpgimage.cpp:1309
#3 0x00007f6bd0e17c42 in Exiv2::ImageFactory::open (io=...) at /src/exiv2/src/image.cpp:913
#4 0x00007f6bd0e179b7 in Exiv2::ImageFactory::open (data=0x7f6cd14a2fff <error: Cannot access memory at address 0x7f6cd14a2fff>, size=0x2) at /src/exiv2/src/image.cpp:902
#5 0x00007f6bd0e3b052 in (anonymous namespace)::LoaderExifJpeg::readDimensions (this=0x8e33b0) at /src/exiv2/src/preview.cpp:598
#6 0x00007f6bd0e3f8b8 in Exiv2::PreviewManager::getPreviewProperties (this=0x7ffd82f48cd0) at /src/exiv2/src/preview.cpp:1144
#7 0x0000000000437f80 in Action::Extract::writePreviews (this=0x8dac00) at /src/exiv2/src/actions.cpp:1146
#8 0x00000000004371b6 in Action::Extract::run (this=0x8dac00, path="1-out-of-read-Poc") at /src/exiv2/src/actions.cpp:1062
#9 0x00000000004217cd in main (argc=0x3, argv=0x7ffd82f49088) at /src/exiv2/src/exiv2.cpp:166
#10 0x00007f6bd02e1830 in __libc_start_main (main=0x421506 <main(int, char* const*)>, argc=0x3, argv=0x7ffd82f49088, init=, fini=, rtld_fini=,
stack_end=0x7ffd82f49078) at ../csu/libc-start.c:291
#11 0x0000000000421439 in _start ()

Poc: https://github.com/TeamSeri0us/pocs/blob/master/exiv2/1-out-of-read-Poc

@D4N D4N self-assigned this Jun 11, 2018
@D4N
Member

D4N commented Jun 11, 2018

Thanks for the report. I'll take care of this.

D4N added a commit to D4N/exiv2 that referenced this issue Jun 11, 2018
offset_ can become arbitrarily large and overflows once it's added to size_;
this causes all kinds of problems further in the code when offset_ is used
again.
=> Use Safe::add() to catch potential overflows
This fixes Exiv2#365.
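The bug class the commit message describes, as an added illustration rather than exiv2's own code: a directory entry carries an attacker-controlled offset and size, the reader computes `offset + size` in a 32-bit unsigned integer, and the sum wraps so that a bounds check passes and the later `memcpy` reads past the buffer. The `Entry` struct, the buffer, the `checkedAdd` helper (written here in the spirit of the `Safe::add()` mentioned above, not exiv2's implementation) and all sample values are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Constructed model of a TIFF-like directory entry: where its data starts
// in the file buffer and how many bytes it claims to occupy.
struct Entry {
    uint32_t offset;
    uint32_t size;
};

// Naive check: offset + size is evaluated in uint32_t and wraps when the
// offset is close to UINT32_MAX, so a crafted entry passes and the copy that
// follows reads out of bounds.
bool entryInBoundsNaive(const Entry& e, size_t bufSize) {
    uint32_t end = e.offset + e.size;   // may silently wrap around
    return end <= bufSize;
}

// Checked addition (own helper, hypothetical name): refuse to produce a
// wrapped sum instead of returning one. Covers unsigned types only.
template <typename T>
T checkedAdd(T a, T b) {
    static_assert(std::is_unsigned<T>::value, "demo covers unsigned types");
    if (a > std::numeric_limits<T>::max() - b) {
        throw std::overflow_error("integer overflow in offset + size");
    }
    return a + b;
}

// Hardened check: a sum that would wrap is treated as out of bounds.
bool entryInBoundsSafe(const Entry& e, size_t bufSize) {
    try {
        return checkedAdd(e.offset, e.size) <= bufSize;
    } catch (const std::overflow_error&) {
        return false;
    }
}

// Copy the entry's bytes out only after the hardened check; returns the
// number of bytes copied, 0 when the entry was rejected.
size_t readEntry(const std::vector<uint8_t>& buf, const Entry& e,
                 std::vector<uint8_t>& out) {
    if (!entryInBoundsSafe(e, buf.size())) return 0;
    out.assign(buf.begin() + e.offset, buf.begin() + e.offset + e.size);
    return out.size();
}

int main() {
    std::vector<uint8_t> buf(64, 0xAB);          // constructed 64-byte "file"
    Entry crafted{0xFFFFFFF0u, 0x20u};           // offset + size wraps to 0x10
    Entry honest{8, 16};
    std::vector<uint8_t> out;
    std::cout << "naive accepts crafted entry: " << entryInBoundsNaive(crafted, buf.size()) << '\n'
              << "safe accepts crafted entry:  " << entryInBoundsSafe(crafted, buf.size()) << '\n'
              << "bytes read for honest entry: " << readEntry(buf, honest, out) << '\n';
    return 0;
}
```

On GCC and Clang the comparison inside `checkedAdd` can be replaced by `__builtin_add_overflow(a, b, &result)`, which covers signed types as well; the point either way is that the bounds check must reject a sum that does not fit the type rather than compare the wrapped value.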
D4N added a commit to D4N/exiv2 that referenced this issue Jun 11, 2018
D4N added a commit to D4N/exiv2 that referenced this issue Jun 11, 2018
D4N added a commit to D4N/exiv2 that referenced this issue Jun 11, 2018
@D4N D4N closed this as completed in 937a1a2 Jun 11, 2018
D4N added a commit that referenced this issue Jun 11, 2018
@carnil

carnil commented Jun 17, 2018

This issue was assigned CVE-2018-12265

D4N added a commit to D4N/exiv2 that referenced this issue Jul 28, 2018
D4N added a commit to D4N/exiv2 that referenced this issue Jul 28, 2018
D4N added a commit to D4N/exiv2 that referenced this issue Jul 29, 2018
D4N added a commit that referenced this issue Jul 29, 2018
Issues got a CVE assigned
vcunat pushed a commit to vcunat/exiv2 that referenced this issue Aug 4, 2018

(cherry picked from commit 937a1a2)
vcunat pushed a commit to vcunat/exiv2 that referenced this issue Aug 4, 2018

(cherry picked from commit 937a1a2)
vcunat pushed a commit to vcunat/exiv2 that referenced this issue Aug 5, 2018
vcunat pushed a commit to vcunat/exiv2 that referenced this issue Aug 5, 2018
Issues got a CVE assigned

(cherry picked from commit e67910a)
dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Oct 16, 2018

(cherry picked from commit 937a1a2)
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Feb 9, 2019

(cherry picked from commit 937a1a2)
piponazo added a commit that referenced this issue Feb 10, 2019
mbakke pushed a commit to guix-mirror/guix that referenced this issue Aug 1, 2022
ppc64 and aarch64 do not raise an exception, and thus the output and exit code
for the test are different.

See:

  Exiv2/exiv2#365 and
  Exiv2/exiv2#933

* gnu/packages/image.scm (exiv2)[arguments]: Add 'adjust-tests' phase.

Co-authored-by: Ludovic Courtès <ludo@gnu.org>