Bug 1473888 - There is a Floating point exception in Exiv2::ValueType of exiv2.
There is a Floating point exception in Exiv2::ValueType of exiv2.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2 (Show other bugs)
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Jan Grulich
Desktop QE
: Reopened
Depends On:
Blocks: CVE-2017-11591
  Show dependency treegraph
 
Reported: 2017-07-22 00:14 EDT by owl337
Modified: 2017-08-31 10:42 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 11:37:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "./exiv2 POC8" (398 bytes, application/x-rar)
2017-07-22 00:14 EDT, owl337
no flags Details

  None (edit)
Description owl337 2017-07-22 00:14:53 EDT
Created attachment 1302633 [details]
Triggered by "./exiv2 POC8"

Description of problem:

There is a Floating point exception in Exiv2::ValueType of exiv2.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 POC8

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC8

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error: Directory Image, entry 0x0000 has invalid size 4286578688*8; skipping entry.
Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored.

Program received signal SIGFPE, Arithmetic exception.
0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
(gdb) bt
#0  0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
#1  0x000000000069e74b in Exiv2::Internal::TiffImageEntry::setStrips(Exiv2::Value const*, unsigned char const*, unsigned int, unsigned int) ()
#2  0x00000000006d87f2 in Exiv2::Internal::TiffReader::readDataEntryBase(Exiv2::Internal::TiffDataEntryBase*) ()
#3  0x00000000006a7226 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) ()
#4  0x00000000006a6f45 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) ()
#5  0x00000000006c0618 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) ()
#6  0x00000000006bbd00 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) ()
#7  0x00000000006b901f in Exiv2::TiffImage::readMetadata() ()
#8  0x0000000000464434 in Action::Print::printSummary() ()
#9  0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#10 0x0000000000439762 in main ()

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 4 Henri Salo 2017-07-30 08:59:37 EDT
Please use CVE-2017-11591 for this issue.
Comment 5 Raphaël Hertzog 2017-08-31 10:42:37 EDT
I reported this to the upstream developers: https://github.com/Exiv2/exiv2/issues/55

Note You need to log in before you can comment on or make changes to this bug.