Bug 1475123 - There is an assertion abort in tiffvisitor.cpp of exiv2/libexiv2.
Summary: There is an assertion abort in tiffvisitor.cpp of exiv2/libexiv2.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-26 06:32 UTC by owl337
Modified: 2019-08-06 12:47 UTC
CC List: 1 user

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:47 UTC
Target Upstream Version:
Embargoed:


Attachments
Triggered by "./exiv2 $POC" (362 bytes, application/x-rar), 2017-07-26 06:32 UTC, owl337


Links
Red Hat Product Errata RHSA-2019:2101 (last updated 2019-08-06 12:47:09 UTC)

Description owl337 2017-07-26 06:32:22 UTC
Created attachment 1304603 [details]
Triggered by "./exiv2 $POC"

Description of problem:

There is an assertion abort in tiffvisitor.cpp of exiv2/libexiv2.

Version-Release number of selected component (if applicable):

the latest trunk version

How reproducible:

./exiv2 POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC

invalid type value detected in Image::printIFDStructure:  0
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.
Aborted


GDB debugging information is as follows:
(gdb) set args POC
(gdb) b tiffvisitor.cpp:1299 
Breakpoint 1 at 0x7ffff75c08bd: file tiffvisitor.cpp, line 1299.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/exiv2-trunk/install/bin/exiv2 ../output/crashes/id:000034,sig:06,src:004666,op:int32,pos:198,val:be:+100
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid type value detected in Image::printIFDStructure:  0

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68c1b0) at tiffvisitor.cpp:1299
1299	            assert(tc.get());
(gdb) c 42 
Will ignore next 41 crossings of breakpoint 1.  Continuing.
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68b020) at tiffvisitor.cpp:1299
1299	            assert(tc.get());
(gdb) n
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) 
(gdb) bt
#0  0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6691e2a in __GI_abort () at abort.c:89
#2  0x00007ffff66890bd in __assert_fail_base (fmt=0x7ffff67eaf78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x7ffff770d9d2 "tc.get()", file=file@entry=0x7ffff770ccc2 "tiffvisitor.cpp", 
    line=line@entry=1299, 
    function=function@entry=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:92
#3  0x00007ffff6689172 in __GI___assert_fail (assertion=0x7ffff770d9d2 "tc.get()", 
    file=0x7ffff770ccc2 "tiffvisitor.cpp", line=1299, 
    function=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:101
#4  0x00007ffff75c17ba in Exiv2::Internal::TiffReader::visitDirectory (this=<optimized out>, object=<optimized out>)
    at tiffvisitor.cpp:1299
#5  0x00007ffff758842a in Exiv2::Internal::TiffDirectory::doAccept (this=0x68b020, visitor=...) at tiffcomposite.cpp:916
#6  0x00007ffff758883d in Exiv2::Internal::TiffComponent::accept (this=0x68b020, visitor=...) at tiffcomposite.cpp:891
#7  Exiv2::Internal::TiffSubIfd::doAccept (this=0x68b290, visitor=...) at tiffcomposite.cpp:931
#8  0x00007ffff758850c in Exiv2::Internal::TiffComponent::accept (this=0x68b290, visitor=...) at tiffcomposite.cpp:891
#9  Exiv2::Internal::TiffDirectory::doAccept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:919
#10 0x00007ffff7588268 in Exiv2::Internal::TiffComponent::accept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:891
#11 0x00007ffff759f7d4 in Exiv2::Internal::TiffParserWorker::parse (pData=<optimized out>, size=<optimized out>, 
    root=<optimized out>, pHeader=<optimized out>) at tiffimage.cpp:2011
#12 0x00007ffff759bf9f in Exiv2::Internal::TiffParserWorker::decode (exifData=..., iptcData=..., xmpData=..., 
    pData=0x7ffff7ff4000 "II*", size=712, root=131072, findDecoderFct=0x2c8, pHeader=<optimized out>)
    at tiffimage.cpp:1900
#13 0x00007ffff75995fa in Exiv2::TiffParser::decode (exifData=..., iptcData=..., xmpData=..., 
    pData=0x7ffff7ff4000 "II*", size=712) at tiffimage.cpp:260
#14 Exiv2::TiffImage::readMetadata (this=0x68c000) at tiffimage.cpp:192
#15 0x0000000000426ecb in Action::Print::printSummary (this=0x68bd10) at actions.cpp:289
#16 0x0000000000426a4c in Action::Print::run (this=0x68bd10, path=...) at actions.cpp:244
#17 0x00000000004078c0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170

This vulnerability is triggered in TiffReader::visitDirectory(TiffDirectory* object) at tiffvisitor.cpp:1299:

1260     void TiffReader::visitDirectory(TiffDirectory* object)
 ...
1286         for (uint16_t i = 0; i < n; ++i) {
1287             if (p + 12 > pLast_) {
1288 #ifndef SUPPRESS_WARNINGS
1289                 EXV_ERROR << "Directory " << groupName(object->group())
1290                           << ": IFD entry " << i
1291                           << " lies outside of the data buffer.\n";
1292 #endif
1293                 return;
1294             }
1295             uint16_t tag = getUShort(p, byteOrder());
1296             TiffComponent::AutoPtr tc = TiffCreator::create(tag, object->group());
1297             // The assertion typically fails if a component is not configured in
1298             // the TIFF structure table
1299             assert(tc.get());
1300             tc->setStart(p);
1301             object->addChild(tc);
1302             p += 12;
1303         }
 ...


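Added note and example (not part of the report above, and not exiv2 code). The excerpt shows why this input aborts the process: TiffCreator::create() returns a null AutoPtr for any IFD entry whose tag is not configured in the TIFF structure table, and the only handling of that case is assert(tc.get()). On a build with assertions enabled that is a SIGABRT on an attacker-supplied image, i.e. a denial of service for every program that links libexiv2 and reads untrusted metadata; on a build with NDEBUG the null pointer would reach tc->setStart(p) on the next line instead. The backtrace also shows the failing directory is a sub-IFD (TiffSubIfd::doAccept under TiffDirectory::doAccept), so the tag lookup must be safe at every nesting level, not only in IFD0. The C walker below models the same loop over 12-byte IFD entries with the same "entry lies outside of the data buffer" check, but treats an unknown tag as data to skip and count rather than an invariant to assert, and caps sub-IFD recursion so a pointer that loops back to its parent terminates. The known-tag table, the error codes and the three byte arrays are constructed for this example and are not the report's PoC.

```c
/* tiff_ifd_walk.c: bounds-checked TIFF IFD walker that skips unknown tags
 * instead of asserting on them. Added example, not exiv2 code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TIFF_ENTRY_SIZE 12   /* tag(2) type(2) count(4) value-or-offset(4) */
#define MAX_IFD_DEPTH   4    /* stops sub-IFD pointers that loop back */

enum { TIFF_OK = 0, TIFF_ERR_HEADER, TIFF_ERR_BOUNDS, TIFF_ERR_DEPTH };

struct walk_stats {
    unsigned known_tags;    /* entries present in our stand-in structure table */
    unsigned unknown_tags;  /* entries skipped; exiv2 0.26 asserted here */
    unsigned sub_ifds;      /* nested directories walked */
};

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Stand-in for exiv2's TIFF structure table (assumed, not the real table).
 * 0x8769 (Exif IFD) and 0x8825 (GPS IFD) point to sub-directories. */
static const uint16_t known_tags[] = { 0x0100, 0x0101, 0x0102, 0x010f, 0x0110, 0x0112, 0x8769, 0x8825 };

static int tag_known(uint16_t tag)
{
    for (size_t i = 0; i < sizeof known_tags / sizeof known_tags[0]; i++)
        if (known_tags[i] == tag) return 1;
    return 0;
}

static int walk_ifd(const uint8_t *buf, size_t len, uint32_t off, int le, int depth, struct walk_stats *st)
{
    if (depth > MAX_IFD_DEPTH) return TIFF_ERR_DEPTH;
    if (off < 8 || (size_t)off + 2 > len) return TIFF_ERR_BOUNDS;   /* entry count itself out of bounds */
    uint16_t n = rd16(buf + off, le);
    size_t p = (size_t)off + 2;
    for (uint16_t i = 0; i < n; i++, p += TIFF_ENTRY_SIZE) {
        if (p + TIFF_ENTRY_SIZE > len) return TIFF_ERR_BOUNDS;     /* same check as tiffvisitor.cpp:1287 */
        uint16_t tag = rd16(buf + p, le);
        if (!tag_known(tag)) {      /* exiv2 0.26: assert(tc.get()) -> SIGABRT */
            st->unknown_tags++;     /* here: record it and move to the next entry */
            continue;
        }
        st->known_tags++;
        if (tag == 0x8769 || tag == 0x8825) {   /* value field is a sub-IFD offset */
            st->sub_ifds++;
            int rc = walk_ifd(buf, len, rd32(buf + p + 8, le), le, depth + 1, st);
            if (rc != TIFF_OK) return rc;
        }
    }
    return TIFF_OK;
}

int tiff_walk(const uint8_t *buf, size_t len, struct walk_stats *st)
{
    memset(st, 0, sizeof *st);
    if (len < 8) return TIFF_ERR_HEADER;
    int le;
    if (memcmp(buf, "II", 2) == 0) le = 1;
    else if (memcmp(buf, "MM", 2) == 0) le = 0;
    else return TIFF_ERR_HEADER;
    if (rd16(buf + 2, le) != 42) return TIFF_ERR_HEADER;
    return walk_ifd(buf, len, rd32(buf + 4, le), le, 0, st);
}

/* Constructed inputs (not the report's PoC). sample_ok: IFD0 with ImageWidth, an
 * unknown tag 0x4900 (a tag value seen in the report's log) and an Exif sub-IFD
 * holding unknown 0x9000 plus Orientation. sample_trunc: claims 200 entries but
 * the buffer ends right after the count. sample_loop: Exif pointer back to IFD0. */
static const uint8_t sample_ok[] = {
    'I','I',42,0, 8,0,0,0,
    3,0,
    0x00,0x01, 3,0, 1,0,0,0, 1,0,0,0,                          /* 0x0100 ImageWidth = 1 */
    0x00,0x49, 0,0, 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,  /* 0x4900 unknown tag  */
    0x69,0x87, 4,0, 1,0,0,0, 50,0,0,0,                         /* 0x8769 Exif IFD @50 */
    0,0,0,0,
    2,0,
    0x00,0x90, 7,0, 4,0,0,0, '0','2','3','0',                  /* 0x9000 unknown here */
    0x12,0x01, 3,0, 1,0,0,0, 1,0,0,0,                          /* 0x0112 Orientation  */
    0,0,0,0 };
static const uint8_t sample_trunc[] = { 'I','I',42,0, 8,0,0,0, 200,0 };
static const uint8_t sample_loop[]  = { 'I','I',42,0, 8,0,0,0, 1,0,
    0x69,0x87, 4,0, 1,0,0,0, 8,0,0,0, 0,0,0,0 };

/* Single-value wrappers so results can be checked without printing. */
int walk_rc(const uint8_t *b, size_t n)          { struct walk_stats s; return tiff_walk(b, n, &s); }
unsigned walk_known(const uint8_t *b, size_t n)  { struct walk_stats s; tiff_walk(b, n, &s); return s.known_tags; }
unsigned walk_unknown(const uint8_t *b, size_t n){ struct walk_stats s; tiff_walk(b, n, &s); return s.unknown_tags; }

int main(void)
{
    struct walk_stats st;
    int rc = tiff_walk(sample_ok, sizeof sample_ok, &st);
    printf("sample_ok:    rc=%d known=%u unknown=%u sub_ifds=%u\n", rc, st.known_tags, st.unknown_tags, st.sub_ifds);
    printf("sample_trunc: rc=%d\n", walk_rc(sample_trunc, sizeof sample_trunc));
    printf("sample_loop:  rc=%d\n", walk_rc(sample_loop, sizeof sample_loop));
    return 0;
}
```

Build with cc -std=c99 -Wall tiff_ifd_walk.c; the three inputs exercise the normal, truncated and self-referential cases, and the unknown tags in sample_ok are reported as a count rather than ending the process. Skipping the entry only removes the reachable assert: the count and offset fields of every entry, known or not, remain attacker-controlled, and any later read through them needs its own check against the buffer end, which is what the "out of bounds ... truncating the entry" messages in the log above are doing for the data offsets.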
Comment 3 Jan Grulich 2019-01-28 16:08:16 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 7 errata-xmlrpc 2019-08-06 12:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

