Bug 1473888 - There is a Floating point exception in Exiv2::ValueType of exiv2.
Summary: There is a Floating point exception in Exiv2::ValueType of exiv2.
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2   
(Show other bugs)
Version: 7.5-Alt
Hardware: x86_64 Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks: CVE-2017-11591
TreeView+ depends on / blocked
 
Reported: 2017-07-22 04:14 UTC by owl337
Modified: 2019-01-28 16:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 15:37:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "./exiv2 POC8" (398 bytes, application/x-rar)
2017-07-22 04:14 UTC, owl337
no flags Details

Description owl337 2017-07-22 04:14:53 UTC
Created attachment 1302633 [details]
Triggered by "./exiv2 POC8"

Description of problem:

There is a Floating point exception in Exiv2::ValueType of exiv2.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 POC8

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC8

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error: Directory Image, entry 0x0000 has invalid size 4286578688*8; skipping entry.
Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored.

Program received signal SIGFPE, Arithmetic exception.
0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
(gdb) bt
#0  0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
#1  0x000000000069e74b in Exiv2::Internal::TiffImageEntry::setStrips(Exiv2::Value const*, unsigned char const*, unsigned int, unsigned int) ()
#2  0x00000000006d87f2 in Exiv2::Internal::TiffReader::readDataEntryBase(Exiv2::Internal::TiffDataEntryBase*) ()
#3  0x00000000006a7226 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) ()
#4  0x00000000006a6f45 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) ()
#5  0x00000000006c0618 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) ()
#6  0x00000000006bbd00 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) ()
#7  0x00000000006b901f in Exiv2::TiffImage::readMetadata() ()
#8  0x0000000000464434 in Action::Print::printSummary() ()
#9  0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#10 0x0000000000439762 in main ()

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 Henri Salo 2017-07-30 12:59:37 UTC
Please use CVE-2017-11591 for this issue.

Comment 5 Raphaël Hertzog 2017-08-31 14:42:37 UTC
I reported this to the upstream developers: https://github.com/Exiv2/exiv2/issues/55

Comment 6 Henri Salo 2018-10-26 09:06:43 UTC
This has been fixed in upstream.

Comment 8 Jan Grulich 2019-01-28 16:08:21 UTC
Fixed with exiv2-0.27.0-1.el7_6.


Note You need to log in before you can comment on or make changes to this bug.