Bug 1594642 (CVE-2018-12648)

Summary: CVE-2018-12648 exempi: NULL pointer dereference in WEBP_Support.hpp:WEBP::GetLE32() allows for denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: dakingun, jchaloup, nforro
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
Exempi is vulnerable to an issue that may manifest as a NULL pointer dereference or an out-of-bounds access due to not checking if vector is of required size before accessing its elements. An attacker could use this to cause a denial of service.
Story Points: ---
Last Closed: 2019-07-12 13:05:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1594643, 1594644
Bug Blocks: 1594646

Description Sam Fowler 2018-06-25 05:27:30 UTC
Exempi through version 2.4.5 is vulnerable to a NULL pointer dereference in the WEBP_Support.hpp:WEBP::GetLE32() function. An attacker could exploit this to cause a denial of service via a crafted file.


Upstream Bug:

https://bugs.freedesktop.org/show_bug.cgi?id=106981

Comment 1 Sam Fowler 2018-06-25 05:27:56 UTC
Created exempi tracking bugs for this issue:

Affects: fedora-all [bug 1594643]

Comment 3 Adam Mariš 2018-07-12 14:58:40 UTC
Statement:

This issue did not affect the versions of exempi as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for the WEBP format in the code in which the vulnerability exists.

Comment 4 Adam Mariš 2018-07-13 12:25:12 UTC
Vulnerable code:

WEBP_Support.cpp:

void VP8XChunk::xmp(bool hasXMP)
{
    XMP_Uns32 flags = GetLE32(&this->data[0]);
    flags ^= (-hasXMP ^ flags) & (1 << XMP_FLAG_BIT);
    PutLE32(&this->data[0], flags);
}

WEBP_Support.hpp (not accurately ordered):

static inline XMP_Uns32 GetLE16(const XMP_Uns8* const data)
{
    return (XMP_Uns32)(data[0] << 0) | (data[1] << 8);
}

static inline XMP_Uns32 GetLE32(const XMP_Uns8* const data)
{
    return (XMP_Uns32)GetLE16(data) | (GetLE16(data + 2) << 16);
}

static inline void PutLE16(XMP_Uns8* const data, XMP_Uns32 val)
{
    assert(val < (1 << 16));
    data[0] = (val >> 0);
    data[1] = (val >> 8);
}

static inline void PutLE32(XMP_Uns8* const data, XMP_Uns32 val)
{
    PutLE16(data, (XMP_Uns32)(val & 0xffff));
    PutLE16(data + 2, (XMP_Uns32)(val >> 16));
}

The code should check if this->data is a vector of the required size before accessing it. In the reproducer attached to the upstream bug, this->data is an empty vector, which causes a NULL pointer dereference (though it may also cause an out-of-bounds access; the error may differ depending on what code the compiler generates).
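A hardened form of the accessor pattern quoted above, written as an added example for this report and not taken from exempi: the little-endian helpers are kept as posted (with <cstdint> types), and the flag toggle refuses to touch a payload shorter than the 4-byte flags word instead of forming &data[0] on an empty vector. The value of XMP_FLAG_BIT is assumed for the example; the real constant is defined in WEBP_Support.hpp.

```cpp
#include <cassert>
#include <cstdint>
#include <vector>

// Bit position of the XMP flag in the VP8X flags word. Assumed value for this
// example; exempi defines the real constant in WEBP_Support.hpp.
constexpr unsigned XMP_FLAG_BIT = 2;

// Little-endian readers/writers, same shape as the ones quoted in the report.
// They still assume the caller has checked that 4 bytes are readable.
static inline uint32_t GetLE16(const uint8_t* const data)
{
    return (uint32_t)(data[0] << 0) | (data[1] << 8);
}

static inline uint32_t GetLE32(const uint8_t* const data)
{
    return (uint32_t)GetLE16(data) | (GetLE16(data + 2) << 16);
}

static inline void PutLE16(uint8_t* const data, uint32_t val)
{
    assert(val < (1u << 16));
    data[0] = (uint8_t)(val >> 0);
    data[1] = (uint8_t)(val >> 8);
}

static inline void PutLE32(uint8_t* const data, uint32_t val)
{
    PutLE16(data, val & 0xffff);
    PutLE16(data + 2, val >> 16);
}

// Hardened equivalent of VP8XChunk::xmp(): toggles the XMP bit only when the
// chunk payload actually holds a 4-byte flags word. Returns false and leaves
// the vector untouched otherwise, so an empty payload is rejected rather than
// dereferenced (the condition the upstream reproducer triggers).
bool SetXMPFlag(std::vector<uint8_t>& data, bool hasXMP)
{
    if (data.size() < 4) {
        return false;
    }
    uint32_t flags = GetLE32(data.data());
    flags ^= (-(uint32_t)hasXMP ^ flags) & (1u << XMP_FLAG_BIT);
    PutLE32(data.data(), flags);
    return true;
}
```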

Comment 5 Product Security DevOps Team 2019-07-12 13:05:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12648