Bug 1473888
Field | Value
---|---
Summary | There is a Floating point exception in Exiv2::ValueType of exiv2.
Product | Red Hat Enterprise Linux 7
Component | exiv2
Reporter | owl337 <v.owl337>
Assignee | Jan Grulich <jgrulich>
QA Contact | Desktop QE <desktop-qa-list>
Status | CLOSED ERRATA
Severity | urgent
Priority | unspecified
Version | 7.5-Alt
CC | henri, raphael
Target Milestone | rc
Keywords | Reopened
Target Release | ---
Hardware | x86_64
OS | Linux
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2019-08-06 12:46:47 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1475729

Please use CVE-2017-11591 for this issue.

I reported this to the upstream developers: https://github.com/Exiv2/exiv2/issues/55

This has been fixed in upstream.

Fixed with exiv2-0.27.0-1.el7_6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2019:2101

Created attachment 1302633
Triggered by "./exiv2 POC8"

Description of problem:
There is a Floating point exception in Exiv2::ValueType of exiv2.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./exiv2 POC8

Steps to Reproduce:
The output information is as follows:

$./exiv2 POC8
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error: Directory Image, entry 0x0000 has invalid size 4286578688*8; skipping entry.
Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored.

Program received signal SIGFPE, Arithmetic exception.
0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
(gdb) bt
#0 0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
#1 0x000000000069e74b in Exiv2::Internal::TiffImageEntry::setStrips(Exiv2::Value const*, unsigned char const*, unsigned int, unsigned int) ()
#2 0x00000000006d87f2 in Exiv2::Internal::TiffReader::readDataEntryBase(Exiv2::Internal::TiffDataEntryBase*) ()
#3 0x00000000006a7226 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) ()
#4 0x00000000006a6f45 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) ()
#5 0x00000000006c0618 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) ()
#6 0x00000000006bbd00 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) ()
#7 0x00000000006b901f in Exiv2::TiffImage::readMetadata() ()
#8 0x0000000000464434 in Action::Print::printSummary() ()
#9 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#10 0x0000000000439762 in main ()

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.