Created attachment 1298135 [details]
Triggered by "./exiv2 $POC"

Description of problem:
There is a Segmentation fault in the software exiv2 after the function Exiv2::XmpParser::terminate() has finished.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./exiv2 $POC

Steps to Reproduce:
The output information is as follows:

$ ./exiv2 POC6
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     :
Camera model    :
Image timestamp :
Image number    :
Exposure time   :
Aperture        :
Exposure bias   :
Flash           :
Flash bias      :
Focal length    :
Subject distance:
ISO speed       :
Exposure mode   :
Metering mode   :
Macro mode      :
Image quality   :
Exif Resolution :
White balance   :
Thumbnail       : None
Copyright       :
Exif comment    :

Segmentation fault

GDB debugging information is as follows:

(gdb) set args POC6
(gdb) r
...
Continuing.
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     :
Camera model    :
Image timestamp :
Image number    :
Exposure time   :
Aperture        :
Exposure bias   :
Flash           :
Flash bias      :
Focal length    :
Subject distance:
ISO speed       :
Exposure mode   :
Metering mode   :
Macro mode      :
Image quality   :
Exif Resolution :
White balance   :
Thumbnail       : None
Copyright       :
Exif comment    :

Breakpoint 3, main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:176
176         Exiv2::XmpParser::terminate();
(gdb) n
155         Action::Task::AutoPtr task
(gdb) n
180     } // main
(gdb)
Breakpoint 2, __libc_start_main (main=0x4e24c0 <main(int, char* const*)>, argc=2, argv=0x7fffffffe598, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe588) at libc-start.c:323
323     libc-start.c: No such file or directory.
(gdb) s
__GI_exit (status=0) at exit.c:104
104     exit.c: No such file or directory.
(gdb) n
103     in exit.c
(gdb)
104     in exit.c
(gdb)
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)

This vulnerability is triggered in the function __GI_exit (status=0) at exit.c:104, after main() has exited.

Actual results:

Expected results:

Additional info:
Please report this issue to upstream. Thanks!
I forwarded this to the upstream developers: https://github.com/Exiv2/exiv2/issues/53
Fixed with exiv2-0.27.0-1.el7_6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101