Bug 1473889 - There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2.
There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2 (Show other bugs)
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Jan Grulich
Desktop QE
: Reopened
Depends On:
Blocks: CVE-2017-11592
  Show dependency treegraph
Reported: 2017-07-22 00:18 EDT by owl337
Modified: 2017-08-31 10:47 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-07-25 11:37:19 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Triggered by "./exiv2 POC9" (300 bytes, application/x-rar)
2017-07-22 00:18 EDT, owl337
no flags Details

  None (edit)
Description owl337 2017-07-22 00:18:52 EDT
Created attachment 1302634 [details]
Triggered by "./exiv2 POC9"

Description of problem:

There is alloc-dealloc-mismatch in  Exiv2::FileIo::seek of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 POC9

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC9

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI_fseek (fp=0x4647000000e900, offset=0, whence=1) at fseek.c:38
38	fseek.c: No such file or directory.
(gdb) bt
#0  __GI_fseek (fp=0x4647000000e900, offset=0, whence=1) at fseek.c:38
#1  0x00000000004c85e8 in Exiv2::FileIo::seek(long, Exiv2::BasicIo::Position) ()
#2  0x0000000000585750 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) ()
#3  0x000000000058b15c in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) ()
#4  0x00000000006bf786 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) ()
#5  0x00000000006b8eb9 in Exiv2::TiffImage::readMetadata() ()
#6  0x0000000000464434 in Action::Print::printSummary() ()
#7  0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#8  0x0000000000439762 in main ()

The asan debug info is as follows:

==63376==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs operator delete) on 0x60300000d570
    #0 0x4e1c92  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92)
    #1 0x7f0c7c7d0bda  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cbda)
    #2 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #3 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #4 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #5 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #6 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #7 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #8 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #9 0x7f0c7b54ac91  (/lib/x86_64-linux-gnu/libc.so.6+0x39c91)
    #10 0x7f0c7b54ace4  (/lib/x86_64-linux-gnu/libc.so.6+0x39ce4)
    #11 0x7f0c7b531ac6  (/lib/x86_64-linux-gnu/libc.so.6+0x20ac6)
    #12 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60300000d570 is located 0 bytes inside of 4293853440-byte region [0x60300000d570,0x6030ffefd670)
==63376==AddressSanitizer: while reporting a bug found another one. Ignoring.

Actual results:


Expected results:


Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 4 Henri Salo 2017-07-30 08:59:51 EDT
Please use CVE-2017-11592 for this issue.
Comment 5 Raphaël Hertzog 2017-08-31 10:47:56 EDT
I forwarded this to the upstream developers: https://github.com/Exiv2/exiv2/issues/56

Note You need to log in before you can comment on or make changes to this bug.