Bug 1473888 - There is a Floating point exception in Exiv2::ValueType of exiv2.
Summary: There is a Floating point exception in Exiv2::ValueType of exiv2.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
Depends On:
Blocks: CVE-2017-11591
TreeView+ depends on / blocked
Reported: 2017-07-22 04:14 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 12:46:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
Triggered by "./exiv2 POC8" (398 bytes, application/x-rar)
2017-07-22 04:14 UTC, owl337
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 0 None None None 2019-08-06 12:47:09 UTC

Description owl337 2017-07-22 04:14:53 UTC
Created attachment 1302633 [details]
Triggered by "./exiv2 POC8"

Description of problem:

There is a Floating point exception in Exiv2::ValueType of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 POC8

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC8

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error: Directory Image, entry 0x0000 has invalid size 4286578688*8; skipping entry.
Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored.

Program received signal SIGFPE, Arithmetic exception.
0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
(gdb) bt
#0  0x000000000085bd64 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const ()
#1  0x000000000069e74b in Exiv2::Internal::TiffImageEntry::setStrips(Exiv2::Value const*, unsigned char const*, unsigned int, unsigned int) ()
#2  0x00000000006d87f2 in Exiv2::Internal::TiffReader::readDataEntryBase(Exiv2::Internal::TiffDataEntryBase*) ()
#3  0x00000000006a7226 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) ()
#4  0x00000000006a6f45 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) ()
#5  0x00000000006c0618 in Exiv2::Internal::TiffParserWorker::parse(unsigned char const*, unsigned int, unsigned int, Exiv2::Internal::TiffHeaderBase*) ()
#6  0x00000000006bbd00 in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) ()
#7  0x00000000006b901f in Exiv2::TiffImage::readMetadata() ()
#8  0x0000000000464434 in Action::Print::printSummary() ()
#9  0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#10 0x0000000000439762 in main ()

Actual results:


Expected results:


Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 Henri Salo 2017-07-30 12:59:37 UTC
Please use CVE-2017-11591 for this issue.

Comment 5 Raphaël Hertzog 2017-08-31 14:42:37 UTC
I reported this to the upstream developers: https://github.com/Exiv2/exiv2/issues/55

Comment 6 Henri Salo 2018-10-26 09:06:43 UTC
This has been fixed in upstream.

Comment 8 Jan Grulich 2019-01-28 16:08:21 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 12 errata-xmlrpc 2019-08-06 12:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.