Created attachment 1302633 [details] Triggered by "./exiv2 POC8" Description of problem: There is a Floating point exception in Exiv2::ValueType of exiv2. Version-Release number of selected component (if applicable): <= latest version How reproducible: ./exiv2 POC8 Steps to Reproduce: The output information is as follows: $./exiv2 POC8 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Error: Directory Image, entry 0x0000 has invalid size 4286578688*8; skipping entry. Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored. Program received signal SIGFPE, Arithmetic exception. 0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const () (gdb) bt #0 0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const () #1 0x000000000069e74b in Exiv2::Internal::TiffImageEntry::setStrips(Exiv2::Value const*, unsigned char const*, unsigned int, unsigned int) () #2 0x00000000006d87f2 in Exiv2::Internal::TiffReader::readDataEntryBase(Exiv2::Internal::TiffDataEntryBase*) () #3 0x00000000006a7226 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) () #4 0x00000000006a6f45 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) () #5 0x00000000006c0618 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) () #6 0x00000000006bbd00 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) () #7 0x00000000006b901f in Exiv2::TiffImage::readMetadata() () #8 0x0000000000464434 in Action::Print::printSummary() () #9 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () #10 0x0000000000439762 in main () Actual results: crash Expected results: crash Additional info: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Please use CVE-2017-11591 for this issue.
I reported this to the upstream developers: https://github.com/Exiv2/exiv2/issues/55
This has been fixed in upstream.
Fixed with exiv2-0.27.0-1.el7_6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101