Bug 1494467

Summary: Invalid memory address dereference in Exiv2::getULong(types.cpp:246)
Product: Red Hat Enterprise Linux 7 Reporter: Liu Zhu <fantasy7082>
Component: exiv2Assignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: carnil, dan.cermak
Target Milestone: rcKeywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:46:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
PoC File none

Description Liu Zhu 2017-09-22 10:19:01 UTC 
Created attachment 1329503 [details]
PoC File

./exiv2 02-Invalid-mem-def 
ASAN:SIGSEGV
=================================================================
==27020==ERROR: AddressSanitizer: SEGV on unknown address 0x62a100000405 (pc 0x7f827e6cc4af bp 0x7ffdbe4d55b0 sp 0x7ffdbe4d55a0 T0)
    #0 0x7f827e6cc4ae in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/src/types.cpp:246
    #1 0x7f827e6cc6cb in Exiv2::getURational(unsigned char const*, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/src/types.cpp:257
    #2 0x7f827e57323c in std::pair<unsigned int, unsigned int> Exiv2::getValue<std::pair<unsigned int, unsigned int> >(unsigned char const*, Exiv2::ByteOrder) (/usr/local/exiv2_ASAN/lib/libexiv2.so.26+0x31523c)
    #3 0x7f827e580b4e in Exiv2::ValueType<std::pair<unsigned int, unsigned int> >::read(unsigned char const*, long, Exiv2::ByteOrder) /root/fuzzing/exiv2-trunk/include/exiv2/value.hpp:1586
    #4 0x7f827e6c2d08 in Exiv2::Internal::TiffReader::readTiffEntry(Exiv2::Internal::TiffEntryBase*) /root/fuzzing/exiv2-trunk/src/tiffvisitor.cpp:1541
    #5 0x7f827e6bf4be in Exiv2::Internal::TiffReader::visitEntry(Exiv2::Internal::TiffEntry*) /root/fuzzing/exiv2-trunk/src/tiffvisitor.cpp:1204
    #6 0x7f827e68d97c in Exiv2::Internal::TiffEntry::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:896
    #7 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #8 0x7f827e68dcc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
    #9 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #10 0x7f827e68e351 in Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:949
    #11 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #12 0x7f827e68e1bf in Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:938
    #13 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #14 0x7f827e68dcc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
    #15 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #16 0x7f827e68e07e in Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:931
    #17 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #18 0x7f827e68dcc2 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:919
    #19 0x7f827e68d909 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /root/fuzzing/exiv2-trunk/src/tiffcomposite.cpp:891
    #20 0x7f827e6a6451 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:2011
    #21 0x7f827e6a5267 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:1900
    #22 0x7f827e6a3a82 in Exiv2::TiffParser::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:266
    #23 0x7f827e5a043e in Exiv2::ExifParser::decode(Exiv2::ExifData&, unsigned char const*, unsigned int) /root/fuzzing/exiv2-trunk/src/exif.cpp:629
    #24 0x7f827e5e0030 in Exiv2::JpegBase::readMetadata() /root/fuzzing/exiv2-trunk/src/jpgimage.cpp:386
    #25 0x43ab02 in Action::Print::printSummary() /root/fuzzing/exiv2-trunk/src/actions.cpp:289
    #26 0x43a1af in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/fuzzing/exiv2-trunk/src/actions.cpp:244
    #27 0x422129 in main /root/fuzzing/exiv2-trunk/src/exiv2.cpp:170
    #28 0x7f827d91c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #29 0x421af8 in _start (/usr/local/exiv2_ASAN/bin/exiv2+0x421af8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzzing/exiv2-trunk/src/types.cpp:246 Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
==27020==ABORTING
Comment 2 Liu Zhu 2017-09-23 05:14:58 UTC 
./exiv2 -V
exiv2 0.26 001a00 (64 bit build)
Copyright (C) 2004-2017 Andreas Huggel.
Comment 3 Salvatore Bonaccorso 2017-09-28 11:57:23 UTC 
This was assigned CVE-2017-14864.

Can you please report the issue upstream?
Comment 4 Agostino Sarubbo 2017-09-29 14:44:23 UTC 
Is there a reason why you are fuzzing the trunk/version of exiv2 and you are reporting it to redhat instead of the upstream project?
Comment 5 Dan Čermák 2017-10-19 21:33:20 UTC 
The upstream issue is https://github.com/Exiv2/exiv2/issues/73. It has been already fixed in the master branch and backported to 0.26.
Comment 7 Jan Grulich 2019-01-28 16:08:19 UTC 
Fixed with exiv2-0.27.0-1.el7_6.
Comment 11 errata-xmlrpc 2019-08-06 12:46:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101