Bug 1566260

Summary: There is a Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished
Product: Red Hat Enterprise Linux 7
Reporter: c1208828 <daniel810736>
Component: exiv2
Assignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5-Alt
CC: daniel810736, sfowler
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:47:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description: Triggered by ./exiv2 -pR POC (flags: none)

Description c1208828 2018-04-11 22:00:38 UTC
Created attachment 1420521 [details]
Triggered by ./exiv2 -pR POC

Description of problem:


Version-Release number of selected component (if applicable):

0.26

How reproducible:

./exiv2 -pR POC

Steps to Reproduce:

The output information is as follows:
$ ./exiv2 -pR POC
STRUCTURE OF PNG FILE: POC
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ... ... ....                   | 0x44a48ac6
      33 | QEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
      70 | PL    |      15 | ..... ... ....                 | 0x44a48ac6
      97 | tEXt  |      25 | Software.Adobe IpHYsReady      | 0x71c9653c
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args -pR POC
(gdb) r
STRUCTURE OF PNG FILE: POC
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ... ... ....                   | 0x44a48ac6
      33 | QEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
      70 | PL    |      15 | ..... ... ....                 | 0x44a48ac6
      97 | tEXt  |      25 | Software.Adobe IpHYsReady      | 0x71c9653c

Program received signal SIGSEGV, Segmentation fault.
0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a "    ")
    at pngimage.cpp:164

164	                if ( value[p[i]] )
(gdb) bt
#0  0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a "    ")
    at pngimage.cpp:164
#1  Exiv2::PngImage::printStructure (this=0xec0aa0, out=..., option=Exiv2::kpsRecursive, depth=0)
    at pngimage.cpp:306
#2  0x000000000046bdc5 in Action::Print::printStructure (this=this@entry=0xec1bd0, out=..., 
    option=option@entry=Exiv2::kpsRecursive) at actions.cpp:283
#3  0x0000000000486d52 in Action::Print::run (this=0xec1bd0, path="POC") at actions.cpp:247
#4  0x000000000040772d in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:166

(gdb) list
159	        // header is \nsomething\n number\n hex
160	        while ( count < 3 )
161	            if ( *p++ == '\n' )
162	                count++;
163	        for ( long i = 0 ; i < length ; i++ ){
164	                if ( value[p[i]] )
165	                    ++count;
166	        }
167	        result.alloc((count+1)/2) ;
168	

(gdb) info all-registers 
rax            0x69	105
rbx            0xec13f0	15471600
rcx            0x1d3c7	119751
rdx            0x0	0
rsi            0x0	0
rdi            0x69	105
rbp            0xec1c36	0xec1c36
rsp            0x7fffffffe070	0x7fffffffe070
r8             0x69	105
r9             0x0	0
r10            0xffffffffffffffff	-1
r11            0x0	0
r12            0x7fffffffe230	140737488347696
r13            0xec0aa0	15469216
r14            0xffffffff	4294967295
r15            0xec0c60	15469664
rip            0x8031f9	0x8031f9 <Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int)+16057>
eflags         0x10297	[ CF PF AF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
mxcsr          0x1f80	[ IM DM ZM OM UM PM ]


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.
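The gdb listing above shows why the crash happens: the loop at pngimage.cpp:164 walks `p[i]` for `length` iterations, and `length` arrived as 4294967295, a value that does not agree with the bytes actually present in the chunk. The header scan just before it also advances `p` until it has seen three newlines, with no check against the end of the data. The defensive pattern is to validate a chunk's declared length against the bytes that remain in the file before it is ever used as a loop bound, and to bound every scan by that validated length. The following is an added example illustrating that pattern; it is not code from the exiv2 project or from the reporter. The function names (`parseChunk`, `countHexDigitsBounded`, `hexDigitsInTextChunk`, `makeChunk`), the `ChunkView` struct and the sample chunk bytes are all constructed for this example, and CRC verification is left out of scope.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// One parsed PNG chunk; `data` points into the caller's buffer.
struct ChunkView {
    std::uint32_t length;      // declared data length, already validated against the buffer
    std::string type;          // four-character chunk type, e.g. "tEXt"
    const std::uint8_t* data;  // `length` bytes of chunk data, followed by the 4-byte CRC
};

// Parse the chunk starting at `offset`: 4-byte big-endian length, 4-byte type,
// `length` data bytes, 4-byte CRC. The declared length is checked against the
// bytes that actually remain, so it can never become a loop bound larger than
// the buffer. (Hypothetical helper; CRC verification is out of scope here.)
std::optional<ChunkView> parseChunk(const std::vector<std::uint8_t>& file, std::size_t offset) {
    const std::size_t kHeader = 8, kCrc = 4;
    if (offset > file.size() || file.size() - offset < kHeader + kCrc) return std::nullopt;
    const std::uint8_t* p = file.data() + offset;
    std::uint32_t len = (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16)
                      | (std::uint32_t(p[2]) << 8)  |  std::uint32_t(p[3]);
    if (len > 0x7fffffffu) return std::nullopt;                          // PNG caps chunk length at 2^31-1
    if (len > file.size() - offset - kHeader - kCrc) return std::nullopt; // declared length exceeds what is present
    return ChunkView{len, std::string(p + 4, p + 8), p + kHeader};
}

// Bounded counterpart of the loop in the gdb listing: skip the three-line header
// ("\nsomething\n number\n hex"), then count hex digits, never reading past
// `length` bytes. Malformed input yields nullopt instead of an out-of-bounds read.
std::optional<std::size_t> countHexDigitsBounded(const std::uint8_t* bytes, std::size_t length) {
    std::size_t pos = 0;
    for (int newlines = 0; newlines < 3; ) {
        if (pos >= length) return std::nullopt;  // header truncated: stop at end of data, not at the third '\n'
        if (bytes[pos++] == '\n') ++newlines;
    }
    std::size_t count = 0;
    for (std::size_t i = pos; i < length; ++i)
        if (std::isxdigit(bytes[i])) ++count;    // bytes are uint8_t, so no negative table index either
    return count;
}

// End to end: parse the chunk at `offset` and, if it is a tEXt chunk, count its hex digits.
// Every bound used below comes from parseChunk, never from an unchecked caller value.
std::optional<std::size_t> hexDigitsInTextChunk(const std::vector<std::uint8_t>& file, std::size_t offset) {
    auto chunk = parseChunk(file, offset);
    if (!chunk || chunk->type != "tEXt") return std::nullopt;
    return countHexDigitsBounded(chunk->data, chunk->length);
}

// Build a chunk from constructed sample data (the 4 CRC bytes are a zero placeholder).
std::vector<std::uint8_t> makeChunk(const std::string& type, const std::string& payload) {
    std::vector<std::uint8_t> out;
    std::uint32_t n = static_cast<std::uint32_t>(payload.size());
    for (int shift = 24; shift >= 0; shift -= 8) out.push_back(static_cast<std::uint8_t>(n >> shift));
    out.insert(out.end(), type.begin(), type.end());
    out.insert(out.end(), payload.begin(), payload.end());
    for (int i = 0; i < 4; ++i) out.push_back(0);
    return out;
}

int main() {
    // Constructed sample: a well-formed tEXt chunk, then the same chunk with a
    // 0xffffffff length field, which parseChunk rejects before any loop runs.
    auto good = makeChunk("tEXt", "\nxmp\n 8\ndeadbeef");
    auto bogus = good;
    bogus[0] = bogus[1] = bogus[2] = bogus[3] = 0xff;
    return (hexDigitsInTextChunk(good, 0).value_or(0) == 8 && !parseChunk(bogus, 0)) ? 0 : 1;
}
```

The point of the split is that the only `length` ever handed to the counting loop is one that `parseChunk` has already compared with the bytes remaining in the file; a length field of 0xffffffff, or one that simply exceeds the file, is rejected at parse time and never reaches any indexing code.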

Comment 2 Sam Fowler 2018-05-22 05:42:09 UTC
Please report this upstream if you have not already:

http://dev.exiv2.org/projects/exiv2/issues

Comment 3 c1208828 2018-06-11 17:04:53 UTC
This issue is closed.

Comment 6 Jan Grulich 2019-01-28 16:08:14 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:47:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101