Bug 1470913 - There is an infinite loop in Exiv2::Image::printIFDStructure funtion of image.cpp in exiv2. A crafted input will lead to remote denial of service attack.
Summary: There is an infinite loop in Exiv2::Image::printIFDStructure funtion of imag...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
Depends On:
Blocks: CVE-2017-11338
TreeView+ depends on / blocked
Reported: 2017-07-14 01:52 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 12:46:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
Triggered by "./exiv2 $POC" (102 bytes, application/x-rar)
2017-07-14 01:52 UTC, owl337
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 0 None None None 2019-08-06 12:47:09 UTC

Description owl337 2017-07-14 01:52:13 UTC
Created attachment 1298062 [details]
Triggered by  "./exiv2 $POC"

Description of problem:

There is an infinite loop in  Exiv2::Image::printIFDStructure funtion of image.cpp in  exiv2. A crafted input will lead to remote denial of service attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 POC4

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC4

GDB debugging information is as follows:
(gdb) set args POC4
(gdb) r
(gdb) bt
#0  Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0, 
    bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:492
#1  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x611000009dc0, io=..., out=..., 
    option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#2  0x00007ffff724924c in Exiv2::Rw2Image::printStructure (this=<optimized out>, out=..., option=<optimized out>, 
    depth=<optimized out>) at rw2image.cpp:115
#3  0x00007ffff724a1dc in Exiv2::Rw2Image::readMetadata (this=<optimized out>) at rw2image.cpp:134
#4  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#5  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#6  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170

This vulnerability was triggered in Exiv2::Image::printIFDStructure () at image.cpp:492,which will result in a infinite loop.

 348         do {
 349             // Read top of directory
 350             io.seek(start,BasicIo::beg);
 351             io.read(dir.pData_, 2);
 352             uint16_t   dirLength = byteSwap2(dir,0,bSwap);
 354             bool tooBig = dirLength > 500;
 355             if ( tooBig ) throw Error(55);
 357             if ( bFirst && bPrint ) {
 359                 if ( tooBig ) out << Internal::indent(depth) << "dirLength = " << dirLength << std::endl;
 360             }
 491             if ( start ) {
 492                 io.read(dir.pData_, 4);
 493                 start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
 494             }
 495         } while (start) ;

Actual results:

denial of service

Expected results:

denial of service

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 Adam Mariš 2017-07-24 12:41:59 UTC
Please, report this issue to upstream. Thanks!

Comment 3 Raphaël Hertzog 2017-08-31 14:20:59 UTC
I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/51

Comment 4 Dan Čermák 2017-10-19 21:01:48 UTC
This has been fixed upstream (on master, backported to 0.26, backporting to 0.25 is in progress).

Comment 6 Jan Grulich 2019-01-28 16:08:17 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.